Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mobile Spy Software Maker MSpy Hacked, Customer Data Leaked

Posted by samzenpus on from the have-some-information dept.

pdclarry writes: mSpy sells a software-as-a-service package that claims to allow you to spy on iPhones. It is used by ~2 million people to spy on their children, partners, Exes, etc. The information gleaned is stored on mSpy's servers. Brian Krebs reports that mSpy has been hacked and their entire database of several hundred GB of their customer's data has been posted on the Dark Web. The trove includes Apple IDs and passwords, as well as the complete contents of phones that have mSpy installed. So much for keeping your children safe.

42 of 79 comments (clear)

  1. And the NSA is grabbing it as we speak ... by BarbaraHudson · · Score: 2

    I guess some enterprising lawyer will also use it to troll for clients whose spouses have spied on them.

    --
    "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    1. Re:And the NSA is grabbing it as we speak ... by Anonymous Coward · · Score: 3, Informative

      You joking? The NSA already had this data.

    2. Re:And the NSA is grabbing it as we speak ... by Narcocide · · Score: 2

      I like this one better.

      1) allegedly hack into mSpy to steal data.
          * didn't need to do this part, because you already work for the NSA and have all the data, but it was fun anyway
      2) post stolen data to the darkweb (nobody there will ask if you simply downloaded it of your work intranet, they'll assume you just hacked mSpy)
      3) profit (and laugh while mSpy implodes under a dogpile of negative publicity, all cleanly deflected from your employer)

    3. Re:And the NSA is grabbing it as we speak ... by johnsnails · · Score: 5, Funny

      Oblig dilbert...

    4. Re:And the NSA is grabbing it as we speak ... by l0n3s0m3phr34k · · Score: 2

      "Parallel construction", just using an "illegal" channel to get the data to someplace where they can "legally" grab it.

    5. Re:And the NSA is grabbing it as we speak ... by justthinkit · · Score: 2

      Or this one:
      (x) make up most of the story.

      The math on what was taken doesn't add up. "Several hundred gigabytes" ~= 200GB. Users ~= 2M. Dividing and we find 100,000 bytes per person. What photo do you know that a modern cell phone camera can take that only uses 100,000 bytes? What other data is there? x & y coordinates of finger swipes?

      Yes, they could be transmitting things like web sites visited, but is that really a big deal?

      Or, this was a microscopic "break in" of a handful of accounts.

      --
      I come here for the love
  2. Everything has a bright side by fustakrakich · · Score: 5, Funny

    All your stuff is backed up... somewhere

    --
    “He’s not deformed, he’s just drunk!”
    1. Re:Everything has a bright side by Anonymous Coward · · Score: 1

      ...all your datum are belong to us...

    2. Re:Everything has a bright side by Noah+Haders · · Score: 3, Funny

      I liked how when there was that kerfluffle over hillary's missing emails, a congressman wrote the NSA a letter directing them to retrieve the data.

    3. Re:Everything has a bright side by silentcoder · · Score: 3, Funny

      Linus used to say "Don't make backups, just stick your stuff on an FTP server and let the world copy it"... I don't think he meant that it was supposed to happen without your consent or knowledge however.

      --
      Unicode killed the ASCII-art *
  3. Don't make illegal items, except for us... by Anonymous Coward · · Score: 1

    The problem is this statement:

    Akbar was charged with selling and advertising wiretapping equipment.

    “Advertising and selling spyware technology is a criminal offense, and such conduct will be aggressively pursued by this office and our law enforcement partners,” U.S. Attorney Dana Boente said in a press release tied to Akbar’s indictment.

    So it is illegal to sell wiretapping equipment.
    Why are there so many companies selling and advertising such equipment to government agencies without being charged?

    1. Re:Don't make illegal items, except for us... by Narcocide · · Score: 5, Insightful

      Its a real simple marketing trick actually. Don't call it "spyware" or "wiretapping", call it "security" and "monitoring" and make sure to mention "for the children" and you're all good.

    2. Re:Don't make illegal items, except for us... by sysrammer · · Score: 1

      Pretty much.

      --
      His ignorance covered the whole earth like a blanket, and there was hardly a hole in it anywhere. - Mark Twain
    3. Re:Don't make illegal items, except for us... by Z00L00K · · Score: 4, Funny

      Akbar - It's a trap!

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    4. Re:Don't make illegal items, except for us... by gl4ss · · Score: 1

      they made the government official sign a NDA.

      and gave them some money back. that they can't disclose to their voters. because of the nda.

      --
      world was created 5 seconds before this post as it is.
  4. LOL by koan · · Score: 2

    I needed a good laugh.

    --
    "If any question why we died, Tell them because our fathers lied."
  5. Re:LOL by Narcocide · · Score: 3, Insightful

    Its cute how you assume most people can learn from their mistakes by tracing decision to result to cause to unintended effect.

  6. Encryption anyone? by Nyder · · Score: 1

    I'm pretty sure this is why you encrypt your database. But you know, whatever, cost money, might hurt the bottom line.

    --
    Be seeing you...
    1. Re:Encryption anyone? by TWX · · Score: 2

      There still needs to be a means to use the database. There also needs to be a means for automated software (ie, that which is installed as a client on the compromised phone) to authenticate into the database. There's going to be a weakness somewhere even for an encrypted database otherwise the database is useless. For all we know it was encrypted and it was compromised through a phone that had itself been compromised with the company's software.

      If that's how it happened, or if analysis of a compromised device gave the people what they needed to break in, then I really can't be sympathetic.

      --
      Do not look into laser with remaining eye.
    2. Re:Encryption anyone? by Em+Adespoton · · Score: 2

      If a system like this was properly designed, the data would be encrypted against a key held by the customer, and the company would never have access to decrypted data. As it is, it appears that every person using the service was in effect providing the company with all the data from the phone in question. What the company did with it after this point is irrelevant, as the information is already compromised.

      Based on the activities of the original owners, I wouldn't be surprised if someone got fired from the company, but didn't get their credentials revoked in time -- or they had already been making a backup of all the data. If one of the founders now owns a competitive product, this could be purely a method of taking out the competition.

      Or, it could be just a case of bad/lapsed security.

  7. Story useless without... by Anonymous Coward · · Score: 1

    Link?

  8. Probably true by Anonymous Coward · · Score: 2, Insightful

    Finding an old article on mSpy:

    "The mSpy technology aggregates the surveillance activity in a cloud-based, password-protected control panel, from which the user can send remote commands, including blocking access to certain programs, websites and apps, and can also restrict incoming calls or shut down and lock the phone. Now that themSpy monitoring software can be pre-installed on HTC One, Nexus 5, Samsung Galaxy S4 and iPhone 5s smartphones, the user no longer has to worry about smartphone compatibility with the software or obtaining physical access to the target phone. Smartphones with pre-installed mSpy can be purchased via the company’s website. The mSpy software-plus-smartphone bundle includes a one-year subscription to the premium mSpy software, which is priced at $200. The technology can capture a range of mobile data, including voice calls, emails, SMS, keystrokes, use of Viber, WhatsApp, Skype, chats, location and more. In order to avoid legal repercussions relating to invasion of privacy, MTechnology stipulates in its conditions that mSpy services must not be used for unauthorized surveillance and that users are required to notify people who are being monitored."

    Well things like Viber WhatsApp Skype etc. certainly we know they are NSA tapped. Skype was mentioned in the PRISM document, the later ones will be later additions to the PRISM program, Viber has long been suspect due to its founders connections to the Israel spy agencies.

    Location is intercepted on bulk by a lot of programs for advertising, and that location data is available to advertisers, so its available to NSA.

    Voice calls? We know they intercept 100% of calls in several contries as of 2012, that capability will have increased. Certainly in the US, or UK, its simply a matter of tapping in a number and the calls are automatically recorded. General collect it all would have intercepted it all because there was nothing to stop him.

    ermails? Intercepted.

    So yeh, even without having access to mSpy's database (likely hacked or since they are UK based, GCHQ would have slapped a secret demand for data on them, the kind that made Vodafone and BT assist in spying on Brits).

    1. Re:Probably true by Noah+Haders · · Score: 4, Informative

      A clarification, you can't install mspy unless you jailbreak your iPhone. I wouldn't be surprised if the Chinese jail breaking packages come with mspy pre-configured... Also, no jailbreak exists for iOS 8.3, the current version.

    2. Re:Probably true by stooo · · Score: 1

      >> prominent jailbreakers have already stated such things don't exist

      So they don't exist. Fact.

      --
      aaaaaaa
    3. Re:Probably true by drinkypoo · · Score: 1

      The only problem with your claim is that other prominent jailbreakers have already stated such things don't exist.

      Even if you're inclined to take people you don't know at their word, and I'm not, are you checksumming or otherwise verifying those downloads to make sure that they're intact? and even if you are, is anyone else?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re:Probably true by ConfusedVorlon · · Score: 1

      A clarification, you can't install mspy unless you jailbreak your iPhone.

      yes you can.

      http://www.mspy.com/faq.html

      it works by accessing the iCloud backup and extracting data from that.

      --
      VLC Remote for iPhone and Android
    5. Re:Probably true by Noah+Haders · · Score: 1

      first, a better link is here:
      http://www.mspy.com/compatibil...

      in order to access the icloud backup and "extract data", it needs to know the user's account password. It basically downloads the icloud backup onto another phone. L33T HAx0Rs!

      As a non-jeakbreak iphone user, I am always on the lookout for potential ways my phone can be hacked. When I find one, I'll let you know.

           

    6. Re:Probably true by Noah+Haders · · Score: 1

      The most recent jailbreak for 8.2 wasn't released by the old jail dal teams like redsnow or whoever. It was released by a new Chinese group nobody has heard of. Hmm, I wonder who they work for? Still FUD?

    7. Re: Probably true by Fnord666 · · Score: 1

      A clarification, you can't install mspy unless you jailbreak your iPhone. I wouldn't be surprised if the Chinese jail breaking packages come with mspy pre-configured... Also, no jailbreak exists for iOS 8.3, the current version.

      Incorrect

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
  9. It's a real shame... by jenningsthecat · · Score: 5, Insightful

    ...that the data stolen belonged to people whose privacy was already being grossly invaded, rather than to the fuckwits who thought it was a good idea to spy on their family members.

    --
    'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
    1. Re:It's a real shame... by rtb61 · · Score: 1

      I am sure 'MSpy' wrote in all sorts of stuff in the EULA to ensure that all your data belong to them. Perhaps they felt there was more money in selling the data than in looking after it. Unencrypted means only one thing, they did not care about keeping it secure internally ie they were already trawling through it all for the juicy bits. They do have a Seychelles office http://www.taxjustice.net/2014... which puts them immediately under extreme suspicion.

      --
      Chaos - everything, everywhere, everywhen
    2. Re:It's a real shame... by mwvdlee · · Score: 5, Insightful

      The people who's data was spied upon, never agreed to any EULA.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    3. Re:It's a real shame... by AmiMoJo · · Score: 1

      I wouldn't be so sure about that. Chances are that their Apple IDs and email addresses are exposed, as well as maybe some embarrassing photos if they are the partner of their victim. An Apple ID is all it took to crack all those celebrity iCloud accounts because their passwords and recovery info were usually easy to guess. In this case the names and probably birthdays of their families are known, their anniversary date etc.

      Any CEOs or politicians involved should be worried.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    4. Re:It's a real shame... by MooseTick · · Score: 1

      You eventually have to move. You don't HAVE to have an iPhone. Many of us survived decades without one.

      --
      Ninjas don't carry tic tacs
  10. This is actually great by DoofusOfDeath · · Score: 2

    Can you imagine the number of lawsuits this is going to bring against the people who installed it?

  11. How does iPhone spyware even work? by Just+Some+Guy · · Score: 1

    Say I want to spy on my kid. (I don't, but work with me here.) How would that software work? Short of jailbreaking the phone, I can't imagine what iPhone spyware would look like. Would said kid have a Spy On Me app that she'd need to run from time to time? Even keyboard replacement apps are somewhat vetted in what information they send to their vendors, and I don't think they have access to photos, email, or anything else but the keyboard.

    --
    Dewey, what part of this looks like authorities should be involved?
    1. Re:How does iPhone spyware even work? by Just+Some+Guy · · Score: 4, Informative

      Never mind - I found it myself. Short answer: either jailbreak the phone or give them your victim's iCloud credentials so they can trawl the backup files.

      --
      Dewey, what part of this looks like authorities should be involved?
  12. MSpy Tor Onion Address? by Anonymous Coward · · Score: 2, Insightful

    Well, ok, so what is the onion address?
    We can't really evaluate this stuff without the source.

    1. Re:MSpy Tor Onion Address? by Anonymous Coward · · Score: 3, Informative

      Not that it helps because the hoster has said they have disabled the downloads for 1-2 days but its

      http://mspycomkftki3h54.onion/

  13. Re:Choose iKeyMonitor spy app. by l0n3s0m3phr34k · · Score: 1

    "Can't believe that it has been hacked" Really? I'm honestly surprised it took this long, and these types of apps are very high-value targets for scammers and their hacker helpers.

  14. Mobile Spy Software Maker MSpy Hacked by nickweller · · Score: 1

    What was the nature of the hack? What Operating System and platform does MSpy keep its customer database on?

  15. Not much data by Anonymous Coward · · Score: 1

    "Several hundred GB" divided by "~2m people" equals "a couple hundred KB per person."

    These days, that's a tiny amount of data to be "complete contents"