Slashdot Mirror


Mobile Spyware Maker mSpy Leaks Millions of Sensitive Records (krebsonsecurity.com)

mSpy, the makers of a software-as-a-service product that claims to help more than a million paying customers spy on the mobile devices of their kids and partners, has leaked millions of sensitive records online, including passwords, call logs, text messages, contacts, notes and location data secretly collected from phones running the stealthy spyware. Krebs On Security reports: Less than a week ago, security researcher Nitish Shah directed KrebsOnSecurity to an open database on the Web that allowed anyone to query up-to-the-minute mSpy records for both customer transactions at mSpy's site and for mobile phone data collected by mSpy's software. The database required no authentication. Before it was taken offline sometime in the past 12 hours, the database contained millions of records, including the username, password and private encryption key of each mSpy customer who logged in to the mSpy site or purchased an mSpy license over the past six months. The private key would allow anyone to track and view details of a mobile device running the software, Shah said. In addition, the database included the Apple iCloud username and authentication token of mobile devices running mSpy, and what appear to be references to iCloud backup files. Anyone who stumbled upon this database also would have been able to browse the WhatsApp and Facebook messages uploaded from mobile devices equipped with mSpy. Other records exposed included the transaction details of all mSpy licenses purchased over the last six months, including customer name, email address, mailing address and amount paid. Also in the data set were mSpy user logs -- including the browser and Internet address information of people visiting the mSpy Web site.

18 comments

  1. main screen turn on by Anonymous Coward · · Score: 0

    all your base are belong to us

  2. Lay down with dogs by Anonymous Coward · · Score: 0

    And you get Manigault Newman'ed like a fucking moron-in-Chief

  3. And now.... by JustAnotherOldGuy · · Score: 1

    "mSpy, the makers of a software-as-a-service product that claims to help more than a million paying customers spy on the mobile devices of their kids and partners, has leaked millions of sensitive records online, including passwords, call logs, text messages, contacts, notes and location data secretly collected from phones running the stealthy spyware."

    And now they can spy on you!

    --
    Just cruising through this digital world at 33 1/3 rpm...

  4. Justice. by WolfgangVL · · Score: 1

    Let this be a lesson to them. Today it was mSpy... tomorrow it could be... YOU!

    --
    You are being ripped off every second of every day, so that advertisers can help rip you off even more tomorrow.

  5. Cue the NSA supporters... by Anonymous Coward · · Score: 0

    If you are doing nothing wrong, you have nothing to hide.

    1. Re:Cue the NSA supporters... by Anonymous Coward · · Score: 0

      If you are doing nothing wrong, you have nothing to hide.

      Interestingly enough, the ones saying this probably have plenty that they'd like to hide, intelligence agencies and private individual shills or uninformed people alike. Perhaps if NSA surveillance bites the latter in the ass hard enough, they will realize that they actually do have things to hide that aren't illegal.

    2. Re: Cue the NSA supporters... by Anonymous Coward · · Score: 0

      The "not having anything to hide" argument starts with the faulty premise that privacy is about hiding a wrong

    3. Re: Cue the NSA supporters... by Anonymous Coward · · Score: 0

      In Soviet America, *everything* is illegal.

      Remember, 95% of the souls locked up in the American Gulag were coerced into "confessing" and never convicted by a jury of their peers.

    4. Re: Cue the NSA supporters... by Anonymous Coward · · Score: 0

      On the other hand, prisoners in the US have a better life than pensioners in Putin's people's paradise.

  6. MongoDB by astrofurter · · Score: 1

    I wonder if it was a MongoDB instance. IIRC their security model defaults to wide open to the world.

    1. Re: MongoDB by Anonymous Coward · · Score: 0

      But it's webscale so it's ok.

  7. Surprise! Hard to hire good people to do evil. by mangastudent · · Score: 1

    It's a lesson we've seen many times before, if you're doing something fundamentally evil, if you're evil yourself, it's hard to hire good, competent help.

    Someone else wondered if they used a database notorious for coming with wide open defaults. Doesn't matter, a competent person will investigate and implement the security that's appropriate. Competent managers and company owners will budget some time and money for Red Team penetration testing.

    Of course, there are technical people out there who are both evil and at least somewhat competent, but they're probably somewhat hard to find and hire, and they're by definition dangerous to employ.

  8. Almost used this.. by evanchik · · Score: 1

    A friend asked me for something to install on his wife's cellphone, as he was seeing suspect activities (sad), and we were about to go forward with this. But I said you have to think of the worst case scenario, one which would be that they would lock you out of your iTunes account or delete information if not paid in Bitcoin in X days. Never thought of this one off the top of my head. All of your iPhone data are belong to us now.

    1. Re:Almost used this.. by Wulf2k · · Score: 1

      If you're at the point where you're lojacking your wife's phone, it's probably time to break up anyway.

      Either she's cheating, and you should leave, or you violate her trust, and she should leave you.

    2. Re: Almost used this.. by Anonymous Coward · · Score: 0

      Just turn on Google location history for her. Then Google does the work for you (as if they aren't tracking her already).

  9. Hold them accountable by omfglearntoplay · · Score: 1

    Companies that screw up like this should have BIG penalties. I thought I read about some laws starting to happen in some places that will kick their asses, is that right?

  10. Think of the Childrens! #freedumbs by Anonymous Coward · · Score: 0

    So brave. So free!

  11. they seemed good for all this time... by Anonymous Coward · · Score: 0

    Hi, folks!
    I've been using it for 7 months. Support staff was always responsive; didn't know they could possibly not respond to somebody's request. Anyway, I found an official statement on their blog: https://blog.mspy.com/dont-panic-your-data-is-safe-blog-mspy/