Mobile Spyware Maker mSpy Leaks Millions of Sensitive Records

mSpy, the makers of a software-as-a-service product that claims to help more than a million paying customers spy on the mobile devices of their kids and partners, has leaked millions of sensitive records online, including passwords, call logs, text messages, contacts, notes and location data secretly collected from phones running the stealthy spyware. Krebs On Security reports: Less than a week ago, security researcher Nitish Shah directed KrebsOnSecurity to an open database on the Web that allowed anyone to query up-to-the-minute mSpy records for both customer transactions at mSpy's site and for mobile phone data collected by mSpy's software. The database required no authentication. Before it was taken offline sometime in the past 12 hours, the database contained millions of records, including the username, password and private encryption key of each mSpy customer who logged in to the mSpy site or purchased an mSpy license over the past six months. The private key would allow anyone to track and view details of a mobile device running the software, Shah said. In addition, the database included the Apple iCloud username and authentication token of mobile devices running mSpy, and what appear to be references to iCloud backup files. Anyone who stumbled upon this database also would have been able to browse the Whatsapp and Facebook messages uploaded from mobile devices equipped with mSpy. Other records exposed included the transaction details of all mSpy licenses purchased over the last six months, including customer name, email address, mailing address and amount paid. Also in the data set were mSpy user logs -- including the browser and Internet address information of people visiting the mSpy Web site.

And now....

[JustAnotherOldGuy]

"mSpy, the makers of a software-as-a-service product that claims to help more than a million paying customers spy on the mobile devices of their kids and partners, has leaked millions of sensitive records online, including passwords, call logs, text messages, contacts, notes and location data secretly collected from phones running the stealthy spyware."

And now they can spy on you!

Justice.

[WolfgangVL]

Let this be a lesson to them. Today it was Mspy... tomorrow it could be.. YOU!

MongoDB

[astrofurter]

I wonder if it was a MongoDB instance. IIRC their security model defaults to wide open to the world.

Surprise! Hard to hire good people to do evil.

[mangastudent]

It's a lesson we've seen many times before, if you're doing something fundamentally evil, if you're evil yourself, it's hard to hire good, competent help.

Someone else wondered if they used a database notorious for coming with wide open defaults. Doesn't matter, a competent person will investigate and implement the security that's appropriate. Competent managers and company owners will budget some time and money for Red Team penetration testing.

Of course, there are technical people out there who are both e

Almost used this..

[Michael Evanchik]

A friend asked me for something to install on his wifes cellphone, as he was seeing suspect activities (sad), we were about to go forward with this. But i said you have to think of the worst case scenario One which would be they would lock you out of your itunes account or delete information if not paid in Bitcoin in xdays. never thought of this one of top of head. All of your iphone data are belong to us now.

Re:

[Wulf2k]

If you're at the point where you're lojacking your wife's phone, it's probably time to break up anyway.

Either she's cheating, and you should leave, or you violate her trust, and she should leave you.

Hold them accountable

[omfglearntoplay]

Companies that screw up like this should have BIG penalties. I thought I read about some laws starting to happen in some places that will kick their asses, is that right?