mSpy: Spy app for parents leaks millions of sensitive records of customers and targets online

• Millions of records including passwords, text messages, call logs, contacts, notes and even location data covertly collected from phones running mSpy were leaked.
• This is the second time in three years that mSpy has experienced a security incident.

Mobile spyware maker mSpy accidentally leaked millions of personal and sensitive records of users and targets online. The software-as-a-service bills itself as the "ultimate monitoring software for parental control" to spy on the mobile devices of their children or partners.

According to a report by cybersecurity expert Brian Krebs, security researcher Nitish Shah alerted him to an open online database without password protection that allowed anyone to look for up-to-the-minute mSpy records for both customers and targeted mobile devices.

Trove of sensitive data exposed

The exposed database contained millions of records including passwords, text messages, call logs, contacts, notes and even location data covertly collected from phones running mSpy. It also included the username, password and private encryption key of every mSpy customer who logged into the site or purchased an mSpy license over the past six months. The private encryption key allows anyone to view and track details of the mobile device running the software.

Apple iCloud usernames, authentication tokens, references to iCloud backup files as well as WhatsApp and Facebook messages uploaded from mobile devices running mSpy could be viewed as well. Other exposed records included transaction details of mSpy licenses purchased over the past six months such as customer name, email address, mailing address and amount paid.

mSpy user logs including browser and Internet address information of people visiting the mSpy website were also listed in the database.

Official response to the incident

Shah said he attempted to alert mSpy of his findings, but was reportedly ignored and blocked by the firm's support team.

“We have been working hard to secure our system from any possible leaks, attacks, and private information disclosure,” mSpy's chief security officer Andrew told KrebsOnSecurity. “All our customers’ accounts are securely encrypted and the data is being wiped out once in a short period of time. Thanks to you we have prevented this possible breach and from what we could discover the data you are talking about could be some amount of customers’ emails and possibly some other data. However, we could only find that there were only a few points of access and activity with the data.”

This isn't the first time mSpy has experienced a security incident.

In May 2015, mSpy was targeted by hackers who posted its customer data - including emails, text messages, payment and location data - on the Dark Web. The company initially denied suffering a breach. However, it later admitted to the BBC that it was the victim of a "predatory attack" by blackmailers, noting that they had not given in to the attackers' demands for money.