mSpy, a company which makes spyware used by suspicious parents and partners to spy on iPhone usage, has accidentally exposed millions of private records on the web. Data exposed includes passwords, text messages, contacts, call logs. notes and location data …
The breach was first reported by KrebsonSecurity.
Less than a week ago, security researcher Nitish Shah directed KrebsOnSecurity to an open database on the Web that allowed anyone to query up-to-the-minute mSpy records for both customer transactions at mSpy’s site and for mobile phone data collected by mSpy’s software. The database required no authentication.
Before it was taken offline sometime in the past 12 hours, the database contained millions of records, including the username, password and private encryption key of each mSpy customer who logged in to the mSpy site or purchased an mSpy license over the past six months. The private key would allow anyone to track and view details of a mobile device running the software, Shah said.
Krebs adds that anyone accessing the data would also be able to browse WhatsApp and Facebook messages.
mSpy was previously hacked, back in 2015, with customer data posted to the dark web. The company goes to some lengths to hide its own activities, including the country in which it is based. In the US, selling spyware is a criminal offence.
The spyware requires iCloud credentials in order to be set up, but no login was required to access the exposed data.