mSpy, a commercial spyware solution designed to help you spy on kids and partners, has leaked over 2 million records including software purchases and iCloud usernames and authentication tokens of devices running mSky. The data appears to have come from an unsecured database that allowed security researchers to pull out millions of records.
“Before it was taken offline sometime in the past 12 hours, the database contained millions of records, including the username, password and private encryption key of each mSpy customer who logged in to the mSpy site or purchased an mSpy license over the past six months,” wrote security researcher Brian Krebs.
Bug hunter Nitish Shah found the data and notified mSpy about the leak but couldn’t reach anyone who could shut it down. He showed Krebs how to access the data, which included personal data on customers.
mSpy is a platform that allows parents to see what their children are doing online and, presumably, allow partners to keep tabs on each other. The app allows you to monitor “WhatsApp, Snapchat, Facebook, and other messaging apps” and tracks calls, SMS, and GPS data.
mSpy has leaked data before and Krebs reported a hack in 2015 that the company denied for a full week. This latest leak is less a hack than an oversight in database control.
I’ve reached out to mSpy for clarity on the breach.