This week, Krebs on Security revealed that mSpy leaked the data of millions of paying customers online, including passwords, call logs, text messages, contacts, notes, location data and even Apple iCloud usernames and authentication tokens. mSpy is software that can be installed on devices and used to snoop on kids, partners and more. The company has since taken the database down.
According to Krebs on Security, the data was easily accessible and required no authentication. It was an “open database on the Web that allowed anyone to query up-to-the-minute mSpy records for both customer transactions at mSpy’s site and for mobile phone data collected by mSpy’s software,” they said in a blog post.
The breadth of data exposed was massive, from secure passwords to names, email addresses and uploaded Facebook and Whatsapp messages. When Krebs on Security notified the company of the data leak via its online chat service, the live chat support person reportedly blocked him. A representative of the company later reached out, thanking Krebs on Security for alerting them to the leak and saying that the data had since been taken down.
But, as Krebs on Security points out, this is hardly the first customer data leak that the company has faced. In May 2015, their database was hacked and customers’ data was posted on the Dark Web. Not to mention that the very nature of this software, which is essentially invasive spyware for profit, is incredibly shady. Regardless of how much you want to spy on a person’s mobile device, it’s probably not worth trusting your (and their) personal data to a company like this.