Spyware-as-a-service firm mSpy exposes customer data in second breach in three years

For the second time in three years parental control application mSpy experienced a breach of sensitive records.

Independent security researcher Nitish Shah discovered an exposed database containing the information of more than a million mSpy customers including usernames, passwords, private encryption keys call logs, text messages, contacts, notes and location data secretly collected from phones running the software of, according to KrebsOnSecurity.

The leaked data also included Apple iCloud usernames and authentication tokens of mobile devices running the spyware as well as what appear to be iCloud backup files.

The data was available for every customer who logged into the site or purchased an mSpy license over the past six months and the private key could allow anyone to track and view the information of a device running the software.

 Attackers would also be able to access Whatsapp and Facebook messages uploaded from mobile devices equipped with mSpy.

Shah told KrebsOnSecurity that he tried to alert the spyware company of his findings but said they ignored him. On Aug. 30 KrebsOnSecurity alerted mSpy and received a response on Sept. 4 thanking the researcher for reporting the issue but claiming the data was only accessible through a “few points.”

““We have been working hard to secure our system from any possible leaks, attacks, and private information disclosure,” Andrew who only gave his first name, mSpy's chief security officer told Krebs. “All our customers' accounts are securely encrypted and the data is being wiped out once in a short period of time. ”

SC Media attempted to reach mSpy for comment but they have yet to respond.

Krebs noted that some of the points of access were his and that mSpy's Web site access logs, which were also exposed, allowed him to see his and Shah's activity on the site in real time.

The incident comes just days after an attacker reportedly breached the servers of similar mobile spyware-as-a-service company, TheTruthSpy, and stole logins data, audio recordings, pictures and text messages from mobile devices running the software.

Pravin Kothari, CEO of cloud security vendor CipherCloud, noted that while companies like mSpy allow parents to monitor their children via their smartphones, the underlying technology could be used to illegally without the company's permission to spy on business partners, co-workers and others.

“Depending on the year and measurement, anywhere from 10 percent to 35 percent of all data exposures and/or resultant data breaches in the cloud are likely caused by misconfiguration,” Kothari said. “Recently we have seen a barrage of cloud services and SaaS application breaches caused by misconfiguration and human error.”

He went on to say it's imperative that all data be kept in an encrypted format when stored in the database (as in this breach), or in use and in motion through the network, API's, etc as it enables the applications within the service to be secured by data encryption keys which are kept in different servers.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.