Recently, we reported on a multitude of data leaks from two different spyware companies. Unfortunately, it’s a problem that is just not going away. Last week, yet another spyware company was found to have left millions of sensitive records exposed online without protection, KrebsOnSecurity reported. While mSpy’s services are designed to help people monitor the mobile phones of their children and partners, this is the second data leak they’ve had in three years.
The leak was discovered by a security researcher who found an mSpy database online with no authentication required. According to Krebs, the database allowed anyone to “query up-to-the-minute mSpy records for both customer transactions at mSpy’s site and for mobile phone data collected by mSpy’s software.”
Adding insult to injury, Krebs notes that anyone who found the database would have been able to freely peruse the Whatsapp and Facebook messages uploaded from mobile devices equipped with mSpy.
The database contained the username, password, and private encryption key for all users who signed up for mSpy’s services in the past six months. Plus, it held iCloud usernames and authentication tokens for phones running mSpy. Transaction details such as customer name, email address, mailing address and amount paid were also visible among the millions of records in the database.
mSpy’s track record for responding to breaches—including this one—seems to be lackluster, at best. In a previous data breach in 2015, hackers stole data from its servers and posted it on the dark web. After initially denying the breach, mSpy promised to double down on its security. But, as Krebs notes, two weeks later, they had still not removed links to screenshots of mobile devices running mSpy.
If organizations are trusted to collect and store such sensitive data, they need to be held more accountable. Given the frequency and number of cyberattacks on spyware companies the accountability bar seems to be low.
Get the full story at KrebsOnSecurity.