This post was originally published on June 1, 2015.
Sometimes the irony is just too much. First reported by Krebs on Security, spyware-as-service provider mSpy was hacked two weeks ago but denied everything — until the evidence became so overwhelming they had no choice but to admit the truth. For a company that provides mobile apps to track children, spouses, and employees and then confront them with proof of their ill deeds, this situation and the accompanying denial might be kind of funny, if it weren’t for the fact that 80,000 consumer records — and the data of spied-on parties— are now available on the dark web. Here’s what happened.
Leaked data
It all started when Krebs got a message from an anonymous source linking to a TOR site which contained “several hundred gigabytes worth of data taken from mobile devices running mSpy’s products.” The hackers responsible claimed that they had accessed more than 400,000 records including over 145,000 containing information about successful payment transactions. Considering that users are paying anywhere from $8.33 to $799 for subscription services to mSpy, this was big news.
For its part, mSpy denied everything. Their official statement was that, yes, they’d been the victim of a “predatory attack,” but the company hadn’t responded to demands for money. The spy-software maker also went on to say that “there is no data of 400,000 of our customers on the web.” This is an interesting turn of phrase, since it’s technically true — no part of the public Web contained this data, only the anonymous dark Web underbelly. Brian Krebs spoke to a number of current and former mSpy customers from the list of hacked accounts released, and all confirmed their details. In other words, the attack was successful.
The truth will come out
According to a May 21st article from the BBC, mSpy has now admitted that malicious actors compromised their systems, but claims only 80,000 records, not the reported 400,000 were stolen. The company also says they’ve reached out to affected customers and “put in place all the necessary remedial measures and continue to work on mechanism of data encryption.” Work on? Sounds like the kind of thing that should have been in place before this kind of breach occurred.
To make matters worse, mSpy doesn’t seem to have a physical address — it may operate out of the UK, the United States, or possibly Germany. The most likely home base is California, where the company is under fire from Senator Al Franken, who says the software is “nothing short of terrifying.”
Big deal?
So here’s the big picture. The mSpy software is used by parents, spouses, and employers to track the mobile device use of unwitting individuals. Those being tracked don’t know that some of their personal information is in the hands of a third party, and certainly have no idea they’re at risk. What’s more, those paying for the service are at risk since any data breach means both the potential theft of credit card data and the targeted individual finding out they’ve been the subject of what amounts to an Internet stalking campaign. In short, it’s small wonder that mSpy and similar offerings haven’t been hacked before, but it’s clear they weren’t prepared for the assault and certainly weren’t prepared to take responsibility.
Of course, mSpy makes an easy target now that they’ve both been breached and made the truly awful PR choice of denying it ever happened. But they’re not the only spy software game in town. As noted by Net Security, the Korea Communications Commission has now passed legislation making it mandatory for telecoms providers and parents to install monitoring apps on the smartphones of minors. As one of the world’s most connected countries, this creates a treasure trove of data for hackers to target. MarketWatch, meanwhile, lists five popular apps for monitoring your spouse’s smartphone activity. All come with the disclaimer that you need to get permission from the to-be-tracked party before using the app, but that’s nothing more than legal window dressing.
Bottom line? You might be under surveillance by friends, family, or your employer and not even know it — and if these people don’t do their homework, they could be putting your data at extreme risk.