MOBILE SPYING SERVICE mSpy has leaked millions of sensitive records belonging to its customers, according to security researcher Nitish Shah via Krebs on Security.
Essentially providing spyware-as-a-service, mSpy is for people who want to snoop on their partner's mobile devices or for parents who want to see what their kids get up to on their smartphones.
That's all well and good for the creeps that use it, but when the service starts spilling the personal data of some millions of customers, ranging from usernames and passwords to text messages, encryption keys and iCloud details, the service becomes even more questionable.
The crux of the data leaks was an open database with no authentication that was simply left on the web by mSpy, enabling anyone with the nous to do so to query the database to get up-to-the-minute records on mSpy customers.
While the database has now been taken offline, Shah noted that the leaked information contained a private key that could allow anyone to track mSpy users, as well as view details about the device the software was installed on.
mSpy's software is already a minefield when it comes to thoughts on privacy, but such a data leak is most certainly a hefty breach in user privacy; we'd argue it's deliciously ironic given that some of the people who had their privacy breached were essentially breaching that of others.
And the thing is, this is the second time in some three years that mSpy has suffered such a data leak. Shah reportedly tried to tell the company about the data leak but they apparently ignored him.
"I was chatting with their live support, until they blocked me when I asked them to get me in contact with their CTO or head of security," Shah told Krebs on Security.
The security-loving website then got a response from a bloke claiming to be mSpy's chief security officer but only giving his name as Andrew.
"We have been working hard to secure our system from any possible leaks, attacks, and private information disclosure," Andrew told Krebs on Security.
"All our customers' accounts are securely encrypted and the data is being wiped out once in a short period of time. Thanks to you we have prevented this possible breach and from what we could discover the data you are talking about could be some amount of customers' emails and possibly some other data. However, we could only find that there were only a few points of access and activity with the data."
It all sounds like quite a bit of bottom covering by mSpy and Krebs on Security detailed the company's lack of security in the past as well as a seemingly shady lack of clear details on where the firm is based.
The moral of the story here though is if you want to invade the privacy of others, then expect the same to be done to you. Right, now where did we leave that high horse... µ