Company rejects breach allegations, says data is 100% safe

May 16, 2015 09:35 GMT

Sensitive information belonging to clients of mSpy, a spying service for mobile devices, has been dumped online, revealing emails, texts and payment data of more than 400,000 people.

It appears that an unknown attacker broke into the computer systems handling the data from mSpy clients and took everything they could find.

mSpy is a service that offers tracking and monitoring software for mobile devices. It is basically spyware advertised as a legal solution for keeping track of children and employees.

The mobile app has extended capabilities, such as retrieving call logs, imposing restrictions on certain phone numbers, checking text messages, accessing emails, viewing browser history, and peeking into instant messaging activity (Skype, WhatsApp, SnapChat, Viber, Facebook).

Breach allegation dismissed as sabotage tactic from competitors

Security blogger Brian Krebs learned from an anonymous source that some of these details have been dumped on a website running on the Tor anonymization network and that the hosted content is several hundred gigabytes in size.

According to the blogger, the data includes Apple IDs and passwords, tracking information, payment details for about 145,000 transactions, photos, security-related details, private email conversations and corporate email threads.

We reached out to mSpy and managed to talk to a representative, who denied having their servers breached, dismissing the news as a sabotage attempt from its competitors.

“This is a piece of black marketing against mSpy,” an mSpy representative using the name Olga Bright told us in an online chat session on Saturday. When asked about the position held at mSpy, the representative said she was a sales manager.

mSpy advertises data encryption at rest and in transit

She also said that the service is 100% reliable as far as the security of smartphone monitoring is concerned, and that the activity logs are encrypted, both in transit and at rest on the server.

“mSpy provides a 100% secure solution for your smartphone monitoring. The activity logs transferred to our server are encrypted and stored anonymously to prevent third-party snooping and interception. We guarantee that no one else can access your data,” the representative told us.

This would contradict the information accessed by Krebs, but it would not be the first time a company has tried to cover up a security incident in order to protect its business.

Olga Bright told us that mSpy has multiple branches in different parts of the world and at least one of them is located in the US (800 West El Camino Real, Mountain View, California 94040), which confirms the one found by Krebs in a court document touching on a trademark dispute. The other one is in the UK (145-157 St John Street, London, EC1V 4PW).