Company working on data encryption mechanism

May 22, 2015 10:04 GMT

Mobile spying service mSpy admitted that its network had been breached and that the highly sensitive data published online by the attackers at the beginning of the month belonged to tens of thousands of its customers.

Last week, it emerged that hundreds of gigabytes of information from mSpy subscribers were dumped on various websites available through the Tor anonymity network.

mSpy denies having been hacked

A report from security blogger Brian Krebs indicated that over 400,000 individuals were impacted, as tracking details, emails, texts and payment info were leaked, pointing to a compromise of the company’s systems.

In a conversation with a representative of the company last week, Softpedia was told that there was no truth to the reports and that the alleged breach was nothing but a “piece of black marketing against mSpy.”

Other publications were also informed in the following week that the data posted online was fake and that no breach had occurred, despite evidence pointing to the opposite.

mSpy’s spokesperson added that the information passing through their systems was 100% secure thanks to encryption being applied to data at rest and in transit.

Regretfully, mSpy customer data was stolen

Almost a week later, mSpy recanted its statement and admitted to the BBC News service that its systems had indeed been hacked.

“Much to our regret, we must inform you that data leakage has actually taken place,” spokeswoman Amelie Ross told BBC News, adding that 80,000 mSpy customers were affected.

Ross also said that the company sent notifications to clients “whose data could have been stolen,” informing them of the current situation.

Furthermore, the representative said that the service took steps to fix the issue and to prevent similar incidents from happening by strengthening the data encryption mechanism used for data protection.

Unsatisfied blackmailers release sensitive info

The reason behind the breach was financial gain, as the company confirmed that it was targeted by blackmailers. However, mSpy did not give in to the demands and the attackers carried on with their plan, dumping the files online.

In the database he examined, Krebs found payment info for about 145,000 transactions, Apple ID passwords, photos, calendar data, corporate email threads and private conversations.

The risks for those impacted are obvious, as attackers could target them for blackmail, online account hijacking or emptying bank accounts with little effort.