Among others, the leak included iCloud login information

Sep 7, 2018 14:48 GMT

mSpy, the company behind a mobile app designed to help its users spy on Android or iPhone devices, leaked millions of records containing sensitive information such as text message logs, passwords, phone contacts, and location data, all of it collected by the app while secretly running in the background.

More precisely, security researcher Nitish Shah found that mSpy's internal databases for all collected data and customer transactions could be accessed without any authentication.

Moreover, according to Shah, mSpy's database, left open to the web, included everything from usernames and passwords to WhatsApp and Facebook messages. It also provided access to real-time records, as well as the private encryption keys of each mSpy customer who logged in or bought an mSpy license over a period of six months.

“I was chatting with their live support, until they blocked me when I asked them to get me in contact with their CTO or head of security,” Shah said.

mSpy took the database offline after four days 

After seeing that mSpy ignored his alerts regarding their exposed database, Shah got in contact with cybersecurity expert Brian Krebs, who confirmed his findings and wrote a full report on the incident.

Krebs also contacted mSpy and, four days later, the database was taken offline and Andrew, the company's supposed chief security officer, responded to his alert.

In his response, mSpy's representative said: “Thanks to you we have prevented this possible breach and from what we could discover the data you are talking about could be some amount of customers’ emails and possibly some other data. However, we could only find that there were only a few points of access and activity with the data.”

It is important to note that this is not the first time mSpy has leaked its customers' private data online: the company was also hacked in May 2015, and its entire database appeared on the Dark Web.