Spyware Service ‘mSpy’ Leaks Millions of Sensitive Records

Mobile spying service mSpy has leaked millions of sensitive records belonging to its customers.

That’s according to a new report from TechCrunch, which explains that the company — which sells software designed to let users spy on their children, partners, or anyone else they want to keep their eye on — left exposed more than two million records “including software purchases and iCloud usernames and authentication tokens of devices running mSky.”

mSpy is marketed globally as “monitoring software for parental control” but it is also widely used by people to track their partners, often to find clues about possible affairs.

The leaked data included the usernames and login credentials of the company’s customers, as well as the iCloud account information and WhatsApp and Facebook messages of the phones that mSpy software was monitoring. Security researcher Brian Krebs said the database was no longer available 12 hours before he published his report Tuesday, after he notified the company of the problem.

“Before it was taken offline sometime in the past 12 hours, the database contained millions of records, including the username, password and private encryption key of each mSpy customer who logged in to the mSpy site or purchased a mSpy license over the past six months,” writes Krebs.

This isn’t the first time mSpy has had a massive security breach. In 2015, KrebsOnSecurity reported that mSpy had been hacked. Denial after denial, mSpy later admitted its mistake to BBC that it had been a victim of a “predatory attack,” but even after two weeks of the original breach, the company still allowed access to screenshots on its servers from mobile devices.