15 September 2020
Spyware has always been hit or miss. mSpy, popularly known for its security and for keeping parents aware of their children’s activity on the internet, has suffered a severe blow. This isn’t the first time the spyware has come under scrutiny: it has drawn negative publicity ever since its launch in 2010, and in 2015 it was involved in a data breach. Now mSpy is at the center of a huge controversy, as it has allegedly leaked sensitive and personal information.
This means that the spyware has leaked millions of usernames, passwords and saved data. The report on the leak comes from Brian Krebs of KrebsOnSecurity. Supposedly, all of the leaked private information is now accessible through a database that requires no authentication. There’s no doubt that mSpy users feel cheated, considering that their private passwords and encryption keys are now public on the open web. It gets even worse: the phones of users subscribed to mSpy can even be tracked. The sad part is that, since mSpy tracks all user data over the web, the leaked information also extends to browser information, including WhatsApp and Facebook messages and details.
Unfortunately, it seems the company isn’t exactly cooperative. Nitish Shah, a security researcher who became aware of the breach, contacted the company but was quickly shut down and blocked. However, KrebsOnSecurity did contact mSpy and received the following e-mail from the company's Chief Security Officer:
“We have been working hard to secure our system from any possible leaks, attacks, and private information disclosure. All our customers’ accounts are securely encrypted and the data is being wiped out once in a short period of time. Thanks to you we have prevented this possible breach and from what we could discover the data you are talking about could be some amount of customers’ emails and possibly some other data. However, we could only find that there were only a few points of access and activity with the data.”
The company has since spoken up, blaming the exposure on a so-called “technical mistake” by its developers rather than a purposeful leak. It has even accepted its flaw and apologized to its customers. Further information regarding the viewable data has been described by the company as follows:
- From 5 million records (this is where the millions from Brian Krebs's article come from) of server error logs, there has been login and password information listed for 1241 accounts, which is 0.044% of the mSpy customer base. A considerable number of the passwords were incorrect, as error logs record failed login sessions.
- There is no way to use the encryption keys mentioned in the article without access to the actual database, so they cannot be used for any purposes.
- The lifetime of the token mentioned in the article is short (about 24 hours) and thus it was invalid by the time the problem was discovered.
- From the analysis of access to Kibana we see that there have been only 2 sessions with data deep research, recorded for India and the US. We assume that these were Nitish Shah and Brian Krebs.