A mobile app that can help people spy on Android and iPhone users, whether they’re spouses or children, has leaked millions of sensitive records, including passwords, call logs, text messages, contacts, notes, and location data. What’s more disturbing is that mSpy, the app in question, just suffered the second major security breach in three years. So you’re probably better off not using it going forward.
Security researcher Nitish Shah first discovered the breach. But his alerts were ignored by the company until KrebsOnSecurity contacted mSpy:
The exposed database also contained other sensitive data, including the iCloud username and authentication token of mobile devices using mSpy, as well as iCloud backup files. Transaction details of mSpy license purchases from the last six months were also exposed, including the name of the buyer, email address, mailing address, and amount paid.
mSpy’s chief security officer contacted KrebsOnSecurity to assure the blog that steps were taken to prevent the leak, and imply that the data wasn’t misused:
As the report points out, it’s unclear who’s behind mSpy, but the company does say it has over one million paying customers, and many of them will not be happy to hear about these security issues. The full report, which is worth a read, also details the previous mSpy security breach, during which hackers posted the customer data they had stolen on the Dark Web.