Mobile Spyware Firm mSpy Hacked, Client Data Exposed To Cyber Bullies
mSpy, a mobile spyware firm whose database has appeared on the Dark Web, seems to have been severely hacked last week. A huge amount of data posted on the Dark Web, including text messages, emails, Apple IDs, payment details, passwords, photos and location data for mSpy users, has apparently been exposed, as reported by KrebsOnSecurity, which broke the story about the apparent, yet-to-be-confirmed breach.
mSpy’s technology is sold as a means for parents and employers to secretly spy on kids and employees, as its corporate blurb explains:
mSpy is the most popular and user-friendly application for watching over your kids, preventing theft and supervising your employees’ performance. The mobile monitoring software runs invisibly on the target device to track all activity, including call log history, GPS location, calendar updates, text messages, emails, web history and much more.
The firm, which talks about two million users and develops technology for Windows, iOS, Android, and Mac PCs, has yet to comment on the apparent breach. The unknown hackers behind the leak suggest that the database, which is only reachable via Tor, contains details of more than 400,000 mSpy users and includes Apple IDs and associated passwords, tracking data, and payment details on some 145,000 successful transactions. Tor is a technology that allows users to hide their true internet address and lets them host websites that are very difficult to hack.
One can hardly feel sympathetic towards mSpy for being victimized, as the real victims of the apparent breach are without any doubt the targets of the spying rather than the firm itself.
Trey Ford, global security strategist at Metasploit maker Rapid7, commented: “People being spied on were having their information stolen by one party, and it’s now moving rapidly through the underground.
“Not only is the legality of installing this software questionable (CFAA, etc.), but those who have the software on their devices have had their lives laid out in an uncontained information disclosure – it’s highly unlikely the victims of this crime will understand the extent of the damage for a very long time, if ever,” he added.
“This underscores how sensitive information may not necessarily be protected by regulations and auditors. Corporate executives are effectively information owners, responsible for the data collected, how it is stored and protected, and what to do when something happens,” he added.
Well-known and respected journalist Brian Krebs said, based on his investigation of the data dump, that one thing is clear: “There is a crazy amount of personal and sensitive data in this cache, including photos, calendar data, corporate email threads, and very private conversations. Also included in the data dump are thousands of support request emails from people around the world who paid between $8.33 to as much as $799 for a variety of subscriptions to mSpy’s surveillance software.”
It is not clear where mSpy is based. The company’s website does not appear to list an official physical address, though it suggests that the company has offices in the United States, Germany and the United Kingdom. On the other hand, historic website registration records show that the company is attached to a now-defunct firm called MTechnology LTD, which is based in the United Kingdom.
Documents obtained from Companies House, an official register of corporations in the U.K., indicate that the two members who founded the company are self-described programmers, Pavel Daletski and Aleksey Fedorchuk. Those records (PDF) show that Daletski is a British citizen, and that Mr. Fedorchuk is from Russia. Neither of them could be contacted for comment.
Court documents (PDF) obtained from the U.S. District Court in Jacksonville, Fla. about a trademark dispute involving mSpy and Daletski state that mSpy has a U.S.-based address of 800 West El Camino Real, in Mountain View, Calif. Those same court documents state that Daletski is a director of a firm based in the Seychelles called Bitex Group LTD. Interestingly, the lawsuit was brought by Retina-X Studios, an mSpy competitor based in Jacksonville, Fla. that makes a product called MobileSpy.
Law enforcers and U.S. regulators have taken a distinct view of companies offering mobile spyware services like mSpy. mSpy also says that its product works even on non-jailbroken iPhones, giving its users access to the device holder’s contacts, text messages, call logs, events, browser history and notes.
The company’s FAQ states that “If you have opted to purchase mSpy Without Jailbreak, and you have the mobile user’s iCloud credentials, you will not need physical access to the device. However, there may be some instances where physical access may be necessary. If you purchase mSpy for a jailbroken iOS phone or tablet, you will need 5-15 minutes of physical access to the device for successful installation.”
In March 2015, a public relations spokesperson from mSpy told KrebsOnSecurity that roughly 40 percent of the company’s users are parents who are interested in keeping a watch on their kids. If we take this statement to be true, it would be ridiculous to see that so many parents have now unknowingly exposed their kids to bullies, predators and other nerds due to this breach.