- Mobile Spyware Solution mSpy exposes over 2 million sensitive records of its customers
- Security researcher Nitish Shah discovered the database exposed with no authentication, allowing anyone to access it.
- The database contains sensitive details such as usernames, passwords, text messages, logs and iCloud data.
- The researcher notified the company about the breach and the database has been taken offline.
mSpy, a mobile and computer parental control monitoring software, has leaked over 2 million sensitive records of its customers.
mSpy is a spyware solution designed for customers to spy on the mobile devices of their kids and partners.
The incident was discovered by security researcher Nitish Shah and reported via KrebsOnSecurity. He found an mSpy database on the web with no authentication, allowing anyone to access the customer data collected by mSpy.
The exposed data includes passwords, call logs, text messages, contacts, notes and location data. The username, password and private encryption key of mSpy customers who logged in to the mSpy site or purchased an mSpy license over the past six months were also exposed in the breach.
In addition, the database includes iCloud data such as the usernames and authentication tokens of mobile devices running mSpy.
Attackers could also browse the WhatsApp and Facebook messages uploaded from mobile devices through the mSpy software.
“Other records exposed included the transaction details of all mSpy licenses purchased over the last six months, including customer name, email address, mailing address and amount paid. Also in the data set were mSpy user logs — including the browser and Internet address information of people visiting the mSpy Web site.”
The researcher said he tried to notify the company about the breach through its live chat support, and that they blocked him when he asked them to help him contact their CTO to report it.
KrebsOnSecurity notified the company of the breach on August 30th, and the database has since been taken offline and secured.
“We have been working hard to secure our system from any possible leaks, attacks, and private information disclosure. All our customers’ accounts are securely encrypted, and the data is being wiped out once in a short period of time,” the mSpy chief security officer said in an email to KrebsOnSecurity.
This is the second time in 3 years that the company has leaked sensitive customer data; mSpy also leaked its customers’ data in 2015.