If you haven’t heard of mSpy, it’s probably for your own good. MSpy is not far removed from the Black Mirror episode, “Arkangel,” when the mom installs a chip in her child’s head to monitor what she’s seeing and feeling. But now it’s invisible monitoring through smartphones.
The company is under serious trouble again as it recently leaked millions of sensitive records concerning personal passwords, text messages, contacts, notes, and even location data for mSpy users, according to a report published on Tuesday by KrebsonSecurity.
MSpy is a company that makes software that claims to spy on your children and loved ones to make sure they are safe. Just a simple download and now you can monitor your child or your partner’s calls, messages, social media use, and even GPS location. The app is available for both iOS and Android devices.
Other than usernames and passwords, the database also had Apple iCloud backup files and gave people the ability to browse personal WhatsApp and Facebook messages for people with mSpy installed on their phones—all without any authentication. This open-source database was later taken down after 12 hours.
When security researcher Nitish Shah contacted the company, the support personnel ignored his request to speak with the chief technology officer or head of security, later quoting that they were “working hard to secure our system.”
This isn’t the first time mSpy has had a massive security breach. In 2015, KrebsOnSecurity reported that mSpy had been hacked. Denial after denial, mSpy later admitted its mistake to BBC that it had been a victim of a “predatory attack,” but even after two weeks of the original breach, the company still allowed access to screenshots on its servers from mobile devices.
Despite the high demand for mSpy, U.S. regulators and law enforcers are not impressed with these types of surveillance companies. In 2014, Hammad Akbar, 31-year-old CEO of spyware app called StealthGenie, was charged with selling and advertising wiretapping equipment.
“Selling spyware is not just reprehensible, it’s a crime,” the U.S. Department of Justice wrote in a press release. “The Criminal Division is committed to cracking down on those who seek to profit from technology designed and used to commit brazen invasions of individual privacy.”
H/T KrebsOnSecurity