mSpy Admits a Data Breach After Vigorous Denial

Mobile spyware and child monitoring firm mSpy admits to being approached and given terms by blackmailers but denies the recent reported data breach of its customers.

Recently, Brian Krebs, a well-known investigative reporter with focus on security, revealed to the world that sensitive data pertaining to financial information, privacy, chat logs, emails, photos and location data, passwords, text messages, Apple IDs and more had been stolen from mSpy, with the breach accessing data of hundreds of thousands of customers.

mSpy’s controversial technology is sold to parents and employers to ‘spy and snoop’ on their family members and employees. The following in an excerpt taken directly from mSpy’s website reads: “mSpy is the most popular and user-friendly application for watching over your kids, preventing theft and supervising your employees’ performance.

Our mobile monitoring software runs invisibly on the target device to track all activity, including call log history, GPS location, calendar updates, text messages, emails, web history and much more.”

The Data Breach and its Initial Denial

Kerbs reported that an anonymous source contacted him after making the discovery of a Tor-based site that hosted hundreds of gigabytes of the hacked customer data from the data breach.

“mSpy, the makers of a dubious software-as-a-service product that claims to help more than two million people spy on the mobile devices of their kids and partners, appears to have been massively hacked,” wrote Krebs. “Last week, a huge trove of data apparently stolen from the company’s servers was posted on the Deep Web, exposing countless emails, text messages, and payment and location data on an undetermined number of mSpy “users.”

Following these allegations however, mSpy firmly denied the data breach had occurred and added that such claims were untrue. The firm also added that it was on the receiving end of several blackmail requests and such threats are of the norm.

“There is no data of 400,000 of our customers on the web,” a spokeswoman for the company told BBC News. “We believe to have become a victim of a predatory attack, aimed to take advantage of our estimated commercial achievements.

“We have received frequent threats of similar nature, pursuing financial gain ‘or else’ and have just received a number of those in recent weeks,” said the firm. “We never have or ever will fall for provocations of third parties, and our only response for such ‘ventures’ will be further securitization of any corporate and customer related data.”

The Acknowledgement

After the unknown hackers responsible for the data breach suggested that data had been dumped on a Tor-based website along with the claims of Brian Kerbs, mSpy admitted to BBC News that data had in-fact been stolen.

“Much to our regret, we must inform you that data leakage has actually taken place,” spokeswoman Amelie Ross told BBC News.

“Naturally, we have communicated with our customers whose data could have been stolen, and described them a situation. We put in place all the necessary remedial measures and continue to work on mechanism of data encryption,” she added.

The Controversy

Minnesota senator Al Franken has been a staunch opponent to the company’s technology comparing it to “stalking apps” and that it is “nothing short of terrifying” for user privacy.

In addition to wanting the government to investigate the company, the Senator has written to the Federal Trade Commission and the Department of Justice, saying: “I believe every American has a fundamental right to privacy, which includes the right to control whether and with whom personal, sensitive information – including location data – is being shared.”