The mSpy data breach is the kind of breach that I cover over on databreaches.net, but the privacy implications of this one are so severe that I thought I should note it here.
If you’re using spyware to spy on your children or a partner – regardless of whether you call it spying or “monitoring” or any other euphemism – note that you – and they – can be exposed in a breach by companies that do not take adequate security precautions.
Brian Krebs has been all over this breach. Today, he writes:
The mSpy data was leaked to the Deep Web, where hundreds of gigabytes of files, chat logs, location records and other data was dumped after the company reportedly declined to comply with extortion demands made by hackers who’d broken into mSpy’s servers. Included in that huge archive is a 13 gigabyte (compressed) directory referencing countless screen shots taken from devices running mSpy’s software — including screen shots taken secretly by users who installed the software on a friend or partner’s device.
The log file of the screen shots taken from mSpy-infested devices doesn’t store the actual screenshot, but instead includes incomplete links to the images. Incredibly, nearly two weeks after this breach became public, all of the leaked screen shots remain viewable over the Internet with nothing more than a Web browser if one knows the base URL that precedes the file name. And that base URL is trivial to work out if you have an active mSpy account.
Read more on KrebsOnSecurity.com.
I think it’s less about apathy and more about data security professionals’ attitudes towards mSpy. A company that SELLS MALWARE got hacked, exposing data of people who were r00ted by their friends and family. If I were a law talking guy, I’d be salivating at the release of a prospect list of thousands of people who are going to be pretty pissed at a company and a friend/partner, and may be willing to pay for my services.
As a security professional though, I shrug my shoulders. Victims who practiced weak operational security by allowing people access to their mobile devices had their data outed because the service provider their “friend” used had equally weak security, and continues to show it well after they knew they had a problem. mSpy is shady and culpable, but not nearly so much as the folks who purchased their “services” to use on others.
A lot of the “victims who practiced weak opsec” may be kids whose parents gave them the phones. Or adults who, not being tech-savvy, trusted a spouse or partner to help them set up their phone.
I wonder if this will even make a serious dent in mSpy’s business.