iPhone Spyware-Maker Suffers Data Breach, Millions of User Records Exposed

Earlier this week, an avalanche of highly-sensitive personal data — including passwords, text messages, call logs, notes, contact info and more — belonging to millions of mSpy iPhone Spyware users, was “accidentally” exposed and published to the web.

mSpy is an internationally-known mobile software-maker. Their primary product allows “suspicious entities” (like your crazy ex-partner) to spy on the iPhone usage patterns of their target, and boasts online of its platform’s “highly-compatible, 100% secure, and easy to use interface.” 

However, as mobile security firm KrebsOnSecurity noted upon discovering the massive data breach, it’s already resulted in “millions” of private user records being exposed on the web — including any available Facebook and WhatsApp messages, as well.

“Less than a week ago, security researcher Nitish Shah directed KrebsOnSecurity to an open database on the Web that allowed anyone to query up-to-the-minute mSpy records for both customer transactions at mSpy’s site and for mobile phone data collected by mSpy’s software,” the firm noted in its official press release, adding that “no authentication” was required to access the data. 

“Before it was taken offline sometime in the past 12 hours, the database contained millions of records, including the username, password and private encryption key of each mSpy customer who logged in to the mSpy site or purchased an mSpy license over the past six months.”

It’s worth noting that, here in the United States, selling spyware software like mSpy is considered a criminal offense that’s regulated and punishable by law. It’s not currently known from which country mSpy is offering its platform for sale, however, as the company is said to have enacted extreme measures to shield even its own activities.

mSpy’s platform requires a user’s iCloud credentials in order to be set up properly on an iOS device, however, according to the present findings, no login credentials were needed to access the exposed data, which has apparently been taken offline within the last few hours.

Interestingly, this week’s data breach is actually the second to have impacted mSpy customer data on such a significant scale. Back in 2015, the firm found itself entwined in a similar predicament, where swaths of customer data wound up being published to the dark web.