20
May 15

mSpy Denies Breach, Even as Customers Confirm It

Last week, KrebsOnSecurity broke the news that sensitive data apparently stolen from hundreds of thousands of customers mobile spyware maker mSpy had been posted online. mSpy has since been quoted twice by other publications denying a breach of its systems. Meanwhile, this blog has since contacted multiple people whose data was published to the deep Web, all of whom confirmed they were active or former mSpy customers.

myspyappmSpy told BBC News it had been the victim of a “predatory attack” by blackmailers, but said it had not given in to demands for money. mSpy also told the BBC that claims the hackers had breached its systems and stolen data were false.

“There is no data of 400,000 of our customers on the web,” a spokeswoman for the company told the BBC. “We believe to have become a victim of a predatory attack, aimed to take advantage of our estimated commercial achievements.”

Let’s parse that statement a bit further. No, the stolen records aren’t on the Web; rather, they’ve been posted to various sites on the Deep Web, which is only accessible using Tor. Also, I don’t doubt that mSpy was the target of extortion attempts; the fact that the company did not pay the extortionist is likely what resulted in its customers’ data being posted online.

How am I confident of this, considering mSpy has still not responded to requests for comment? I spent the better part of the day today pulling customer records from the hundreds of gigabytes of data leaked from mSpy. I spoke with multiple customers whose payment and personal data — and that of their kids, employees and significant others — were included in the huge cache. All confirmed they are or were recently paying customers of mSpy.

Joe Natoli, director of a home care provider in Arizona, confirmed what was clear from looking at the leaked data — that he had paid mSpy hundreds of dollars a month for a subscription to monitor all of the mobile devices distributed to employees by his company. Natoli said all employees agree to the monitoring when they are hired, but that he only used mSpy for approximately four months.

“The value proposition for the cost didn’t work out,” Natoli said.

Katherine Till‘s information also was in the leaked data. Till confirmed that she and her husband had paid mSpy to monitor the mobile device of their 14-year-old daughter, and were still a paying customer as of my call to her.

Till added that she was unaware of a breach, and was disturbed that mSpy might try to cover it up.

“This is disturbing, because who knows what someone could do with all that data from her phone,” Till said, noting that she and her husband had both discussed the monitoring software with their daughter. “As parents, it’s hard to keep up and teach kids all the time what they can and can’t do. I’m sure there are lots more people like us that are in this situation now.”

Another user whose financial and personal data was in the cache asked not to be identified, but sheepishly confirmed that he had paid mSpy to secretly monitor the mobile device of a “friend.”

Update, May 22, 10:24 a.m.: mSpy is finally admitting that it did have a breach that exposed customer information, but they are still downplaying the numbers.

REACTION ON CAPITOL HILL

News of the mSpy breach prompted renewed calls from Sen. Al Franken for outlawing products like mSpy, which the Minnesota democrat refers to as “stalking apps.” In a letter (PDF) sent this week to the U.S. Justice Department and Federal Trade Commission, Franken urged the agencies to investigate mSpy, whose products he called ‘deeply troubling’ and “nothing short of terrifying” when “in the hands of a stalker or abuse intimate partner.”

Last year, Franken reintroduced The Location Privacy Protection Act of 2014, legislation that would outlaw the development, operation, and sale of such products.

U.S. regulators and law enforcers have taken a dim view of companies that offer mobile spyware services like mSpy. In September 2014, U.S. authorities arrested a 31-year-old Hammad Akbar, the CEO of a Lahore-based company that makes a spyware app called StealthGenie. The FBI noted that while the company advertised StealthGenie’s use for “monitoring employees and loved ones such as children,” the primary target audience was people who thought their partners were cheating. Akbar was charged with selling and advertising wiretapping equipment.

“Advertising and selling spyware technology is a criminal offense, and such conduct will be aggressively pursued by this office and our law enforcement partners,” U.S. Attorney Dana Boente said in a press release tied to Akbar’s indictment.

Akbar pleaded guilty to the charges in November 2014, and according to the Justice Department he is “the first-ever person to admit criminal activity in advertising and selling spyware that invades an unwitting victim’s confidential communications.”

Tags: , , , ,

39 comments

  1. Way worse than the breach, is the coverup. The story may now be taken as fact, the breach having been officially denied. Don’t companies ever get it?

  2. Diane Trefethen

    “Advertising and selling spyware technology is a criminal offense, and such conduct will be aggressively pursued by this office and our law enforcement partners,” U.S. Attorney Dana Boente said.

    Ah sweet hypocrisy.

    • Robert.Walter

      Reminds one of the old bumper sticker:

      “Don’t Steal, the Government Hates Such Competition “

    • Note that the government doesn’t advertise and doesn’t sell such technology.

      They just make and/or buy it and use it. (On citizens. Without warrants.)

      So obviously that means they’re not being hypocritical at all…amiright?

  3. Brian
    Write that users of mspy would remove this program and changed passwords for email, apple id, google acc
    I don’t want that ordinary people would suffer
    In bases there are a lot of passwords

  4. Robert.Walter

    I find it interesting that the USAA’s statement limits itself to advertising and selling” as opposed to “selling and using”. Given that hat the “using” is wiretapping, I’d think the USAA would be hovering up data from this leak and start seeking indictments for the mSpy customers in her jurisdiction not possessing a signed disclosure/waiver document between themselves and the spied upon individual.

    • Robert.Walter

      Note: “hovering” should be “Hoovering” (an appropriate task for the Bureau.)

    • Did I miss something somewhere? What does USAA have to do with mSpy?

      • Ahh, ok – that makes sense.
        So it’s just a typo – proper acronym for that position is AUSA.
        Thanks!

  5. Jasmine Dubois

    I’m posting from Tor now and the mSpy dump site is up and running. Here’s the slashdot discussion, http://www.slashdot.org/story/276013 .

    Index of /

    ../
    keep/ 08-May-2015 10:33 –
    keep2/ 02-May-2015 16:00 –
    mailer/ 02-May-2015 16:00 –
    mcloud/ 02-May-2015 16:00 –
    monline_log/ 02-May-2015 16:00 –
    monline_main/ 02-May-2015 16:00 –
    monline_mobile_log/ 02-May-2015 16:01 –
    pay/ 02-May-2015 16:02 –
    pipe_queue/ 02-May-2015 16:02 –
    storage/ 02-May-2015 16:00 –
    bbc.txt 20-May-2015 20:21 44
    clusterscheme.txt 16-May-2015 09:45 1062
    readme.txt 18-May-2015 09:08 14767
    robots.txt 21-May-2015 10:32 1085

    Denying this exists now seems … counterproductive.

  6. Jasmine Dubois

    I’m posting from Tor now and the mSpy dump site is up and running. Here’s the slashdot discussion, http://www.slashdot.org/story/276013 .

    Index of /

    ../
    keep/ 08-May-2015 10:33 –
    keep2/ 02-May-2015 16:00 –
    mailer/ 02-May-2015 16:00 –
    mcloud/ 02-May-2015 16:00 –
    monline_log/ 02-May-2015 16:00 –

    Denying this exists now seems … counterproductive.

  7. These days, this news have been spread. Last week, I just discussed with my husband about which mobile spy app we should choose – mSpy or iKeyMonitor.
    Can’t believe that mSpy has been hacked and the data of customer was stolen!
    That’s the worst thing I worried a lot. I contacted with iKeyMonitor customer service, I was told the data recorded by iKeyMonitor can be stored to their own cell phones, and won’t be uploaded to its server or websites.

    • I’m not sure that is any safer. If you have a rooted or malware stricken device, all your data and that of your child are also at risk.
      I guess it’s up to the devil you know…

      • OP’s comment is an advertisement for a competing spyware company–the same message was posted in Kreb’s original article on this breach. Pay it no mind.

  8. I wonder how many actual cases there are of this sort of service actually saving someone’s child from a real threat.

    • There is a right way...

      This mobile software reminds me of legitimate PC based software from SpectorSoft. We used this years ago when we had a foster child with us and it saved them from a predator. The police took the screenshots of their chats and it was key evidence in sending that person to jail and a spot on the sex-offender list.

      So, if done correctly and data is kept to the owner/installer and not put online I can see a real-life use for such a thing.

      It certainly was worth the little cost in our and our child’s case.

      • Bahaha … I’m not off to join the dark side but seriously I could come up with better sounding spam than this 😀

  9. How can you outlaw such apps / uses? What about businesses that need to keep tabs on company owned devices? What about GPS software in trucks that not only provides navigation and routing for the driver, but also location data to the company? If you outlaw such tech, what happens to Apple’s Find My Friends?

    Granted, I have not looked deeply into any of the legislation, but ANY tracking app / tech /could/ be used nefariously, but that doesnt mean you outlaw it.

    You can argue both ways when it comes to using this on a childs device, but for many parents, in this age of unfiltered access to the web and people, keeping tabs on a childs digital life isnt all bad. Not to mention, these days, it is almost a requirement for a jr hi or older child to have a cellphone – and when a child has misused that device, but you still need to be able to reach them by phone / text, and them reach you, this is a good middle ground to monitor their usage after getting in trouble. In fact, we added a GPS device that tracks location and speed on one of our kids vehicles, should that be outlawed too?

    I’m far more concerned about the push to outlaw such technologies, then a breach coverup.

    • CJD, there is a massive difference between GPS tracking for fleet management, remote worker safety, etc… and secretly spying on someone’s whatsapp messages, logging keystrokes, and taking screenshots of the (potential) victim’s phone.

      IMHO, spyware tools should be outlawed or in the instance of national security, be authorised by an appropriate body. GPS is not under the threat of being outlawed.

      I am more interested in the possible class action, and how the data leak notification is going to be handled to customers and those being monitored.

  10. Certainly are both sides to this story and probably a 3rd side as there’s no concrete evidence but like many others data collected here as well as providing a service is also de-identified and sold to companies that do behavioral analytics. It’s all over in healthcare even to the point to where a hospital system buys up your credit card and Acxiom data broker information. Axiom now even issues credit cards for TD Bank if you can believe that one..scary stuff.

    So even beyond this breach, you have that going on as well. Casual spying “because you can” is never a good thing, you need a real good reason. I have had to do some surveillance work to check up on problematic employees and I don’t like it at all as it will change your perception of that person forever. When you have crooks operating out there though, there is a purpose of course but to spy on a spouse “just because you can” is not really good.

    I’ll be the devil’s advocate here and ask, how people would use this service knowing that on the backend information is collected, de-identified and sold to behavioral analytics companies? It might make some casual users think twice as that is happening in a huge way across the US. I follow healthcare and insurers quite a bit and the behavioral companies owed by United Healthcare that does such business will make your hair stand on end. Few talk about this but its $180 billion a year business with “scoring” consumers into corners where they can’t’ escape and get denied access.

    Think about that one, would people be so anxious to spy on others if knowing up front that the data will be sold? We need to index and license all data sellers so someone making a choice to use an app like this could be informed up front that the data collected is sold to behavioral analytics companies. In the case of this breach, you are putting someone else’s data at risk, so who do you trust. You can view the videos at my campaign page on this, been three years, have written to Franken and many more as without an index on who’s selling data, privacy is sunk as “who are they”.

    http://www.youcaring.com/other/help-preserve-our-privacy-/258776

    • It’s easy – its a form of unauthorized wire tapping. It doesn’t matter if both parties consent; its a form of wiretapping that typically needs judicial approval in the form of a warrant or, the sleazy way NSA or other agencies do it.

      No matter what – its an invasion of privacy, intimidation when it comes to any person over the age of 14.

      The government usually is reactive vice proactive, and in this case, its definitely in the procrasti-“nation” mode.

      • I don’t know how you can make the leap that “no matter if both parties consent it’s still wiretapping and is illegal.” So by the same logic, if a sales trainer has a conference call with a salesman he is training so he can hear how he gives his pitch, and they both agree on it beforehand…nope, that’s illegal, it’s wiretapping because he’s listening in on a call.

        In the case where the person is not informed or is informed but not given a choice, then of course I agree with you. But, for example, using a company computer, the employee can be told “This is your computer for use for your work only. Your work is not private from your boss. You should not use this computer for personal things. You have no right to privacy on this computer because it is the company’s computer, not yours.” How is your statement relevant?

        Also I agree with you completely if the government is doing it. Informed consent or not, the government has no business looking at anyone’s digital communications to others of any sort without a warrant. See the story on THAT aspect of things here: http://www.freedommag.org/issue/201505-patriot/patriot-games.html

        • Say on topic, this is about Mspy software usage; not some other “hype-pathical” concocted dream state.

  11. People spy on each other all the time, sometimes innocently and other times not. This has been going on for thousands of years. Companies “monitor” employee actions constantly, and some companies even periodically take screen snapshots of what’s happening on staff systems. In some cases these activities when legitimate catch fraud and crimes which would otherwise go unpunished.

    The spying in my thinking is not the issue, it’s spying without permission that is problematic.

    In some states you have to tell someone when you’re recording a phone call, in others you don’t. I believe we need uniform laws regarding privacy, but good luck getting everyone to agree with a standard.

    Surveillance has always been a fact of life, and especially those of us seeking internet fame give up privacy by default.

    I believe this is a complex issue which requires more debate and taking into account modern technology as many of the laws governing privacy are a bit outdated.

    • Its not rocket science at all. There is nothing complex about it. Just because its digital doesn’t make it any different from the physical world. The same general common sense privacy laws from the pysical world should apply in the digital world. period. wired laws should apply to wirless, etc…. cpu is not more suited for “remedial tasks” then gpu’s, its all lies. corporations are controlling us all.

      This should go for any type of spying technology and for any organization. As the Medical Quack has stated, its big business to sell data on people, and that should be against the law and our right to privacy. More awareness definitely needs to be brought to that, because that is a big issue in every spying situation. Its the reason “spying” exists. Laws against hidden technologies collecting and selling data on us will encompass everything under the sun. Including people spying on spouses. Big Data brokers are more of a problem then the NSA.

      Its as simple As you say…. was some form of spying technology put on my device, or local network, without my explicit permission? Is the fine print in TOS agreement sufficient warning? Although I guess its hard to make people care, and maybe a moot point when everyone accepts all the crazy permissions all these android apps want when it seems they shoudln’t need them. I laugh everytime. But these companies can’t be more upfront about it then they already are on the cellphones. And most people willingly give up all their privacy. But There is lots of spying done without our knowledge, and that should be against the law, and you don’t have to be a computer expert to the write legislation for it. It already exists.

      • Mario Lacroix

        Isn’t google account or Apple ID a form of “spyware” as well?
        One can find the device, install or remove apps remotely, or access e-mails from there right?
        OK, I agree it’s a service that we, as consumers, own (basic authentication and notifications, but it’s ours to control) and not part of a product that was sold or imposed (arguable), but once it’s compromised, you lost a lot of your data and privacy.
        If a law against all sorts of spyware comes into picture as they are mentioning here, are not those “services” framed there?
        So, to create a law that splits the group of unwanted software is not as easy as you can imagine… I have plenty of examples to consider: software to perform call recorders, sharing your scores or asking for “life” via social media friends, and so on… There is a need to consider the whole cloud based services here when defining this regulations.

  12. BBC just posted an update 2 hours ago:

    http://www.bbc.com/news/technology-32826678

    You are mentioned, good job!

  13. Hopefully, this recent breach will finally get mobile security companies to step up to the plate and do a better job at helping consumers protect themselves by detecting spyware through their apps. When I studied this issue a couple of years ago (http://www.techlicious.com/review/mobile-security-apps-perform-dismally-against-spyware/), mobile security apps performed very poorly against common spyware programs. The excuse from the security companies was the same as Hammad Akbar’s defense – since these apps “could” be used for “legitimate” purposes, like parental monitoring, they were defined as Potentially Unwanted Apps (PUA) and not flagged in many cases.

    Worse, the “independent” antivirus testing labs followed along with this logic so as to not “hurt certain vendors” (direct quote, by the way) who chose not to detect spyware.

    Change needs to happen. Thank you, Brian, for helping to shine sunlight into this seedy mess.

  14. You say blackmail and then extortion. They’re not the same thing.

    hxxp://criminal-law.freeadvice[.]com/criminal-law/white_collar_crimes/extortion_blackmail[.]htm

    • Yes, they are. That article sez :

      “Many states combine the crimes of extortion and blackmail under one general law.”

      In the mind of the person being harrassed, the legal definitions don’t matter much, as they are being harrassed or terrorized. It only matters when the perp is being prosecuted.

  15. President Donald J Trump

    Good article

  16. I don’t know if anyone reads these posts, but this is important to me. I have been the recipient of stalking and cyber stalking from an ex spouse for over two years. The individual stalking me used mspy on 3 of my devices to track me and harm me on multiple occasions. While he is being investigated via the police, I have been told that this type of stalking is very difficult to prove and prosecute – the law hasn’t caught up with technology. How do I find if my information (the victim not the individual who purchased the software) is part of the leak? My personal safety is at stake. if you have an answer please contact me.

    • Investigators figure out what the serial numbers are for each of the mSpy installations, then subpoena the mSpy corporation for the IP addresses of who accessed mSpy databases for the information, then go to the ISPs, etc. that own those IP addresses, then get more subpoenas to find out whose account was associated with those IP addresses at the times of those accesses. Accesses made from free public WiFi spots would be impossible to further trace, unless there were security cameras in operation in those spots. Lots of little pieces to find and tie together.

  17. Like, I say, there are more bad guys then China. And they all know how to spoof.
    The other point is are all the security experts the “a” boffins , sometimes a c/d might slip thru or someone with a MBA may be in charge. The common factor every one knows is that data was siphoned off to a third party. So is the data dynamic in storage or is it static in storage, why all the permissions to allow dynamic storage? Why the ability to read/write the data, when only read is needed?

  18. Brian :

    = quote begin :
    Another user whose financial and personal data was in the cache asked not to be identified, but sheepishly confirmed that he had paid mSpy to secretly monitor the mobile device of a “friend.”
    == quote end

    Appears this unidentified user might have illegally installed the software on the device of a “friend” and thus in the process caused a problem for that “friend”.

    Does the data in the dump have the telephone number of the mobile device, and if so, do your journalist ethics allow or require you to contact that “friend” to notify that person about the exposure of any of his/her personal information?