mSpy data breach exposes thousand kids to online predators

Recently e-mails, text messages, payments, locations, and other data related with mSpy users were posted on the Deep Web, thousand of kids are at risk.

Last week, e-mails, text messages, payments, locations, and other data related with mSpy users were posted on the Deep Web.

mSpy, is a software-as-a-service product that officially was designed to allow parents to spy on the mobile devices of their children. mSpy was largely criticized because anyway it is considered a spyware, and now the debate is widening due to the massive data leakage.

“mSpy is the most popular monitoring and safety application in the market with millions of satisfied users around the globe. Our discreet software works by tracking all activity in the background of the monitored phone including GPS location, web history, images, videos, email, SMS, Skype, WhatsApp, keystrokes and much more. The easy to use control panel, 24/7 live customer support and 256 bit encryption makes mSpy the best solution out there for keeping your children safe and workers productive.” Explains the creators of mSpy.

The privacy advocated and security experts don’t agree with the creators of mSpy because the spyware could be used to potentially spy on any individual.

Since mSpy got hacked, there were multiple requests for the company to comment about it, but until now the silence persists.

The e-mails, text messages, payments, locations were all posted on a webpage hosted on the Tor network.

The leaked data also include four million events recorded by mSpy, Apple IDs and passwords, tracking data, and payment details.

“The message left by the unknown hackers who’ve claimed responsibility for this intrusion suggests that the data dump includes information on more than 400,000 users, including Apple IDs and passwords, tracking data, and payment details on some 145,000 successful transactions.” reported the popular investigator Brian Krebs

Brian Krebs reported that in March 2015 approximately 40 percent of the mSpy users were parents interested in spy on their kids, this data makes the data breach even more disturbing because millions of children are exposed to predators due to the spyware.

“Assuming that is a true statement, it’s ironic that so many parents have now unwittingly exposed their kids to predators, bullies and other ne’er-do-wells thanks to this breach.” States Krebs.

The experts were investigating where about the possible location of the mSpy company, despite the official website reports offices in the United States, Germany, and the United Kingdom, according to historic Web site registration records, the company is tied to the UK firm MTechnology LTD that is now out of business.

Further analysis revealed that the “defunct” company “MTechnology LTD” was created by Aleksey Fedorchuk and Pavel Daletski, being Fedorchuk a Russian citizen and Daletski a British.

Brian Krebs reported that the US District Court of Jacksonville discovered a document related to dispute between the company mSpy and Daletski that indicated a U.S based address in 800 West El Camino Real, in Mountain View, Calif for mSpy.

In the same investigation for the U.S District Court of Jacksonville was discovered that Daletski is a director of a firm called Bitex Group LTD, based in the Seychelles.

The court in Jacksonville was investigating due to a lawsuit started by Retina-X Studios firm, a mSpy competitor based in Jacksonville, that commercialize a product similar to mSpy, called MobileSpy.

In the U.S, companies that offer mobile spyware services, caught the eyes of law enforcers, and in September 2014 Hammad Akbar( 31-year old) was arrested.

Hammad Akbar was the CEO of a company that made a software called StealthGenie, and was charged with “selling and advertising wiretapping equipment.”

“Advertising and selling spyware technology is a criminal offense, and such conduct will be aggressively pursued by this office and our law enforcement partners,” U.S. Attorney Dana Boente said in a press release related with Akbar’s case.

Coming back to mSpy, the company advertises that the product works even on “non-jailbroken iPhones”, and if the FAQ of the program can be found:

“If you have opted to purchase mSpy Without Jailbreak, and you have the mobile user’s iCloud credentials, you will not need physical access to the device,” “However, there may be some instances where physical access may be necessary. If you purchase mSpy for a jailbroken iOS phone or tablet, you will need 5-15 minutes of physical access to the device for successful installation.”

I am interested to see how the law will act upon companies like these, in Europe and U.S since it’s not clear how legal these activities are, because they create privacy issues, but one thing is certain, more software like this will keep appearing since people like to spy on their loved ones.

About the Author

Pierluigi Paganini

(Security Affairs –  spyware, mSpy)