UPDATED – see below

The maker of a SaaS (software-as-a-service) product that enables people to spy on their children’s and employees’ mobile devices “appears to have been massively hacked”, according to Brian Krebs.

mSpy, whose cell phone tracking and monitoring software tracks “all activity in the background of the monitored phone including GPS location, web history, images, videos, email, SMS, Skype, WhatsApp, keystrokes and much more” aims to let “parents and employers keep a watchful eye over the people and things dear to them.”

It is, presumably, also possible to monitor others’ mobile devices without their knowledge using this software, but I should make it clear that mSpy is at pains to point out that its software is intended for legal use only.

Mr Krebs reports that last week, ‘a huge trove of data apparently stolen from the company’s servers was posted on the Deep Web, exposing countless emails, text messages, payment and location data on an undetermined number of mSpy “users.”’

[…]

“The exact number of mSpy users compromised could not be confirmed, but one thing is clear: There is a crazy amount of personal and sensitive data in this cache, including photos, calendar data, corporate email threads, and very private conversations.”

And as Mr Krebs remarks, “it’s ironic that so many parents have now unwittingly exposed their kids to predators, bullies and other ne’er-do-wells thanks to this breach.”

(Image: KrebsOnSecurity)

I spoke with one of mSpy’s customer services reps via the company’s Live Chat facility, and she told me that the reports had not been confirmed, that they were sorry for “the frustration about our product” and that a public statement would be released “soon”:

Update 05/21/15

mSpy has continued to deny that this breach occurred, telling the BBC that “[there] is no data of 400,000 of our customers on the web” and that the company was “a victim of a predatory attack, aimed to take advantage of our estimated commercial achievements.” (That’s blackmail to you and me.) Brian Krebs points out, however, that although mSpy’s statement is strictly true, the customer data is available on the deep web – accessible only using Tor. Mr Krebs is confident of this because he “spent the better part of the day pulling customer records from the hundreds of gigabytes of data leaked from mSpy” and contacting the customers directly – easy to do when you’ve got their personal data. “All confirmed they are or were recently paying customers of mSpy.”

Mr Krebs goes on to note that the mSpy breach has caused comment on Capitol Hill, where Senator Al Franken has renewed his call to ban products like mSpy, which he calls “stalking apps”.

mSpy still hasn’t provided a public statement.

—-

Update 05/22/15

A day after denying it, mSpy has flip-flopped and admitted to the breach. Spokeswoman Amelie Ross told the BBC:

“Much to our regret, we must inform you that data leakage has actually taken place. However, the scope and format of the aforesaid information is way too exaggerated. Naturally, we have communicated with our customers whose data could have been stolen, and described them a situation. We put in place all the necessary remedial measures and continue to work on mechanism of data encryption.”

She said that 80,000 rather than 400,000 customers have been affected by the incident.

The BBC also reports that the UK’s Information Commissioner’s Office (ICO) is now investigating mSpy and is “trying to find out where the company is based”.