
John Leyden
Senior Writer

Mobile surveillance software firm mSpy suffers data breach

News
12 Jul 2024 · 4 mins
Data Breach, Privacy

Attackers scoop 318GB of data from 10 years of customer support tickets.

[Image: open lock. Credit: RistoH / Shutterstock]

Mobile surveillance software firm mSpy has suffered a breach that exposed sensitive information from millions of users.

Customer support tickets dating back around 10 years were hacked and leaked by as yet unidentified attackers. The leaked dataset from mSpy’s Zendesk-powered customer support system was made available to DDoSecrets, a nonprofit transparency collective, and subsequently verified as genuine by TechCrunch and independent security experts.

According to breach notification service Have I Been Pwned (HIBP), the leak comprises 318GB of data with records covering 2.4 million unique email addresses. The exposed data includes names and IP addresses from user records and support tickets.

Other information includes photos of credit cards and, more surprisingly, nude selfies (almost all of women).

Highly personal data

The credit card images appear to be related to refund requests, while the nude images are more difficult to explain.

“There are ‘loads’ of images that are photos of credit cards, with most (but not all) then partially obfuscated,” Troy Hunt, the founder of HIBP said on Twitter/X. “Are people submitting evidence of the payment method they used? Perhaps.”

He went on to speculate about the origin of the nude pictures: “Were they obtained from compromised devices without the knowledge or consent of the owner? They certainly don’t look like anything that would be loaded into a ticketing system.”

CSOonline approached mSpy for comment on the breach and to ask what advice it had for its customers, but we’re yet to hear back from the firm.

According to a Zendesk spokesperson, the company wasn’t compromised and any breach of mSpy has nothing to do with Zendesk. “We are committed to upholding our User Content and Conduct Policy and investigate allegations of violations appropriately and in accordance with our established procedures. Additionally, we have no evidence that Zendesk experienced a compromise of its platform,” a Zendesk spokesperson said.

‘Stalkerware’

mSpy – which the leaks reveal is owned by Brainstack, a Ukrainian IT company – is mobile and computer monitoring software designed for parental control and employee monitoring. The technology, first released in 2010, is available on iOS, Android, Windows, and macOS.

Capabilities include tracking GPS location, viewing web history, images, videos, emails, SMS, Skype, WhatsApp, and keystrokes.

The software has been criticized for its potential misuse in stalking and domestic violence cases. Leaked support tickets show many queries involve individuals looking to monitor their partners or ex-partners surreptitiously.

By contrast, mSpy’s marketing messages place heavy emphasis on how parents can use the software to keep tabs on their kids.

Overreach

The technology might also be applied by an employer to track a mobile employee, in which case the employee’s full knowledge and consent would be required in most Western jurisdictions.

In the grey area of employers monitoring their staff for productivity reasons, consent and transparency would be key, according to independent security experts.

Rob O’Connor, technology lead and CISO at Insight, said many organizations would have reservations about trusting mSpy as a data processor in GDPR terms, preferring more transparent vendors offering less invasive technologies.

“The feature list of mSpy, which beyond location tracking includes social media monitoring, text message access, and visibility into web browsing history, indicates that its aims go beyond that of just safety,” said O’Connor. “Organisations with a legitimate need for this sort of tool should ensure they select a vendor with just the limited functionality to do the job, and no more.”

The latest breach of mSpy’s Zendesk-powered customer support system follows earlier security lapses by the same company in 2018 and 2015. The 2018 breach involved the exposure of call logs, text messages, and location data from phones running the software.
