Mobile surveillance software firm mSpy suffers data breach

Mobile surveillance software firm mSpy has suffered a breach that exposed sensitive information from millions of users.

Customer support tickets dating back around 10 years were hacked and leaked by as yet unidentified attackers. The leaked dataset from mSpy’s Zendesk-powered customer support system was made available to DDoSecrets, a nonprofit transparency collective, and subsequently verified as genuine by TechCrunch and independent security experts.

According to breach notification service Have I Been Pwned (HIBP), the leak comprises 318GB of data covering 2.4 million unique email addresses. The exposed data includes the names and IP addresses held in user records and support tickets.

Other information includes photos of credit cards and, more surprisingly, nude selfies (almost all of women).

Highly personal data

The credit card images appear to be related to refund requests, while the nude images are more difficult to explain.

“There are ‘loads’ of images that are photos of credit cards, with most (but not all) then partially obfuscated,” Troy Hunt, the founder of HIBP said on Twitter/X. “Are people submitting evidence of the payment method they used? Perhaps.”

He went on to speculate about the origin of the nude pictures: “Were they obtained from compromised devices without the knowledge or consent of the owner? They certainly don’t look like anything that would be loaded into a ticketing system.”

CSOonline approached mSpy for comment on the breach and to ask what advice it had for its customers, but we’re yet to hear back from the firm. We also asked Zendesk to comment on whether or not mSpy’s use of its technology fell within its terms of service, so far without success.

‘Stalkerware’

mSpy – which the leaks reveal is owned by Brainstack, a Ukrainian IT company – is mobile and computer monitoring software designed for parental control and employee monitoring. The technology, first released in 2010, is available on iOS, Android, Windows and macOS.

Capabilities include tracking GPS location, and viewing web history, images, videos, emails, SMS, Skype, WhatsApp, and keystrokes.

The software has been criticized for its potential misuse in stalking and domestic violence cases. Leaked support tickets show many queries involve individuals looking to monitor their partners or ex-partners surreptitiously.

By contrast, mSpy’s marketing messages place heavy emphasis on how parents can use the software to keep tabs on their kids.

Overreach

The technology might be applied to facilitate an employer’s tracking of a mobile employee, in which case full knowledge and consent would be required in most Western jurisdictions.

In the grey area of employers monitoring their staff for productivity reasons, consent and transparency would be key, according to independent security experts.

Rob O’Connor, technology lead and CISO at Insight, said many organisations would have reservations about trusting mSpy as a data processor in GDPR terms, preferring more transparent vendors offering less invasive technologies.

“The feature list of mSpy, which beyond location tracking includes social media monitoring, text message access, and visibility into web browsing history, indicates that its aims go beyond that of just safety,” said O’Connor. “Organisations with a legitimate need for this sort of tool should ensure they select a vendor with just the limited functionality to do the job, and no more.”

The latest breach of mSpy’s Zendesk-powered customer support system follows earlier security lapses by the same company in 2018 and 2015. The 2018 breach involved the exposure of call logs, text messages, and location data from phones running the software.
