Breach of Spyware Company mSpy Exposes iCloud Account Information for Millions
Apple users should consider changing their iCloud passwords after a recent breach reportedly exposed the account information of millions of people. The breach involved a company called mSpy, a spyware-as-a-service business. mSpy sells mobile and computer software that allows users to spy on their friends or family members. The software is also marketed to allow parents to see what their children are doing on their devices. However, this type of software is technically illegal and mSpy has a shady reputation.
At the end of August, security researchers Brian Krebs and Nitish Shah discovered that mSpy had posted a database containing millions of iCloud usernames and authentication tokens. Shah discovered the database first and tried to notify mSpy of the issue but was blocked by the company for requesting an audience with their chief technology officer. Krebs later got in touch with mSpy’s CTO and the database was taken down.
The database didn’t just include iCloud details. In addition to exposing iCloud users around the world, the breach may have also exposed existing mSpy customers. The database included logins, transactions, encryption keys, and other information or assets associated with mSpy licenses or accounts. Even worse, the breach exposed the data of people whose devices were being monitored by mSpy software. Indeed, part of the database was made up of Facebook or WhatsApp messages from compromised phones.
The mSpy CTO, who responded to Krebs’ communications only under the pseudonym “Andrew,” says that mSpy’s records only showed that a few people had accessed the database. Two of those points of access, of course, were Shah and Krebs. However, there is no way to be sure how many people saw or downloaded the database, or whether the information could have fallen into the wrong hands. To be safe, iCloud users may want to change their account login information immediately.
As for people who have used mSpy to spy on others, there’s not much to be done at this point to protect anonymity. “Andrew” said that customer accounts were encrypted and therefore not fully identifiable in the database. However, there is no doubt that the breach calls the reputability and security of mSpy even further into question. In addition to the inherently questionable nature of the products that mSpy sells, the company has also suffered cyber breaches in the past. In May 2015, a breach of the service resulted in customer data being posted on the dark web. Past, present, or future users of the software should be aware of these breaches and the risks they pose.