Spyware maker mSpy exposes iCloud info as part of massive data breach

The private data of millions of people — including iCloud usernames and authentication tokens — was recently exposed on an mSpy Web database which, until it was taken down, didn't require authentication.

The database only went offline earlier this week, according to writer Brian Krebs, who was alerted to the problem by security researcher Nitish Shah. In addition to iCloud information, the database also included mSpy logs and logins, private encryption keys, and transactions for mSpy licenses, the last for a period of six months.

mSpy is intended to let people spy on the devices of family members, keeping track of activity in apps. Such spyware is illegal to sell in the U.S., and indeed the company behind mSpy has a nebulous corporate residence.

Shah reportedly tried to warn mSpy about his findings, but found himself blocked by the company's live support team when he asked to get in contact with a CTO or head of security. Krebs got in touch with mSpy on Aug. 30, which finally yielded an email from "Andrew," the chief security officer.

"We have been working hard to secure our system from any possible leaks, attacks, and private information disclosure," the person wrote. "All our customers' accounts are securely encrypted and the data is being wiped out once in a short period of time. Thanks to you we have prevented this possible breach and from what we could discover the data you are talking about could be some amount of customers' emails and possibly some other data. However, we could only find that there were only a few points of access and activity with the data."

At least some that access belonged to Shah and Krebs.

The mSpy service last suffered a major breach in May 2015, which resulted in customer data being posted to the dark Web — a portion of the internet which can't be accessed without special tools or settings, which is sometimes benign but also exploited by criminals.

Legitimate iCloud logins can be particularly lucrative, since successfully breaking into an account can potentially grant access to a wealth of other personal information and services, as well as downloads from places like the App Store.

Latest Exclusives

Latest comparisons

42 Comments

davgreg 1046 comments · 9 Years

About 6 years ago

This is why I do not store sensitive data in the cloud.

ericthehalfbee 4489 comments · 13 Years

davgreg said:

This is why I do not store sensitive data in the cloud.

Nothing to do with iCloud or cloud in general. It has to do with people giving a third party service access to your data.

This is why I have never installed monitoring software on my kids devices, despite my wife always sending me links for various types of Apps that are supposed to help keep track of their activity or set limits. They always require you to give them access far above what any reasonable App should require, even your iCloud login in some cases.This is why I'm stoked about iOS 12 as I'll now have these types of abilities built-in. So I can monitor my kids AND stay secure.

wonkothesane 1737 comments · 12 Years

davgreg said:

This is why I do not store sensitive data in the cloud.

This is why i try to inform myself about quality and seriousness of the service provider before I submit my data. Until now I’m having no issues with Apple’s iCloud and i use them without reluctance. Apart from this the only other service I chose to trust is iPin which i would drop in a heartbeat if Apple would have an iOS counterpart of keychain access where I could e.g. also store pictures of cards and retrieve them at will. Oh yes, and sleep Cycle has access to selected health data.

rare comment 206 comments · 14 Years

The article is weird. The breach is basically saying: "a notebook with someone's passwords was found and one of those passwords was their iCloud password. Others were their google and facebook passwords". I feel badly for them but it's got nothing to do with iCloud security. Even weirder, the breach is of a service that has a narrow audience - it's not even an available service if it's true that "Such spyware is illegal to sell in the U.S.". It's not like it was some app that was available in the App Store.

maestro64 5029 comments · 19 Years

ericthehalfbee said:

davgreg said:

This is why I do not store sensitive data in the cloud.

Nothing to do with iCloud or cloud in general. It has to do with people giving a third party service access to your data.

This is why I have never installed monitoring software on my kids devices, despite my wife always sending me links for various types of Apps that are supposed to help keep track of their activity or set limits. They always require you to give them access far above what any reasonable App should require, even your iCloud login in some cases.This is why I'm stoked about iOS 12 as I'll now have these types of abilities built-in. So I can monitor my kids AND stay secure.

I agree 100% about not allow 3rd parts access to my systems.

The simple solution to knowing what your kids are doing is just ask them most time they will just tell you. If you think they are not sharing all the information have them turn over their devices to you, you own it and pay for the service. You need to instill upon your kids as long as you're paying their bills you have a say so over what they can and can not do. I did this with my kids and today they both very independent people who make their own money since they do not want someone else telling them what they can do. They are both well educated on all the bad things that could happen if they are not careful, we made everything a learning situation.