Spyware maker mSpy exposes iCloud info as part of massive data breach

By Roger Fingas

The private data of millions of people -- including iCloud usernames and authentication tokens -- was recently exposed on an mSpy Web database which, until it was taken down, didn't require authentication.

The database only went offline earlier this week, according to writer Brian Krebs, who was alerted to the problem by security researcher Nitish Shah. In addition to iCloud information, the database also included mSpy logs and logins, private encryption keys, and transactions for mSpy licenses, the last for a period of six months.

mSpy is intended to let people spy on the devices of family members, keeping track of activity in apps. Such spyware is illegal to sell in the U.S., and indeed the company behind mSpy has a nebulous corporate residence.

Shah reportedly tried to warn mSpy about his findings, but found himself blocked by the company's live support team when he asked to get in contact with a CTO or head of security. Krebs got in touch with mSpy on Aug. 30, which finally yielded an email from "Andrew," the chief security officer.

"We have been working hard to secure our system from any possible leaks, attacks, and private information disclosure," the person wrote. "All our customers' accounts are securely encrypted and the data is being wiped out once in a short period of time. Thanks to you we have prevented this possible breach and from what we could discover the data you are talking about could be some amount of customers' emails and possibly some other data. However, we could only find that there were only a few points of access and activity with the data."

At least some that access belonged to Shah and Krebs.

The mSpy service last suffered a major breach in May 2015, which resulted in customer data being posted to the dark Web -- a portion of the internet which can't be accessed without special tools or settings, which is sometimes benign but also exploited by criminals.

Legitimate iCloud logins can be particularly lucrative, since successfully breaking into an account can potentially grant access to a wealth of other personal information and services, as well as downloads from places like the App Store.