mSpy, an iPhone spyware company whose software is used by parents and others to snoop on iPhone usage, has suffered a data breach that leaked millions of customer records (via KrebsOnSecurity).
Disturbingly, this is apparently mSpy’s second breach in three years. Security researcher Nitish Shah pointed KrebsOnSecurity to an open database on the web. Anyone could query it for mSpy records, both for customer transactions and iPhone data collected by the spyware.
Before it was taken offline sometime in the past 12 hours, the database contained millions of records, including the username, password and private encryption key of each mSpy customer who logged in to the mSpy site or purchased an mSpy license over the past six months. The private key would allow anyone to track and view details of a mobile device running the software, Shah said.
Anyone accessing the database could also see the contents of WhatsApp and Facebook messages. Setting up the spyware requires iCloud credentials, but no authentication of any kind was needed to access the database.