The mSpy data breach is the kind of breach that I cover over on databreaches.net, but the privacy implications of this one are so severe that I thought I should note it here.
If you’re using spyware to spy on your children or a partner – regardless of whether you call it spying or “monitoring” or any other euphemism – note that you – and they can be exposed in a breach by companies that do not take adequate security protections.
Brian Krebs has been all over this breach. Today, he writes:
The mSpy data was leaked to the Deep Web, where hundreds of gigabytes of files, chat logs, location records and other data was dumped after the company reportedly declined to comply with extortion demands made by hackers who’d broken into mSpy’s servers. Included in that huge archive is a 13 gigabyte (compressed) directory referencing countless screen shots taken from devices running mSpy’s software — including screen shots taken secretly by users who installed the software on a friend or partner’s device.
The log file of the screen shots taken from mSpy-infested devices doesn’t store the actual screenshot, but instead includes incomplete links to the images. Incredibly, nearly two weeks after this breach became public, all of the leaked screen shots remain viewable over the Internet with nothing more than a Web browser if one knows the base URL that precedes the file name. And that base URL is trivial to work out if you have an active mSpy account.
Read more on KrebsOnSecurity.com.