Spyware Firm Hacked: 400,000 Victims’ Data Stuck on Dark Web

MSpy, a maker of notorious mobile spyware, has reportedly been breached and the personal details of over 400,000 of its victims posted to the dark web.

Security researcher Brian Krebs claimed in a blog post that he was sent an anonymous link to a website reachable only via Tor – which is hosting several hundred gigabytes of data apparently lifted from mobiles on which mSpy products had been installed.

Said data includes Apple IDs and passwords, tracking data and payment information relating to 145,000 transactions, he added.

“The exact number of mSpy users compromised could not be confirmed, but one thing is clear: There is a crazy amount of personal and sensitive data in this cache, including photos, calendar data, corporate email threads, and very private conversations,” Krebs explained.

“Also included in the data dump are thousands of support request emails from people around the world who paid between $8.33 to as much as $799 for a variety of subscriptions to mSpy’s surveillance software.”

It’s unclear where mSpy is based, with addresses listed in the US, UK and Germany, although Companies House records indicate the founders as Russian Aleksey Fedorchuk and UK citizen Pavel Daletski.

Security service provider Centient, which trawls the Dark Web to help customers protect their brand and reputation, warned users about the dangers of spyware like mSpy.

“These types of software can easily be turned to dangerous malware if they are not properly secured,” intelligence investigator, Maryn Deane, told Infosecurity in a brief note. “They are designed to collect vital information which could have severe implications in the wrong hands.” 

Rapid7 global security strategist, Trey Ford, claimed that the victims of this data dump will likely be unaware that their personal information is now on the dark web.

“This underscores how sensitive information may not necessarily be protected by regulations and auditors. Corporate executives are effectively information owners, responsible for the data collected, how it is stored and protected, and what to do when something happens,” he added.

“Because data does not have a fixed value, there will never be clean alignment between how a user values their information (including information about them), the company and their executives value that data, and how a criminal values that data.”

What’s Hot on Infosecurity Magazine?