Mspy Admits Blackmail Attack, Denies Data Breach

Child monitoring firm Mspy has denied reports that its systems have been breached and personal data exposed, but admitted that it was subject to a “predatory attack” by blackmailers.

The denial came after security expert Brian Krebs reported a wide-scale data breach at the firm. He said that he had been contacted by an anonymous source who pointed him to a Tor-based site that hosted several hundred gigabytes of data.

Blackmail Attack

“mSpy, the makers of a dubious software-as-a-service product that claims to help more than two million people spy on the mobile devices of their kids and partners, appears to have been massively hacked,” wrote Krebs. “Last week, a huge trove of data apparently stolen from the company’s servers was posted on the Deep Web, exposing countless emails, text messages, payment and location data on an undetermined number of mSpy “users.”

But Mspy has denied the data data breach and said such claims were false. It told the BBC News it had been the victim of a “predatory attack” by blackmailers, but said it had not given in to demands for money.

“There is no data of 400,000 of our customers on the web,” a spokeswoman for the company told BBC News. “We believe to have become a victim of a predatory attack, aimed to take advantage of our estimated commercial achievements.

“We have received frequent threats of similar nature, pursuing financial gain ‘or else’ and have just received a number of those in recent weeks,” said the firm. “We never have or ever will fall for provocations of third parties, and our only response for such ‘ventures’ will be further securitisation of any corporate and customer related data.”

“We pay close attention to each and every ‘hacking’ threat, making sure it doesn’t have reasonable grounds for considering our security measures compromised,” said the spokeswoman. “And surely none of such threats deserve being indulged in their demands for ‘easy money’, as the most recent case has served an example of.”

It is hard to verify the claims by Brian Krebs, as the data has since been removed from Tor.

In other media reports, mSpy representatives have hinted that the story may have been fabricated by a competitor looking to discredit the company. And apparently the Krebs’ report is being investigated by its lawyers and other “authorised” parties.

Tracking Controversy

Mspy is essentially a tracking app for Android, iOS, Windows and Mac computers. It is aimed at allowing parents to remotely track their children via their smartphone or tablet. The tracking is legal if done by parents, but some are worried that the app could be used by adults to spy on their partners without their consent.

Indeed, the company blatantly touts its stealthy capabilities on its website FAQs.

“Is this phone tracking software undetectable?” asked MiSpy’s FAQ. “This software is absolutely discreet and works by tracking all the activity in the background of the monitored mobile devices in stealth mode.”

The Mspy app also apparently collects call log history, GPS location data, web history, emails, text messages, images, video, Skype and WhatsApp messages, as well as keystrokes and desktop screenshots. This means that the data it collects could be very sensitive indeed.

Earlier this month, a California sales executive filed a lawsuit against her former employer, alleging she was forced to use software on her company-issued iPhone that her supervisor used to track her and her colleagues around the clock, both on- and off-duty.

Do you know all about IT and the law? Take our quiz.