mSpy: We haven't been breached. Customers: Oh yes you have
In fact, we're victim of a ‘predatory attack’, says snooper
However, its contention that the incident is just the latest in a series of extortion attempts is seemingly undermined by confirmation that some of the private information leaked is genuine.
mSpy's "mobile monitoring software" is marketed as a means for parents and employers to surreptitiously snoop on family members or employees.
So, it was bad news when mSpy's database appeared on the dark web, following an apparent hack on its systems around a fortnight ago.
Emails, text messages, payment details, Apple IDs, passwords, photos and location data for mSpy users, as well as the targets of their snooping, were all seemingly exposed.
In a statement responding to a request for comment from El Reg, mSpy dissed reports of a hack:
The case of an alleged "400k users' data leakage" has gained excessive attention and media coverage, therefore we feel obliged to offer some official elucidating comments on the issue.
As commonly known, mSpy is the leading monitoring & safety application in the market for responsible parents.
For the reasons of our usability-justified popularity and consumer's attachment to our brand, we believe to have become a victim of a predatory attack, aimed to take advantage of our estimated commercial achievements.
Being the company trusted for years by numerous clients, we have never put the safety of our users' data at risk. However, we have received frequent threats of a similar nature, pursuing financial gain “or else”, and have just received a number of those in recent weeks.
We never have or ever will fall for provocations of 3rd parties and our only response for such "ventures" will be further securitization of any corporate- and customer-related data.
Neither have our customers ever expressed a doubt in security of their data, nor have we ever given them a reason to.
We pay close attention to each and every "hacking" threat, making sure it doesn’t have reasonable grounds for considering our security measures compromised.
And surely none of these such threats deserve being indulged in their demands for "easy money", of which the most recent case has served an example.
mSpy sent over the statement on Tuesday. It's yet to respond to requests for clarification. We wanted a straight answer to the question of whether or not it thinks it's been breached.
We also asked whether it was able to say whether or not the leaked data was genuine. After all, answering this question would be an obvious step in any incident response procedure and that would hold true even if other indicators suggested that no breach had taken place.
However, investigative reporter Brian Krebs, who broke the story about the apparent — but officially denied — breach has been able to contact apparent victims.
"I spent the better part of the day today pulling customer records from the hundreds of gigabytes of data leaked from mSpy," Krebs reports. "I spoke with multiple customers whose payment and personal data — and that of their kids, employees and significant others — were included in the huge cache. All confirmed they are or were recently paying customers of mSpy." ®