Company That Lets Parents Spy On Their Kids' Computer Usage... Has Database Hacked And Leaked
from the after-denying-it-all dept
There are lots of apps out there for parents spying on their kids' computer/smartphone activities -- with the marketing pitch often being about how this will help "keep them safe" or some other such thing. mSpy is one of those companies, advertising right on the front page about how its snooping software can "keep children safe and employees efficient." It leaves out the bit about making both distrustful, but that's another debate for another day. Brian Krebs recently revealed that a "huge trove of data" had been leaked from mSpy and was being shared around the dark web. And it exposed not just customer names but "countless emails, text messages, payment and location data" of those children and employees that the company was supposedly making "safe" and "efficient."
mSpy's response? Well, first it was to deny the breach entirely, saying that it was a bogus "predatory" attack:
“There is no data of 400,000 of our customers on the web,” a spokeswoman for the company told the BBC. “We believe to have become a victim of a predatory attack, aimed to take advantage of our estimated commercial achievements.”
And, of course, a day or two later, mSpy actually admitted the truth... which was that of course it had been hacked and had the data leaked.
"Much to our regret, we must inform you that data leakage has actually taken place," spokeswoman Amelie Ross told BBC News.
"However, the scope and format of the aforesaid information is way too exaggerated."
She said that 80,000 customers had been affected. Initial reports suggested up to 400,000 customer details had been exposed.
"Naturally, we have communicated with our customers whose data could have been stolen, and described them a situation. We put in place all the necessary remedial measures and continue to work on mechanism of data encryption," she added.
We'll see. If history is any guide, the hack may be even worse. In almost every story of a big hack into corporate computer systems, the initial estimate on the number of accounts impacted is too low, and adjusted upward at a later date.
Either way, it appears that in the process of trying to make children "safe" -- the company may have ended up doing the exact opposite.
Filed Under: brian krebs, children, employees, hacked, leaked, parents, revealed, safety, spyware
Companies: mspy
Reader Comments
Reminds me...
Ok, seriously, what the hell?
So you have this entire database full of personally identifiable data including payment details JUST LYING AROUND IN PLAINTEXT?!?! Someone in IT is about to/better be fired.
Re: Ok, seriously, what the hell?
Re: Re: Ok, seriously, what the hell?
The end result would be identical.
Re: Ok, seriously, what the hell?
At EVERY company I have worked at there has been at least one database that stores plaintext passwords.
At EVERY company I have worked at, I have proposed encrypting users' personal details, especially the passwords but also credit card information, addresses, e-mails, SSNs, etc.
At EVERY company I have worked at, these requests sat on a queue and were never prioritized to the top.
At one company, I finally convinced the powers that be that IT should get 10% of the sprint time to work on whatever tasks they wanted. This is the only company where we correctly encrypted all the users' data.
Nobody in IT should be fired. Whoever prioritizes requests should be fired. I guarantee you that at most companies, at least 1 IT person has been nagging them about it and they just ignore the problem.
Re: Re: Ok, seriously, what the hell?
Estimated commercial achievements?
Wishful thinking? Dreams of riches? Cooked books?
Please explain.
Re: Estimated commercial achievements?
Re: Estimated commercial achievements?
Brian Krebs is well worth watching. He really gets it.
Making children safe
Boys are naturally curious about sex. But parents who would use a stalking app such as mSpy should patiently sit down with their son and explain to him how women's private parts are lined with razor sharp teeth capable of biting off a child's hand.
Who could possibly have seen this coming?
They spy on hundreds of thousands of people (admittedly people without the legal right to object), and store all the data in one place. Not even encrypted.
Did they really think nobody was going to be interested in making fools of them?
To be fair, a lot of blame also has to be laid at the feet of the parents. If you need to spy on your kids' computer, something is deeply wrong with your relationship with your kids.
Re: Who could possibly have seen this coming?
Re-reading my comment, I see that I could have, with equal justice, replaced "parents" with "government" and "kids" with "citizens".
Re: Re: Who could possibly have seen this coming?
Re: Re: Re: Who could possibly have seen this coming?
Re: Who could possibly have seen this coming?
This.
Also, although it's not related to this specific case, people forget about the stupid third party doctrine when they use this stuff. The third party doctrine means that any information a company is holding about you is not private. Storing sensitive information in third party services is asking for trouble.
Interest in making fools of them...
Re: Who could possibly have seen this coming?
How New Internet Spying Laws Will Actually ENABLE Stalkers, Spammers, Phishers And, Yes, Pedophiles & Terrorists
Granted, I was writing about governments, not corporations, but the exact same principles hold.
The problem with accumulating surveillance (or other) data on anyone/anything is that while you might think you're building a useful resource for protection, you are also, invariably, building a very attractive target. I've started calling this the "meta-spy" problem, because it's actually a very efficient and cheap approach for those looking to acquire data: (1) sit on your hands (2) wait for someone else to spend all the money and expend all the effort to perform data acquisition, storage, processing, etc. (3) when the time is right, copy it from them (4) use it (5) watch as they take the blame for what you're doing.
In this particular case, the possible consequences are horrific -- because so much of the data is apparently about children. Thus even if we presume that parents had the finest of intentions, and even if we agree with the method they chose, the end result is that they've put their children in much more danger than if they'd done nothing.
Exercise for the reader: how much tax-free income, conveniently stashed in a plain manila envelope, would one need to hand over to a well-placed system/network admin in order to receive a 4T external drive full of compressed data? After all, hacks/intrusions aren't the only way to pull this off: sometimes the Old Ways are best.
Uncommonly honest
Well that pretty much says everything about their stance right there. They're more upset they HAD to tell people about the data breach than they are about the data breach....
Re: Uncommonly honest
Their marketing communications is as competent as their IT department's lack of encryption in the database.
Phrasing sounds familiar from somewhere
"I triple guarantee you, there are no American soldiers in Baghdad." - Muhammed Saeed al-Sahaf
If he triple-dog guaranteed...
Re: If he triple-dog guaranteed...
Re: If he triple-dog guaranteed...
Re:
And the end result will be: *Drumroll*
Parents and others will just go around and blame the hackers. They surely deserve some of the scorn, but they are not the main problem.
Some of them will think that they will never use 'That' company again and will just find another way to do the exact same. There won't be a big debate about how maybe they could just communicate with and trust in their children so as to not put a stalker's treasure trove of information up on the internet about them.
Yes, I am cynical, but these people have already proven that they think that they need to protect without regard for the protected, by throwing money at the "problem", so as I see it, they deserve no great faith from me.
/sarcasm
Re: