Company That Lets Parents Spy On Their Kids' Computer Usage... Has Database Hacked And Leaked

from the after-denying-it-all dept

There are lots of apps out there for parents spying on their kids computer/smartphone activities -- with the marketing pitch often being about how this will help "keep them safe" or some other such thing. mSpy is one of those companies, advertising right on the front page about how its snooping software can "keep children safe and employees efficient." It leaves out the bit about making both distrustful, but that's another debate for another day. Brian Krebs recently revealed that a "huge trove of data" had been leaked from mSpy and was being shared around the darkweb. And it exposed not just customer names but "countless emails, text messages, payment and location data" of those children and employees that the company was supposedly making "safe" and "efficient."

mSpy's response? Well, first it was to deny the breach entirely, saying that it was a bogus "predatory" attack:
“There is no data of 400,000 of our customers on the web,” a spokeswoman for the company told the BBC. “We believe to have become a victim of a predatory attack, aimed to take advantage of our estimated commercial achievements.”
And, of course, a day or two later, mSpy actually admitted the truth... which was that of course it had been hacked and had the data leaked.
"Much to our regret, we must inform you that data leakage has actually taken place," spokeswoman Amelie Ross told BBC News.

"However, the scope and format of the aforesaid information is way too exaggerated."

She said that 80,000 customers had been affected. Initial reports suggested up to 400,000 customer details had been exposed.

"Naturally, we have communicated with our customers whose data could have been stolen, and described them a situation. We put in place all the necessary remedial measures and continue to work on mechanism of data encryption," she added.
We'll see. If history is any guide, the hack may be even worse. In almost every story of a big hack into corporate computer systems, the initial estimate on the number of accounts impacted is too low, and adjusted upward at a later date.

Either way, it appears that in the process of trying to make children "safe" -- the company may have ended up doing the exact opposite.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: brian krebs, children, employees, hacked, leaked, parents, revealed, safety, spyware
Companies: mspy


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    Pixelation, 28 May 2015 @ 8:23am

    Reminds me...

    of Spy vs Spy.

    link to this | view in thread ]

  2. identicon
    Just Another Anonymous Troll, 28 May 2015 @ 8:28am

    Ok, seriously, what the hell?

    and continue to work on mechanism of data encryption," she added.
    So you have this entire database full of personally identifiable data including payment details JUST LYING AROUND IN PLAINTEXT?!?! Someone in IT is about to/better be fired.

    link to this | view in thread ]

  3. icon
    DannyB (profile), 28 May 2015 @ 8:46am

    Estimated commercial achievements?

    “We believe to have become a victim of a predatory attack, aimed to take advantage of our estimated commercial achievements.”
    What exactly are estimated commercial achievements?

    Wishful thinking? Dreams of riches? Cooked books?

    Please explain.

    link to this | view in thread ]

  4. icon
    DannyB (profile), 28 May 2015 @ 9:00am

    Making children safe

    In the linked BBC article, I got a laugh from the picture of the boy with the phone, his look of shock and eyes about to pop out of his head.

    Boys are naturally curious about sex. But parents who would use a stalking app such as mSpy should patiently sit down with their son and explain to him how women's private parts are lined with razor sharp teeth capable of biting off a child's hand.

    link to this | view in thread ]

  5. icon
    OldMugwump (profile), 28 May 2015 @ 9:00am

    Who could possibly have seen this coming?

    Really, what did they expect was going to happen?

    They spy on hundreds of thousands of people (admittedly people without the legal right to object), and store all the data in one place. Not even encrypted.

    Did they really think nobody was going to be interested in making fools of them?

    To be fair, a lot of blame also has to be laid at the feet of the parents. If you need to spy on your kids computer, something is deeply wrong with your relationship with your kids.

    link to this | view in thread ]

  6. icon
    OldMugwump (profile), 28 May 2015 @ 9:05am

    Re: Who could possibly have seen this coming?

    Hm.

    Re-reading my comment, I see that I could have, with equal justice, replaced "parents" with "government" and "kids" with "citizens".

    link to this | view in thread ]

  7. icon
    DannyB (profile), 28 May 2015 @ 9:11am

    Re: Ok, seriously, what the hell?

    They were waiting to implement government approved golden key encryption. That way their data would really be safe.

    link to this | view in thread ]

  8. identicon
    Lord Binky, 28 May 2015 @ 9:16am

    Uncommonly honest

    Much to our regret, we must inform you


    Well that pretty much says everything about their stance right there. They're more upset they HAD to tell people about the data breach than they are about the data breach....

    link to this | view in thread ]

  9. icon
    John Fenderson (profile), 28 May 2015 @ 9:22am

    Re: Estimated commercial achievements?

    I think I can explain what they mean: $$$

    link to this | view in thread ]

  10. icon
    John Fenderson (profile), 28 May 2015 @ 9:26am

    Re: Who could possibly have seen this coming?

    "They spy on hundreds of thousands of people (admittedly people without the legal right to object), and store all the data in one place."

    This.

    Also, although it's not related to this specific case, people forget about the stupid third party doctrine when they use this stuff. The third party doctrine means that any information a company is holding about you is not private. Storing sensitive information in third party services is asking for trouble.

    link to this | view in thread ]

  11. icon
    ananke (profile), 28 May 2015 @ 9:28am

    “There is no data of 400,000 of our customers on the web,” a spokeswoman for the company told the BBC. “We believe to have become a victim of a predatory attack, aimed to take advantage of our estimated commercial achievements.”

    Phrasing sounds familiar from somewhere

    "I triple guarantee you, there are no American soldiers in Baghdad." - Muhammed Saeed al-Sahaf

    link to this | view in thread ]

  12. icon
    Uriel-238 (profile), 28 May 2015 @ 10:27am

    If he triple-dog guaranteed...

    ...then we'd know he was being serious and earnest.

    link to this | view in thread ]

  13. icon
    Uriel-238 (profile), 28 May 2015 @ 10:29am

    Interest in making fools of them...

    ...is, I suspect less than the interest someone might have of the personal data of thousands of sweet, tasty children.

    link to this | view in thread ]

  14. icon
    DannyB (profile), 28 May 2015 @ 10:45am

    Re: Uncommonly honest

    At least mSpy described them a situation:
    "Naturally, we have communicated with our customers whose data could have been stolen, and described them a situation. We put in place all the necessary remedial measures and continue to work on mechanism of data encryption," she added.
    But then they said information had been WAY TOO exaggerated.
    "However, the scope and format of the aforesaid information is way too exaggerated."
    I'm sure the people at mSpy would have preferred a normal amount of exaggeration.

    Their marketing communications is as competent as their IT department's lack of encryption in the database.

    link to this | view in thread ]

  15. identicon
    PRMan, 28 May 2015 @ 11:35am

    Re: Ok, seriously, what the hell?

    IT?!?

    At EVERY company I have worked at there has been at least one database that stores plaintext passwords.

    At EVERY company I have worked at, I have proposed encrypting users' personal details, especially the passwords but also credit card information, addresses, e-mails, SSNs, etc.

    At EVERY company I have worked at, these requests sat on a queue and were never prioritized to the top.

    At one company, I finally convinced the powers that be that IT should get 10% of the sprint time to work on whatever tasks they wanted. This is the only company where we correctly encrypted all the users' data.

    Nobody in IT should be fired. Whoever prioritizes requests should be fired. I guarantee you that at most companies, at least 1 IT person has been nagging them about it and they just ignore the problem.

    link to this | view in thread ]

  16. identicon
    Rich Kulawiec, 28 May 2015 @ 11:54am

    Re: Who could possibly have seen this coming?

    I did. ;) Right here, a few years ago:

    How New Internet Spying Laws Will Actually ENABLE Stalkers, Spammers, Phishers And, Yes, Pedophiles & Terrorists

    Granted, I was writing about governments, not corporations, but the exact same principles hold.

    The problem with accumulating surveillance (or other) data on anyone/anything is that while you might think you're building a useful resource for protection, you are also, invariably, building a very attractive target. I've started calling this the "meta-spy" problem, because it's actually a very efficient and cheap approach for those looking to acquire data: (1) sit on your hands (2) wait for someone else to spend all the money and expend all the effort to perform data acquisition, storage, processing, etc. (3) when the time is right, copy it from them (4) use it (5) watch as they take the blame for what you're doing.

    In this particular case, the possible consequences are horrific -- because so much of the data is apparently about children. Thus even if we presume that parents had the finest of intentions, and even if we agree with the method they chose, the end result is that they've put their children in much more danger than if they'd done nothing.

    Exercise for the reader: how much tax-free income, conveniently stashed in a plain manila envelope, would one need to hand over to a well-placed system/network admin in order to receive a 4T external drive full of compressed data? After all, hacks/intrusions aren't the only way to pull this off: sometimes the Old Ways are best.

    link to this | view in thread ]

  17. icon
    sigalrm (profile), 28 May 2015 @ 12:30pm

    Re: Re: Ok, seriously, what the hell?

    Or they used the golden key encryption, and someone bad got a hold of the key.

    The end result would be identical.

    link to this | view in thread ]

  18. identicon
    Al Gore, 28 May 2015 @ 12:47pm

    Re: If he triple-dog guaranteed...

    I'm super serial about this

    link to this | view in thread ]

  19. identicon
    Anonymous Coward, 28 May 2015 @ 1:02pm

    And the endresult will be: *Drumroll*

    Nothing!
    Parents and others will just go around and blame the hackers. They surely deserve some of the scorn, but they are not the main problem.
    Some of them will think, that they will never use 'That' company again and will just find another way to do the exact same. There won't be a big debate about how maybe they could just communicate with and trust in their children so as to not put up a stalkers treasure trove of information up on the internet about them.
    Yes, I am cynical, but these people have already proven that they think that they need to protect without regard for the protected, by throwing money at the "problem", so as I see it, they deserve no great faith from me.

    link to this | view in thread ]

  20. identicon
    Zonker, 28 May 2015 @ 4:56pm

    "Naturally, we have communicated with our customers whose data could have been stolen, and described them a situation. We put in place all the necessary remedial measures and continue to work on mechanism of data encryption," she added.
    Just be sure to leave a golden key for the government to access through the front/back/side door, you know... for the children! With the government watching, you can finally rest easy at night knowing your children are safe and secure.

    /sarcasm

    link to this | view in thread ]

  21. icon
    beltorak (profile), 28 May 2015 @ 6:13pm

    Re: Re: Ok, seriously, what the hell?

    Technically, the CIO is in IT, yes? I fully suggest they be first on the chopping block.

    link to this | view in thread ]

  22. icon
    beltorak (profile), 28 May 2015 @ 6:17pm

    Re: If he triple-dog guaranteed...

    noob mistake right there. he should have jumped straight to the triple dog dare.

    link to this | view in thread ]

  23. icon
    tqk (profile), 28 May 2015 @ 6:55pm

    Re: Estimated commercial achievements?

    They're Russians. I suspect they meant "estimal" (aka esteemed) achievements.

    Brian Krebs is well worth watching. He really gets it.

    link to this | view in thread ]

  24. icon
    tqk (profile), 28 May 2015 @ 7:00pm

    Re: Re: Who could possibly have seen this coming?

    You could also have gone with employers and their employees. It wasn't just nosy parents who bought into this.

    link to this | view in thread ]

  25. identicon
    EmmaL Evans, 28 May 2015 @ 10:57pm

    I monitor my kids using iKeyMonitorand I don't care who calls me nosy or invasive. There are lots of Internet horror stories on the TV and online. They are usually the products of kids not realizing the danger of the virtual world. They made arrangements to meet in real life, posted inappropriate pictures on the internet, etc. They don't even trust their parents even if they get any troubles, instead, they will ask their online buddies for help, who may make use of your innocent children.

    link to this | view in thread ]

  26. identicon
    Rekrul, 29 May 2015 @ 2:08am

    I can understand why parents would want to install spy software on their children's computer/devices, but why would they choose one that sends that information back to the parent company?

    link to this | view in thread ]

  27. identicon
    Anonymous Coward, 29 May 2015 @ 4:01am

    Re:

    I thought it means, "there is no way we would have 400,000 customers who must be stupid to be our customers"

    link to this | view in thread ]

  28. icon
    That One Guy (profile), 29 May 2015 @ 5:12am

    Re:

    Because if you're going to ignore the whole 'parenting' thing by handing the responsibility of teaching your kids responsible internet browsing to some third party, why go half-way? /s

    link to this | view in thread ]

  29. icon
    OldMugwump (profile), 29 May 2015 @ 7:35am

    Re: Re: Re: Who could possibly have seen this coming?

    Yes.

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.