Spyware maker mSpy exposes iCloud info as part of massive data breach

The private data of millions of people -- including iCloud usernames and authentication tokens -- was recently exposed on an mSpy Web database which, until it was taken down, didn't require authentication.



The database only went offline earlier this week, according to writer Brian Krebs, who was alerted to the problem by security researcher Nitish Shah. In addition to iCloud information, the database also included mSpy logs and logins, private encryption keys, and transactions for mSpy licenses, the last for a period of six months.

mSpy is intended to let people spy on the devices of family members, keeping track of activity in apps. Such spyware is illegal to sell in the U.S., and indeed the company behind mSpy has a nebulous corporate residence.

Shah reportedly tried to warn mSpy about his findings, but found himself blocked by the company's live support team when he asked to get in contact with a CTO or head of security. Krebs got in touch with mSpy on Aug. 30, which finally yielded an email from "Andrew," the chief security officer.

"We have been working hard to secure our system from any possible leaks, attacks, and private information disclosure," the person wrote. "All our customers' accounts are securely encrypted and the data is being wiped out once in a short period of time. Thanks to you we have prevented this possible breach and from what we could discover the data you are talking about could be some amount of customers' emails and possibly some other data. However, we could only find that there were only a few points of access and activity with the data."

At least some of that access belonged to Shah and Krebs.

The mSpy service last suffered a major breach in May 2015, which resulted in customer data being posted to the dark Web -- a portion of the internet that can't be accessed without special tools or settings, and that is sometimes benign but also exploited by criminals.

Legitimate iCloud logins can be particularly lucrative, since successfully breaking into an account can potentially grant access to a wealth of other personal information and services, as well as downloads from places like the App Store.

Comments

  • Reply 1 of 42
    This is why I do not store sensitive data in the cloud.
  • Reply 2 of 42
    davgreg said:
    This is why I do not store sensitive data in the cloud.

    Nothing to do with iCloud or cloud in general. It has to do with people giving a third party service access to your data.

    This is why I have never installed monitoring software on my kids' devices, despite my wife always sending me links for various types of Apps that are supposed to help keep track of their activity or set limits. They always require you to give them access far above what any reasonable App should require, even your iCloud login in some cases.


    This is why I'm stoked about iOS 12 as I'll now have these types of abilities built-in. So I can monitor my kids AND stay secure.
  • Reply 3 of 42
    davgreg said:
    This is why I do not store sensitive data in the cloud.
    This is why I try to inform myself about quality and seriousness of the service provider before I submit my data. Until now I’m having no issues with Apple’s iCloud and I use them without reluctance. Apart from this the only other service I chose to trust is iPin, which I would drop in a heartbeat if Apple would have an iOS counterpart of keychain access where I could e.g. also store pictures of cards and retrieve them at will. Oh yes, and Sleep Cycle has access to selected health data.

  • Reply 4 of 42
    The article is weird. The breach is basically saying: "a notebook with someone's passwords was found and one of those passwords was their iCloud password. Others were their google and facebook passwords". I feel badly for them but it's got nothing to do with iCloud security. Even weirder, the breach is of a service that has a narrow audience - it's not even an available service if it's true that "Such spyware is illegal to sell in the U.S.". It's not like it was some app that was available in the App Store.
  • Reply 5 of 42
    maestro64 Posts: 4,236 member
    davgreg said:
    This is why I do not store sensitive data in the cloud.

    Nothing to do with iCloud or cloud in general. It has to do with people giving a third party service access to your data.

    This is why I have never installed monitoring software on my kids' devices, despite my wife always sending me links for various types of Apps that are supposed to help keep track of their activity or set limits. They always require you to give them access far above what any reasonable App should require, even your iCloud login in some cases.


    This is why I'm stoked about iOS 12 as I'll now have these types of abilities built-in. So I can monitor my kids AND stay secure.
    I agree 100% about not allowing 3rd parties access to my systems.

    The simple solution to knowing what your kids are doing is to just ask them; most of the time they will just tell you. If you think they are not sharing all the information, have them turn over their devices to you; you own it and pay for the service. You need to instill in your kids that as long as you're paying their bills you have a say-so over what they can and cannot do. I did this with my kids and today they are both very independent people who make their own money since they do not want someone else telling them what they can do. They are both well educated on all the bad things that could happen if they are not careful; we made everything a learning situation.
  • Reply 6 of 42
    Don’t worry 70% iCloud accounts have 2FA enabled.
  • Reply 7 of 42
    dewme Posts: 1,617 member
    The article is weird. The breach is basically saying: "a notebook with someone's passwords was found and one of those passwords was their iCloud password. Others were their google and facebook passwords". I feel badly for them but it's got nothing to do with iCloud security. Even weirder, the breach is of a service that has a narrow audience - it's not even an available service if it's true that "Such spyware is illegal to sell in the U.S.". It's not like it was some app that was available in the App Store.
    Exactly. The fact that some of the data that this firm failed to secure happened to be iCloud related unfairly casts a negative net over Apple. Simply having "iCloud" and "data breach" in the same sentence is feeding into the fear and uncertainty that some people have about all cloud platforms. The fact is that EVERY BIT of information that customers trusted this firm with was compromised, whether it was related to iCloud, GMail, secret Swiss bank account passwords, private financial data, or whatever.

    It all comes down to: Who do you trust with your privacy and personal information? Whether it's the guy who installed your home security system, your bank, your mortgage lender, your financial advisor, the veterans association (VA), your doctor's office, a credit service bureau, or a cloud service provider, the only thing that matters is whether they are worthy of your Trust and safeguarding everything associated with your trust relationship.

    I truly hope that Apple never fails to uphold their side of the trust relationship with iCloud customers. So far, so good. I believe Apple has the technical chops, knowledge, and commitment to hold up their end of the bargain. But some of the other examples I gave, like the VA, mortgage lenders, and credit service bureaus have failed miserably to live up to their trust relationship with me personally, usually due to their incompetence, ineptitude, and utter cluelessness. Some of these organizations had, and still have, absolutely no understanding of how screwed they really are. I suspect other folks have had similar experiences with some of the examples given, and many others. 
  • Reply 8 of 42
    davgreg said:
    This is why I do not store sensitive data in the cloud.

    Nothing to do with iCloud or cloud in general. It has to do with people giving a third party service access to your data.

    This is why I have never installed monitoring software on my kids' devices, despite my wife always sending me links for various types of Apps that are supposed to help keep track of their activity or set limits. They always require you to give them access far above what any reasonable App should require, even your iCloud login in some cases.


    This is why I'm stoked about iOS 12 as I'll now have these types of abilities built-in. So I can monitor my kids AND stay secure.
    Well, yeh, it does have to deal with the cloud.
    ... If you have nothing there, there's nothing to steal.  Physical security -- such as keeping the data on one physical device that nobody has access to is one of many types of security. 

    Storing stuff in cloud provides a number of benefits -- but it also makes it more likely to be stolen.
  • Reply 9 of 42
    dysamoria Posts: 1,776 member
    This one sentence paragraph makes no sense:

    "At least some that access belonged to Shah and Krebs."
  • Reply 10 of 42
    And this will be the type of story we will see weekly if the U.K. and U.S. and a few other Govt's in the supposedly 'free' Western world get the back doors they want into everyone's devices and lives.
  • Reply 11 of 42
    maestro64 said:
    davgreg said:
    This is why I do not store sensitive data in the cloud.

    Nothing to do with iCloud or cloud in general. It has to do with people giving a third party service access to your data.

    This is why I have never installed monitoring software on my kids' devices, despite my wife always sending me links for various types of Apps that are supposed to help keep track of their activity or set limits. They always require you to give them access far above what any reasonable App should require, even your iCloud login in some cases.


    This is why I'm stoked about iOS 12 as I'll now have these types of abilities built-in. So I can monitor my kids AND stay secure.
    I agree 100% about not allowing 3rd parties access to my systems.

    The simple solution to knowing what your kids are doing is to just ask them; most of the time they will just tell you. If you think they are not sharing all the information, have them turn over their devices to you; you own it and pay for the service. You need to instill in your kids that as long as you're paying their bills you have a say-so over what they can and cannot do. I did this with my kids and today they are both very independent people who make their own money since they do not want someone else telling them what they can do. They are both well educated on all the bad things that could happen if they are not careful; we made everything a learning situation.
    Yes, life is simple.  Very black and white.   Good vs bad.   Very simple.  /s
  • Reply 12 of 42
    Don’t worry 70% iCloud accounts have 2FA enabled.
    Something I do immediately with any company I register with who grants Two-Factor authentication.
  • Reply 13 of 42
    davgreg said:
    This is why I do not store sensitive data in the cloud.

    Nothing to do with iCloud or cloud in general. It has to do with people giving a third party service access to your data.

    This is why I have never installed monitoring software on my kids' devices, despite my wife always sending me links for various types of Apps that are supposed to help keep track of their activity or set limits. They always require you to give them access far above what any reasonable App should require, even your iCloud login in some cases.


    This is why I'm stoked about iOS 12 as I'll now have these types of abilities built-in. So I can monitor my kids AND stay secure.
    Well, yeh, it does have to deal with the cloud.
    ... If you have nothing there, there's nothing to steal.  Physical security -- such as keeping the data on one physical device that nobody has access to is one of many types of security. 

    Storing stuff in cloud provides a number of benefits -- but it also makes it more likely to be stolen.
    I'm not sure if I'm understanding the situation correctly, but the impression I have is that the only iCloud information exposed by this breach is that belonging to people who subscribe to the mSpy service. Is that correct? If so, the danger is not in storing information in the cloud -- the problem was having an mSpy account, because if you don't have an mSpy account, your information wasn't exposed.
  • Reply 14 of 42

    wonkothesane said:
    ...the only other service I chose to trust is iPin which i would drop in a heartbeat if Apple would have an iOS counterpart of keychain access where I could e.g. also store pictures of cards and retrieve them at will.
    I'm not at all sure what you mean when needing an iOS way of safely storing pictures of cards… Do you mean Pictures of Credit/Debit cards? If so, you can already use a few iOS>MacOS iCloud apps with account authentication beyond 2FA.
  • Reply 15 of 42
    davgreg said:
    This is why I do not store sensitive data in the cloud.

    Nothing to do with iCloud or cloud in general. It has to do with people giving a third party service access to your data.

    This is why I have never installed monitoring software on my kids' devices, despite my wife always sending me links for various types of Apps that are supposed to help keep track of their activity or set limits. They always require you to give them access far above what any reasonable App should require, even your iCloud login in some cases.


    This is why I'm stoked about iOS 12 as I'll now have these types of abilities built-in. So I can monitor my kids AND stay secure.
    Well, yeh, it does have to deal with the cloud.
    ... If you have nothing there, there's nothing to steal.  Physical security -- such as keeping the data on one physical device that nobody has access to is one of many types of security. 

    Storing stuff in cloud provides a number of benefits -- but it also makes it more likely to be stolen.

    Wrong. iCloud has never been hacked. People have had all sorts of information stolen from malware on their devices or even misbehaving Apps not respecting privacy.

    The only way data on a physical device could be more secure is if that device is never connected to anything. Which is simply not possible these days.
  • Reply 16 of 42
    maestro64 said:
    davgreg said:
    This is why I do not store sensitive data in the cloud.

    Nothing to do with iCloud or cloud in general. It has to do with people giving a third party service access to your data.

    This is why I have never installed monitoring software on my kids' devices, despite my wife always sending me links for various types of Apps that are supposed to help keep track of their activity or set limits. They always require you to give them access far above what any reasonable App should require, even your iCloud login in some cases.


    This is why I'm stoked about iOS 12 as I'll now have these types of abilities built-in. So I can monitor my kids AND stay secure.
    I agree 100% about not allowing 3rd parties access to my systems.

    The simple solution to knowing what your kids are doing is to just ask them; most of the time they will just tell you. If you think they are not sharing all the information, have them turn over their devices to you; you own it and pay for the service. You need to instill in your kids that as long as you're paying their bills you have a say-so over what they can and cannot do. I did this with my kids and today they are both very independent people who make their own money since they do not want someone else telling them what they can do. They are both well educated on all the bad things that could happen if they are not careful; we made everything a learning situation.
    Yes, life is simple.  Very black and white.   Good vs bad.   Very simple.  /s
    Sounds like good parenting to me. At least the foundation is there—which is far more than I can say for the lot of you who don’t even discipline your children by letting them know that there are consequences for bad behavior. You simply can’t expect tech to be a substitute for you. 
  • Reply 17 of 42
    Don’t worry 70% iCloud accounts have 2FA enabled.
    But with companies like this effectively handing out access to your cellular account like candy that 2FA might be back down to 1FA: https://appleinsider.com/articles/18/08/27/sprint-staff-portal-poorly-secured-allowed-for-easy-sim-swapping-attack
  • Reply 18 of 42
    mac_dog said:
    maestro64 said:
    davgreg said:
    This is why I do not store sensitive data in the cloud.

    Nothing to do with iCloud or cloud in general. It has to do with people giving a third party service access to your data.

    This is why I have never installed monitoring software on my kids' devices, despite my wife always sending me links for various types of Apps that are supposed to help keep track of their activity or set limits. They always require you to give them access far above what any reasonable App should require, even your iCloud login in some cases.


    This is why I'm stoked about iOS 12 as I'll now have these types of abilities built-in. So I can monitor my kids AND stay secure.
    I agree 100% about not allowing 3rd parties access to my systems.

    The simple solution to knowing what your kids are doing is to just ask them; most of the time they will just tell you. If you think they are not sharing all the information, have them turn over their devices to you; you own it and pay for the service. You need to instill in your kids that as long as you're paying their bills you have a say-so over what they can and cannot do. I did this with my kids and today they are both very independent people who make their own money since they do not want someone else telling them what they can do. They are both well educated on all the bad things that could happen if they are not careful; we made everything a learning situation.
    Yes, life is simple.  Very black and white.   Good vs bad.   Very simple.  /s
    Sounds like good parenting to me. At least the foundation is there—which is far more than I can say for the lot of you who don’t even discipline your children by letting them know that there are consequences for bad behavior. You simply can’t expect tech to be a substitute for you. 

    Really? There's a "the lot of you who don’t even discipline your children"? I'm really curious how you were able to extrapolate that information from any posts made here.
  • Reply 19 of 42

    "Thanks to you we have prevented this possible breach and from what we could discover the data you are talking about could be some amount of customers' emails and possibly some other data. However, we could only find that there were only a few points of access and activity with the data."
    Translation: We actually didn't prevent a breach but that gaping hole that persisted for six months is finally closed. There were a few points of access and activity, but it amounted to all that data now available for sale on the dark web.
  • Reply 20 of 42
    davgreg said:
    This is why I do not store sensitive data in the cloud.
    This is why I try to inform myself about quality and seriousness of the service provider before I submit my data. Until now I’m having no issues with Apple’s iCloud and I use them without reluctance. Apart from this the only other service I chose to trust is iPin, which I would drop in a heartbeat if Apple would have an iOS counterpart of keychain access where I could e.g. also store pictures of cards and retrieve them at will. Oh yes, and Sleep Cycle has access to selected health data.

    I use Apple Notes for storing any cards or data. If it is sensitive, like a password or credit card number I don’t want my phone to remember, I lock it with Touch ID for quick access.