Spyware maker mSpy exposes iCloud info as part of massive data breach
The private data of millions of people -- including iCloud usernames and authentication tokens -- was recently exposed on an mSpy Web database which, until it was taken down, didn't require authentication.
The database only went offline earlier this week, according to writer Brian Krebs, who was alerted to the problem by security researcher Nitish Shah. In addition to iCloud information, the database also included mSpy logs and logins, private encryption keys, and transactions for mSpy licenses, the last for a period of six months.
mSpy is intended to let people spy on the devices of family members, keeping track of activity in apps. Such spyware is illegal to sell in the U.S., and indeed the company behind mSpy has a nebulous corporate residence.
Shah reportedly tried to warn mSpy about his findings, but found himself blocked by the company's live support team when he asked to get in contact with a CTO or head of security. Krebs got in touch with mSpy on Aug. 30, which finally yielded an email from "Andrew," the chief security officer.
"We have been working hard to secure our system from any possible leaks, attacks, and private information disclosure," the person wrote. "All our customers' accounts are securely encrypted and the data is being wiped out once in a short period of time. Thanks to you we have prevented this possible breach and from what we could discover the data you are talking about could be some amount of customers' emails and possibly some other data. However, we could only find that there were only a few points of access and activity with the data."
At least some that access belonged to Shah and Krebs.
The mSpy service last suffered a major breach in May 2015, which resulted in customer data being posted to the dark Web -- a portion of the internet which can't be accessed without special tools or settings, which is sometimes benign but also exploited by criminals.
Legitimate iCloud logins can be particularly lucrative, since successfully breaking into an account can potentially grant access to a wealth of other personal information and services, as well as downloads from places like the App Store.
The database only went offline earlier this week, according to writer Brian Krebs, who was alerted to the problem by security researcher Nitish Shah. In addition to iCloud information, the database also included mSpy logs and logins, private encryption keys, and transactions for mSpy licenses, the last for a period of six months.
mSpy is intended to let people spy on the devices of family members, keeping track of activity in apps. Such spyware is illegal to sell in the U.S., and indeed the company behind mSpy has a nebulous corporate residence.
Shah reportedly tried to warn mSpy about his findings, but found himself blocked by the company's live support team when he asked to get in contact with a CTO or head of security. Krebs got in touch with mSpy on Aug. 30, which finally yielded an email from "Andrew," the chief security officer.
"We have been working hard to secure our system from any possible leaks, attacks, and private information disclosure," the person wrote. "All our customers' accounts are securely encrypted and the data is being wiped out once in a short period of time. Thanks to you we have prevented this possible breach and from what we could discover the data you are talking about could be some amount of customers' emails and possibly some other data. However, we could only find that there were only a few points of access and activity with the data."
At least some that access belonged to Shah and Krebs.
The mSpy service last suffered a major breach in May 2015, which resulted in customer data being posted to the dark Web -- a portion of the internet which can't be accessed without special tools or settings, which is sometimes benign but also exploited by criminals.
Legitimate iCloud logins can be particularly lucrative, since successfully breaking into an account can potentially grant access to a wealth of other personal information and services, as well as downloads from places like the App Store.
Comments
Nothing to do with iCloud or cloud in general. It has to do with people giving a third party service access to your data.
This is why I have never installed monitoring software on my kids devices, despite my wife always sending me links for various types of Apps that are supposed to help keep track of their activity or set limits. They always require you to give them access far above what any reasonable App should require, even your iCloud login in some cases.
This is why I'm stoked about iOS 12 as I'll now have these types of abilities built-in. So I can monitor my kids AND stay secure.
The simple solution to knowing what your kids are doing is just ask them most time they will just tell you. If you think they are not sharing all the information have them turn over their devices to you, you own it and pay for the service. You need to instill upon your kids as long as you're paying their bills you have a say so over what they can and can not do. I did this with my kids and today they both very independent people who make their own money since they do not want someone else telling them what they can do. They are both well educated on all the bad things that could happen if they are not careful, we made everything a learning situation.
It's all comes down to: Who do you trust with your privacy and personal information? Whether it's the guy who installed your home security system, your bank, your mortgage lender, your financial advisor, the veterans association (VA), your doctors office, a credit service bureau, or a cloud service provider, the only thing that matters is whether they are worthy of your Trust and safeguarding everything associated with your trust relationship.
I truly hope that Apple never fails to uphold their side of the trust relationship with iCloud customers. So far, so good. I believe Apple has the technical chops, knowledge, and commitment to hold up their end of the bargain. But some of the other examples I gave, like the VA, mortgage lenders, and credit service bureaus have failed miserably to live up to their trust relationship with me personally, usually due to their incompetence, ineptitude, and utter cluelessness. Some of these organizations had, and still have, absolutely no understanding of how screwed they really are. I suspect other folks have had similar experiences with some of the examples given, and many others.
"At least some that access belonged to Shah and Krebs."
I'm not at all sure what you mean when needing an iOS way of safely storing pictures of cards… Do you mean Pictures of Credit/Debit cards? If so, you can already use a few iOS>MacOS iCloud apps with account authentication beyond 2FA.
Wrong. iCloud has never been hacked. People have had all sorts of information stolen from malware on their devices or even misbehaving Apps not respecting privacy.
The only way data on a physical device could be more secure is if that device is never connected to anything. Which is simply not possible these days.
Really? There's a "the lot of you who don’t even discipline your children"? I'm really curious how you were able to extrapolate that information from any posts made here.