There are lots of apps out there for parents spying on their kids computer/smartphone activities — with the marketing pitch often being about how this will help “keep them safe” or some other such thing. mSpy is one of those companies, advertising right on the front page about how its snooping software can “keep children safe and employees efficient.” It leaves out the bit about making both distrustful, but that’s another debate for another day. Brian Krebs recently revealed that a “huge trove of data” had been leaked from mSpy and was being shared around the darkweb. And it exposed not just customer names but “countless emails, text messages, payment and location data” of those children and employees that the company was supposedly making “safe” and “efficient.”
mSpy’s response? Well, first it was to deny the breach entirely, saying that it was a bogus “predatory” attack:
“There is no data of 400,000 of our customers on the web,” a spokeswoman for the company told the BBC. “We believe to have become a victim of a predatory attack, aimed to take advantage of our estimated commercial achievements.”
And, of course, a day or two later, mSpy actually admitted the truth… which was that of course it had been hacked and had the data leaked.
“Much to our regret, we must inform you that data leakage has actually taken place,” spokeswoman Amelie Ross told BBC News.
“However, the scope and format of the aforesaid information is way too exaggerated.”
She said that 80,000 customers had been affected. Initial reports suggested up to 400,000 customer details had been exposed.
“Naturally, we have communicated with our customers whose data could have been stolen, and described them a situation. We put in place all the necessary remedial measures and continue to work on mechanism of data encryption,” she added.
We’ll see. If history is any guide, the hack may be even worse. In almost every story of a big hack into corporate computer systems, the initial estimate on the number of accounts impacted is too low, and adjusted upward at a later date.
Either way, it appears that in the process of trying to make children “safe” — the company may have ended up doing the exact opposite.