A company offering software that allows people to spy on others has admitted it has been hacked and had thousands of customer records leaked online. The admission comes a day after mSpy told BBC News it had not been hacked and no data had been stolen.
It has also emerged that the UK’s Information Commissioner is investigating the company. The regulator told the BBC it was “aware of the breach and is trying to find out where the company is based”.
mSpy offers software it says is aimed at parents worried about what their children are up to online and employers who want to legitimately track their employees.
But it is also used for more nefarious purposes, such as spouses spying on their partners.
Security expert Brian Krebs broke the news that a vast vault of highly personal data from mSpy customers had been dumped on the so-called dark web – an area of the internet that cannot be reached by traditional search engines.
He had been contacted by an anonymous source who had sent him a link to the data on a Tor-based site – technology that allows people to mask the identity of their websites.
BBC News has now also been sent links to the data, which it is currently analysing.
After insisting that the data was fake and no breach had taken place, mSpy has now admitted that data had been stolen.
“Much to our regret, we must inform you that data leakage has actually taken place,” spokeswoman Amelie Ross told BBC News.
“However, the scope and format of the aforesaid information is way too exaggerated.”
She said that 80,000 customers had been affected. Initial reports suggested up to 400,000 customer details had been exposed.
“Naturally, we have communicated with our customers whose data could have been stolen, and described them a situation. We put in place all the necessary remedial measures and continue to work on mechanism of data encryption,” she added.
Mr Krebs said that he had also contacted “multiple customers of mSpy” via the link he had been sent.
“I spent the better part of the day today pulling customer records from the hundreds of gigabytes of data leaked from mSpy. I spoke with multiple customers whose payment and personal data — and that of their kids, employees and significant others — were included in the huge cache. All confirmed they are or were recently paying customers of mSpy,” he wrote in his blog.
Katherine Till, one of the customers contacted by Mr Krebs, confirmed to him that she and her husband had paid mSpy to monitor the mobile device of their 14-year-old daughter.
She told the security expert that she was unaware of any breach.
“This is disturbing, because who knows what someone could do with all that data from her phone,” she told Mr Krebs.
Another user whose financial and personal data was in the cache asked not to be identified but told the security expert that he had paid mSpy to secretly monitor the mobile device of a “friend.”
The Information Commissioner’s Office advised customers worried that their data might have been exposed to contact mSpy in the first instance.
“If they get no joy with the company, they can get in touch with us,” a spokesman said.
The regulator’s initial investigation is aimed at finding out whether the company, which has a London office, is based in the UK.
The BBC has been told the company is based in California.
The company is also under fire in the US, with Minnesota senator Al Franken describing the software as “nothing short of terrifying” and likening it to “stalking apps”.
He wants the government to investigate the company and has written to the Department of Justice and the Federal Trade Commission.
He writes: “I believe every American has a fundamental right to privacy, which includes the right to control whether and with whom personal, sensitive information – including location data – is being shared.”