Mobile spyware company mSpy has once again leaked millions of customer records to the public internet.
The company develops mobile spyware that customers use to monitor the mobile device activity of their children, partners and others. Security researcher Nitish Shah discovered the mSpy leak via a public-facing database and reached out to cybersecurity journalist Brian Krebs, who first reported the leak.
Krebs looked into the mSpy leak and said no authentication was required to access the database. The customer data included passwords, call logs, text messages, contacts, notes and location data -- all of which was compiled by the mSpy spyware -- and there were millions of records. Additionally, there were records containing the username, password and private encryption key of every mSpy customer who was active in the last six months. The database also included the Apple iCloud usernames and authentication tokens of the Apple devices running mSpy.
According to Krebs, anyone who accessed the database would be able to see WhatsApp and Facebook messages that were also compiled by mSpy.
Krebs also noted that the transaction details of all mSpy licenses purchased within the last six months were exposed, and that included customer names, email addresses and mailing addresses. Additionally, there was browser and internet address information from users visiting the mSpy website.
The exposed database was taken offline this week. But Shah told Krebs the company's support staff ignored him when he tried to alert them to the mSpy leak and asked to be directed to their head of technology or security. After Shah contacted Krebs, Krebs reached out to mSpy as well, with only slightly better results. The chief security officer of mSpy said the company was aware of the issue and was working on it.
In response to Krebs' article, mSpy issued a statement in which it acknowledged there was an incident, but denied that millions of records had been exposed.
This isn't the first mSpy leak in recent years. In 2015, Krebs also reported a data leak after mSpy was hacked and customer data was posted on the dark web. In that breach, the information of over 400,000 was estimated to have been exposed, and mSpy "initially denied suffering a breach for more than a week," according to Krebs, despite customers confirming their data was part of the exposed cache.
In other news:
- The FIDO Alliance has launched a certification program for biometrics. "Biometric user verification has become a popular way to replace passwords and PINs, but the lack of an industry-defined program to validate performance claims has led to concerns over variances in the accuracy and reliability of these solutions," the FIDO Alliance said. The certification, called the Biometric Component Certification Program, is designed for both users and providers. For enterprises, FIDO said, "it provides a standardized way to trust that the biometric systems they are relying upon for fingerprint, iris, face and/or voice recognition can reliably identify users and detect presentation attacks."
- More than 7,500 MikroTik routers were infected with malware, according to researchers from Qihoo 360 Netlab. The malware logs network traffic information and transmits it to servers under the attackers' control. The researchers found the routers were infected through an exploit of a vulnerability disclosed in the Vault7 leaks of alleged CIA hacking tools. The vulnerability, tracked as CVE-2018-14847, was patched in April. The researchers noticed the malicious activity, aimed specifically at MikroTik routers, on their honeypot systems in July. The largest number of routers affected by CVE-2018-14847 exploits was in Russia, with others in Iran, Brazil, India and Ukraine.
- Hackers have compromised the MEGA Chrome extension -- which is used for secure cloud storage -- to steal login credentials and cryptocurrency keys, according to researchers. First discovered by an anonymous researcher called SerHack, the malicious version of the browser extension monitors for usernames and passwords in login forms on Amazon, Microsoft, GitHub and Google, and then sends the credentials to a host in Ukraine. It also scans for URLs relating to cryptocurrency sites and tries to steal that login data as well. The malicious version of the MEGA Chrome extension was put in place at some point after Sept. 2, and Google has already taken it down. There's no evidence the Firefox version of MEGA has been compromised. Chrome users of the MEGA extension should remove it immediately and change all account passwords.