Company That Lets Parents Spy On Their Kids' Computer Usage… Has Database Hacked And Leaked

from the after-denying-it-all dept

There are lots of apps out there for parents spying on their kids' computer/smartphone activities — with the marketing pitch often being about how this will help “keep them safe” or some other such thing. mSpy is one of those companies, advertising right on the front page about how its snooping software can “keep children safe and employees efficient.” It leaves out the bit about making both distrustful, but that’s another debate for another day. Brian Krebs recently revealed that a “huge trove of data” had been leaked from mSpy and was being shared around the dark web. And it exposed not just customer names but “countless emails, text messages, payment and location data” of those children and employees that the company was supposedly making “safe” and “efficient.”

mSpy’s response? Well, first it was to deny the breach entirely, saying that it was a bogus “predatory” attack:

“There is no data of 400,000 of our customers on the web,” a spokeswoman for the company told the BBC. “We believe to have become a victim of a predatory attack, aimed to take advantage of our estimated commercial achievements.”

And, of course, a day or two later, mSpy actually admitted the truth… which was that of course it had been hacked and had the data leaked.

“Much to our regret, we must inform you that data leakage has actually taken place,” spokeswoman Amelie Ross told BBC News.

“However, the scope and format of the aforesaid information is way too exaggerated.”

She said that 80,000 customers had been affected. Initial reports suggested up to 400,000 customer details had been exposed.

“Naturally, we have communicated with our customers whose data could have been stolen, and described them a situation. We put in place all the necessary remedial measures and continue to work on mechanism of data encryption,” she added.

We’ll see. If history is any guide, the hack may be even worse. In almost every story of a big hack into corporate computer systems, the initial estimate on the number of accounts impacted is too low, and adjusted upward at a later date.

Either way, it appears that in the process of trying to make children “safe” — the company may have ended up doing the exact opposite.

Companies: mspy


Comments on “Company That Lets Parents Spy On Their Kids' Computer Usage… Has Database Hacked And Leaked”

29 Comments
PRMan (profile) says:

Re: Ok, seriously, what the hell?

IT?!?

At EVERY company I have worked at there has been at least one database that stores plaintext passwords.

At EVERY company I have worked at, I have proposed encrypting users’ personal details, especially the passwords but also credit card information, addresses, e-mails, SSNs, etc.

At EVERY company I have worked at, these requests sat on a queue and were never prioritized to the top.

At one company, I finally convinced the powers that be that IT should get 10% of the sprint time to work on whatever tasks they wanted. This is the only company where we correctly encrypted all the users’ data.

Nobody in IT should be fired. Whoever prioritizes requests should be fired. I guarantee you that at most companies, at least 1 IT person has been nagging them about it and they just ignore the problem.

DannyB (profile) says:

Making children safe

In the linked BBC article, I got a laugh from the picture of the boy with the phone, his look of shock and eyes about to pop out of his head.

Boys are naturally curious about sex. But parents who would use a stalking app such as mSpy should patiently sit down with their son and explain to him how women’s private parts are lined with razor sharp teeth capable of biting off a child’s hand.

OldMugwump (profile) says:

Who could possibly have seen this coming?

Really, what did they expect was going to happen?

They spy on hundreds of thousands of people (admittedly people without the legal right to object), and store all the data in one place. Not even encrypted.

Did they really think nobody was going to be interested in making fools of them?

To be fair, a lot of blame also has to be laid at the feet of the parents. If you need to spy on your kids' computer, something is deeply wrong with your relationship with your kids.

John Fenderson (profile) says:

Re: Who could possibly have seen this coming?

“They spy on hundreds of thousands of people (admittedly people without the legal right to object), and store all the data in one place.”

This.

Also, although it’s not related to this specific case, people forget about the stupid third party doctrine when they use this stuff. The third party doctrine means that any information a company is holding about you is not private. Storing sensitive information in third party services is asking for trouble.

Rich Kulawiec (profile) says:

Re: Who could possibly have seen this coming?

I did. 😉 Right here, a few years ago:

How New Internet Spying Laws Will Actually ENABLE Stalkers, Spammers, Phishers And, Yes, Pedophiles & Terrorists

Granted, I was writing about governments, not corporations, but the exact same principles hold.

The problem with accumulating surveillance (or other) data on anyone/anything is that while you might think you’re building a useful resource for protection, you are also, invariably, building a very attractive target. I’ve started calling this the “meta-spy” problem, because it’s actually a very efficient and cheap approach for those looking to acquire data: (1) sit on your hands (2) wait for someone else to spend all the money and expend all the effort to perform data acquisition, storage, processing, etc. (3) when the time is right, copy it from them (4) use it (5) watch as they take the blame for what you’re doing.

In this particular case, the possible consequences are horrific — because so much of the data is apparently about children. Thus even if we presume that parents had the finest of intentions, and even if we agree with the method they chose, the end result is that they’ve put their children in much more danger than if they’d done nothing.

Exercise for the reader: how much tax-free income, conveniently stashed in a plain manila envelope, would one need to hand over to a well-placed system/network admin in order to receive a 4T external drive full of compressed data? After all, hacks/intrusions aren’t the only way to pull this off: sometimes the Old Ways are best.

DannyB (profile) says:

Re: Uncommonly honest

At least mSpy described them a situation:

“Naturally, we have communicated with our customers whose data could have been stolen, and described them a situation. We put in place all the necessary remedial measures and continue to work on mechanism of data encryption,” she added.

But then they said information had been WAY TOO exaggerated.

“However, the scope and format of the aforesaid information is way too exaggerated.”

I’m sure the people at mSpy would have preferred a normal amount of exaggeration.

Their marketing communications is as competent as their IT department’s lack of encryption in the database.

ananke (profile) says:

“There is no data of 400,000 of our customers on the web,” a spokeswoman for the company told the BBC. “We believe to have become a victim of a predatory attack, aimed to take advantage of our estimated commercial achievements.”

Phrasing sounds familiar from somewhere

“I triple guarantee you, there are no American soldiers in Baghdad.” – Muhammed Saeed al-Sahaf

Anonymous Coward says:

And the end result will be: *Drumroll*

Nothing!
Parents and others will just go around and blame the hackers. They surely deserve some of the scorn, but they are not the main problem.
Some of them will think that they will never use ‘That’ company again and will just find another way to do the exact same. There won’t be a big debate about how maybe they could just communicate with and trust in their children so as to not put up a stalker’s treasure trove of information up on the internet about them.
Yes, I am cynical, but these people have already proven that they think that they need to protect without regard for the protected, by throwing money at the “problem”, so as I see it, they deserve no great faith from me.

Zonker says:

“Naturally, we have communicated with our customers whose data could have been stolen, and described them a situation. We put in place all the necessary remedial measures and continue to work on mechanism of data encryption,” she added.

Just be sure to leave a golden key for the government to access through the front/back/side door, you know… for the children! With the government watching, you can finally rest easy at night knowing your children are safe and secure.

/sarcasm

EmmaL Evans says:

I monitor my kids using iKeyMonitor and I don’t care who calls me nosy or invasive. There are lots of Internet horror stories on the TV and online. They are usually the products of kids not realizing the danger of the virtual world. They made arrangements to meet in real life, posted inappropriate pictures on the internet, etc. They don’t even trust their parents even if they get any troubles, instead, they will ask their online buddies for help, who may make use of your innocent children.
