Company That Lets Parents Spy On Their Kids' Computer Usage... Has Database Hacked And Leaked

from the after-denying-it-all dept

There are lots of apps out there for parents spying on their kids' computer/smartphone activities -- with the marketing pitch often being about how this will help "keep them safe" or some other such thing. mSpy is one of those companies, advertising right on the front page about how its snooping software can "keep children safe and employees efficient." It leaves out the bit about making both distrustful, but that's another debate for another day. Brian Krebs recently revealed that a "huge trove of data" had been leaked from mSpy and was being shared around the dark web. And it exposed not just customer names but "countless emails, text messages, payment and location data" of those children and employees that the company was supposedly making "safe" and "efficient."

mSpy's response? Well, first it was to deny the breach entirely, saying that it was a bogus "predatory" attack:
“There is no data of 400,000 of our customers on the web,” a spokeswoman for the company told the BBC. “We believe to have become a victim of a predatory attack, aimed to take advantage of our estimated commercial achievements.”

And, of course, a day or two later, mSpy actually admitted the truth... which was that of course it had been hacked and had the data leaked.
"Much to our regret, we must inform you that data leakage has actually taken place," spokeswoman Amelie Ross told BBC News.

"However, the scope and format of the aforesaid information is way too exaggerated."

She said that 80,000 customers had been affected. Initial reports suggested up to 400,000 customer details had been exposed.

"Naturally, we have communicated with our customers whose data could have been stolen, and described them a situation. We put in place all the necessary remedial measures and continue to work on mechanism of data encryption," she added.

We'll see. If history is any guide, the hack may be even worse. In almost every story of a big hack into corporate computer systems, the initial estimate on the number of accounts impacted is too low, and adjusted upward at a later date.

Either way, it appears that in the process of trying to make children "safe" -- the company may have ended up doing the exact opposite.

Reader Comments

  • Pixelation, 28 May 2015 @ 8:23am

    Reminds me...

    of Spy vs Spy.

  • Just Another Anonymous Troll, 28 May 2015 @ 8:28am

    Ok, seriously, what the hell?

    and continue to work on mechanism of data encryption," she added.
    So you have this entire database full of personally identifiable data including payment details JUST LYING AROUND IN PLAINTEXT?!?! Someone in IT is about to/better be fired.

    • DannyB, 28 May 2015 @ 9:11am

      Re: Ok, seriously, what the hell?

      They were waiting to implement government approved golden key encryption. That way their data would really be safe.

      • sigalrm, 28 May 2015 @ 12:30pm

        Re: Re: Ok, seriously, what the hell?

        Or they used the golden key encryption, and someone bad got a hold of the key.

        The end result would be identical.

    • PRMan, 28 May 2015 @ 11:35am

      Re: Ok, seriously, what the hell?

      IT?!?

      At EVERY company I have worked at there has been at least one database that stores plaintext passwords.

      At EVERY company I have worked at, I have proposed encrypting users' personal details, especially the passwords but also credit card information, addresses, e-mails, SSNs, etc.

      At EVERY company I have worked at, these requests sat on a queue and were never prioritized to the top.

      At one company, I finally convinced the powers that be that IT should get 10% of the sprint time to work on whatever tasks they wanted. This is the only company where we correctly encrypted all the users' data.

      Nobody in IT should be fired. Whoever prioritizes requests should be fired. I guarantee you that at most companies, at least 1 IT person has been nagging them about it and they just ignore the problem.

  • DannyB, 28 May 2015 @ 8:46am

    Estimated commercial achievements?

    “We believe to have become a victim of a predatory attack, aimed to take advantage of our estimated commercial achievements.”
    What exactly are estimated commercial achievements?

    Wishful thinking? Dreams of riches? Cooked books?

    Please explain.

  • DannyB, 28 May 2015 @ 9:00am

    Making children safe

    In the linked BBC article, I got a laugh from the picture of the boy with the phone, his look of shock and eyes about to pop out of his head.

    Boys are naturally curious about sex. But parents who would use a stalking app such as mSpy should patiently sit down with their son and explain to him how women's private parts are lined with razor sharp teeth capable of biting off a child's hand.

  • OldMugwump, 28 May 2015 @ 9:00am

    Who could possibly have seen this coming?

    Really, what did they expect was going to happen?

    They spy on hundreds of thousands of people (admittedly people without the legal right to object), and store all the data in one place. Not even encrypted.

    Did they really think nobody was going to be interested in making fools of them?

    To be fair, a lot of blame also has to be laid at the feet of the parents. If you need to spy on your kids' computer, something is deeply wrong with your relationship with your kids.

    • OldMugwump, 28 May 2015 @ 9:05am

      Re: Who could possibly have seen this coming?

      Hm.

      Re-reading my comment, I see that I could have, with equal justice, replaced "parents" with "government" and "kids" with "citizens".

    • John Fenderson, 28 May 2015 @ 9:26am

      Re: Who could possibly have seen this coming?

      "They spy on hundreds of thousands of people (admittedly people without the legal right to object), and store all the data in one place."

      This.

      Also, although it's not related to this specific case, people forget about the stupid third party doctrine when they use this stuff. The third party doctrine means that any information a company is holding about you is not private. Storing sensitive information in third party services is asking for trouble.

    • Uriel-238, 28 May 2015 @ 10:29am

      Interest in making fools of them...

      ...is, I suspect, less than the interest someone might have of the personal data of thousands of sweet, tasty children.

    • Rich Kulawiec, 28 May 2015 @ 11:54am

      Re: Who could possibly have seen this coming?

      I did. ;) Right here, a few years ago:

      How New Internet Spying Laws Will Actually ENABLE Stalkers, Spammers, Phishers And, Yes, Pedophiles & Terrorists

      Granted, I was writing about governments, not corporations, but the exact same principles hold.

      The problem with accumulating surveillance (or other) data on anyone/anything is that while you might think you're building a useful resource for protection, you are also, invariably, building a very attractive target. I've started calling this the "meta-spy" problem, because it's actually a very efficient and cheap approach for those looking to acquire data: (1) sit on your hands (2) wait for someone else to spend all the money and expend all the effort to perform data acquisition, storage, processing, etc. (3) when the time is right, copy it from them (4) use it (5) watch as they take the blame for what you're doing.

      In this particular case, the possible consequences are horrific -- because so much of the data is apparently about children. Thus even if we presume that parents had the finest of intentions, and even if we agree with the method they chose, the end result is that they've put their children in much more danger than if they'd done nothing.

      Exercise for the reader: how much tax-free income, conveniently stashed in a plain manila envelope, would one need to hand over to a well-placed system/network admin in order to receive a 4T external drive full of compressed data? After all, hacks/intrusions aren't the only way to pull this off: sometimes the Old Ways are best.

  • Lord Binky, 28 May 2015 @ 9:16am

    Uncommonly honest

    Much to our regret, we must inform you


    Well that pretty much says everything about their stance right there. They're more upset they HAD to tell people about the data breach than they are about the data breach....

    • DannyB, 28 May 2015 @ 10:45am

      Re: Uncommonly honest

      At least mSpy described them a situation:
      "Naturally, we have communicated with our customers whose data could have been stolen, and described them a situation. We put in place all the necessary remedial measures and continue to work on mechanism of data encryption," she added.
      But then they said information had been WAY TOO exaggerated.
      "However, the scope and format of the aforesaid information is way too exaggerated."
      I'm sure the people at mSpy would have preferred a normal amount of exaggeration.

      Their marketing communications is as competent as their IT department's lack of encryption in the database.

  • ananke, 28 May 2015 @ 9:28am

    “There is no data of 400,000 of our customers on the web,” a spokeswoman for the company told the BBC. “We believe to have become a victim of a predatory attack, aimed to take advantage of our estimated commercial achievements.”

    Phrasing sounds familiar from somewhere

    "I triple guarantee you, there are no American soldiers in Baghdad." - Muhammed Saeed al-Sahaf

  • Anonymous Coward, 28 May 2015 @ 1:02pm

    And the end result will be: *Drumroll*

    Nothing!
    Parents and others will just go around and blame the hackers. They surely deserve some of the scorn, but they are not the main problem.
    Some of them will think that they will never use 'That' company again and will just find another way to do the exact same. There won't be a big debate about how maybe they could just communicate with and trust in their children so as to not put up a stalker's treasure trove of information up on the internet about them.
    Yes, I am cynical, but these people have already proven that they think that they need to protect without regard for the protected, by throwing money at the "problem", so as I see it, they deserve no great faith from me.

  • Zonker, 28 May 2015 @ 4:56pm

    "Naturally, we have communicated with our customers whose data could have been stolen, and described them a situation. We put in place all the necessary remedial measures and continue to work on mechanism of data encryption," she added.
    Just be sure to leave a golden key for the government to access through the front/back/side door, you know... for the children! With the government watching, you can finally rest easy at night knowing your children are safe and secure.

    /sarcasm

  • EmmaL Evans, 28 May 2015 @ 10:57pm

    I monitor my kids using iKeyMonitor and I don't care who calls me nosy or invasive. There are lots of Internet horror stories on the TV and online. They are usually the products of kids not realizing the danger of the virtual world. They made arrangements to meet in real life, posted inappropriate pictures on the internet, etc. They don't even trust their parents even if they get any troubles, instead, they will ask their online buddies for help, who may make use of your innocent children.

  • Rekrul, 29 May 2015 @ 2:08am

    I can understand why parents would want to install spy software on their children's computer/devices, but why would they choose one that sends that information back to the parent company?

    • That One Guy, 29 May 2015 @ 5:12am

      Re:

      Because if you're going to ignore the whole 'parenting' thing by handing the responsibility of teaching your kids responsible internet browsing to some third party, why go half-way? /s
