Company That Lets Parents Spy On Their Kids' Computer Usage… Has Database Hacked And Leaked
from the after-denying-it-all dept
There are lots of apps out there for parents to spy on their kids' computer/smartphone activities — with the marketing pitch often being about how this will help “keep them safe” or some other such thing. mSpy is one of those companies, advertising right on the front page about how its snooping software can “keep children safe and employees efficient.” It leaves out the bit about making both distrustful, but that’s another debate for another day. Brian Krebs recently revealed that a “huge trove of data” had been leaked from mSpy and was being shared around the darkweb. And it exposed not just customer names but “countless emails, text messages, payment and location data” of those children and employees that the company was supposedly making “safe” and “efficient.”
mSpy’s response? Well, first it was to deny the breach entirely, saying that it was a bogus “predatory” attack:
“There is no data of 400,000 of our customers on the web,” a spokeswoman for the company told the BBC. “We believe to have become a victim of a predatory attack, aimed to take advantage of our estimated commercial achievements.”
And, of course, a day or two later, mSpy actually admitted the truth… which was that of course it had been hacked and had the data leaked.
“Much to our regret, we must inform you that data leakage has actually taken place,” spokeswoman Amelie Ross told BBC News.
“However, the scope and format of the aforesaid information is way too exaggerated.”
She said that 80,000 customers had been affected. Initial reports suggested up to 400,000 customer details had been exposed.
“Naturally, we have communicated with our customers whose data could have been stolen, and described them a situation. We put in place all the necessary remedial measures and continue to work on mechanism of data encryption,” she added.
We’ll see. If history is any guide, the hack may be even worse. In almost every story of a big hack into corporate computer systems, the initial estimate on the number of accounts impacted is too low, and adjusted upward at a later date.
Either way, it appears that in the process of trying to make children “safe” — the company may have ended up doing the exact opposite.
Comments on “Company That Lets Parents Spy On Their Kids' Computer Usage… Has Database Hacked And Leaked”
Reminds me...
of Spy vs Spy.
Ok, seriously, what the hell?
and continue to work on mechanism of data encryption,” she added.
So you have this entire database full of personally identifiable data including payment details JUST LYING AROUND IN PLAINTEXT?!?! Someone in IT is about to/better be fired.
Re: Ok, seriously, what the hell?
They were waiting to implement government approved golden key encryption. That way their data would really be safe.
Re: Re: Ok, seriously, what the hell?
Or they used the golden key encryption, and someone bad got a hold of the key.
The end result would be identical.
Re: Ok, seriously, what the hell?
IT?!?
At EVERY company I have worked at there has been at least one database that stores plaintext passwords.
At EVERY company I have worked at, I have proposed encrypting users’ personal details, especially the passwords but also credit card information, addresses, e-mails, SSNs, etc.
At EVERY company I have worked at, these requests sat on a queue and were never prioritized to the top.
At one company, I finally convinced the powers that be that IT should get 10% of the sprint time to work on whatever tasks they wanted. This is the only company where we correctly encrypted all the users’ data.
Nobody in IT should be fired. Whoever prioritizes requests should be fired. I guarantee you that at most companies, at least 1 IT person has been nagging them about it and they just ignore the problem.
Re: Re: Ok, seriously, what the hell?
Technically, the CIO is in IT, yes? I fully suggest they be first on the chopping block.
Estimated commercial achievements?
What exactly are estimated commercial achievements?
Wishful thinking? Dreams of riches? Cooked books?
Please explain.
Re: Estimated commercial achievements?
I think I can explain what they mean: $$$
Re: Estimated commercial achievements?
They’re Russians. I suspect they meant “estimal” (aka esteemed) achievements.
Brian Krebs is well worth watching. He really gets it.
Making children safe
In the linked BBC article, I got a laugh from the picture of the boy with the phone, his look of shock and eyes about to pop out of his head.
Boys are naturally curious about sex. But parents who would use a stalking app such as mSpy should patiently sit down with their son and explain to him how women’s private parts are lined with razor sharp teeth capable of biting off a child’s hand.
Who could possibly have seen this coming?
Really, what did they expect was going to happen?
They spy on hundreds of thousands of people (admittedly people without the legal right to object), and store all the data in one place. Not even encrypted.
Did they really think nobody was going to be interested in making fools of them?
To be fair, a lot of blame also has to be laid at the feet of the parents. If you need to spy on your kids' computer, something is deeply wrong with your relationship with your kids.
Re: Who could possibly have seen this coming?
Hm.
Re-reading my comment, I see that I could have, with equal justice, replaced “parents” with “government” and “kids” with “citizens”.
Re: Re: Who could possibly have seen this coming?
You could also have gone with employers and their employees. It wasn’t just nosy parents who bought into this.
Re: Re: Re: Who could possibly have seen this coming?
Yes.
Re: Who could possibly have seen this coming?
“They spy on hundreds of thousands of people (admittedly people without the legal right to object), and store all the data in one place.”
This.
Also, although it’s not related to this specific case, people forget about the stupid third party doctrine when they use this stuff. The third party doctrine means that any information a company is holding about you is not private. Storing sensitive information in third party services is asking for trouble.
Re: Interest in making fools of them...
…is, I suspect, less than the interest someone might have of the personal data of thousands of sweet, tasty children.
Re: Who could possibly have seen this coming?
I did. 😉 Right here, a few years ago:
How New Internet Spying Laws Will Actually ENABLE Stalkers, Spammers, Phishers And, Yes, Pedophiles & Terrorists
Granted, I was writing about governments, not corporations, but the exact same principles hold.
The problem with accumulating surveillance (or other) data on anyone/anything is that while you might think you’re building a useful resource for protection, you are also, invariably, building a very attractive target. I’ve started calling this the “meta-spy” problem, because it’s actually a very efficient and cheap approach for those looking to acquire data: (1) sit on your hands (2) wait for someone else to spend all the money and expend all the effort to perform data acquisition, storage, processing, etc. (3) when the time is right, copy it from them (4) use it (5) watch as they take the blame for what you’re doing.
In this particular case, the possible consequences are horrific — because so much of the data is apparently about children. Thus even if we presume that parents had the finest of intentions, and even if we agree with the method they chose, the end result is that they’ve put their children in much more danger than if they’d done nothing.
Exercise for the reader: how much tax-free income, conveniently stashed in a plain manila envelope, would one need to hand over to a well-placed system/network admin in order to receive a 4T external drive full of compressed data? After all, hacks/intrusions aren’t the only way to pull this off: sometimes the Old Ways are best.
Uncommonly honest
Well that pretty much says everything about their stance right there. They’re more upset they HAD to tell people about the data breach than they are about the data breach….
Re: Uncommonly honest
At least mSpy described them a situation:
But then they said information had been WAY TOO exaggerated.
I’m sure the people at mSpy would have preferred a normal amount of exaggeration.
Their marketing communications is as competent as their IT department’s lack of encryption in the database.
“There is no data of 400,000 of our customers on the web,” a spokeswoman for the company told the BBC. “We believe to have become a victim of a predatory attack, aimed to take advantage of our estimated commercial achievements.”
Phrasing sounds familiar from somewhere
“I triple guarantee you, there are no American soldiers in Baghdad.” – Muhammed Saeed al-Sahaf
Re: If he triple-dog guaranteed...
…then we’d know he was being serious and earnest.
Re: Re: If he triple-dog guaranteed...
I’m super serial about this
Re: Re: If he triple-dog guaranteed...
noob mistake right there. he should have jumped straight to the triple dog dare.
Re: Re:
I thought it means, “there is no way we would have 400,000 customers who must be stupid to be our customers”
And the end result will be: *Drumroll*
Nothing!
Parents and others will just go around and blame the hackers. They surely deserve some of the scorn, but they are not the main problem.
Some of them will think that they will never use ‘That’ company again and will just find another way to do the exact same. There won’t be a big debate about how maybe they could just communicate with and trust in their children so as to not put a stalker’s treasure trove of information up on the internet about them.
Yes, I am cynical, but these people have already proven that they think that they need to protect without regard for the protected, by throwing money at the “problem”, so as I see it, they deserve no great faith from me.
Just be sure to leave a golden key for the government to access through the front/back/side door, you know… for the children! With the government watching, you can finally rest easy at night knowing your children are safe and secure.
/sarcasm
I monitor my kids using iKeyMonitor and I don’t care who calls me nosy or invasive. There are lots of Internet horror stories on the TV and online. They are usually the products of kids not realizing the danger of the virtual world. They made arrangements to meet in real life, posted inappropriate pictures on the internet, etc. They don’t even trust their parents even if they get any troubles, instead, they will ask their online buddies for help, who may make use of your innocent children.
I can understand why parents would want to install spy software on their children’s computer/devices, but why would they choose one that sends that information back to the parent company?
Re: Re:
Because if you’re going to ignore the whole ‘parenting’ thing by handing the responsibility of teaching your kids responsible internet browsing to some third party, why go half-way? /s