iPhone spyware maker mSpy exposes millions of private records

According to KrebsonSecurity’s report iPhone spyware maker mSpy has accidentally exposed millions of private records on the web. Data exposed includes passwords, text messages, contacts, call logs. notes and location data.

mSpy, a company which makes spyware used by suspicious parents and partners to spy on iPhone usage. mSpy gives you the ability to browse messages shared on your child’s phone through platforms including Viber, WhatsApp, Skype, Facebook, SnapChat and more.

KrebsonSecurity’s report:

Less than a week ago, security researcher Nitish Shah directed KrebsOnSecurity to an open database on the Web that allowed anyone to query up-to-the-minute mSpy records for both customer transactions at mSpy’s site and for mobile phone data collected by mSpy’s software. The database required no authentication.

Before it was taken offline sometime in the past 12 hours, the database contained millions of records, including the username, password and private encryption key of each mSpy customer who logged in to the mSpy site or purchased an mSpy license over the past six months. The private key would allow anyone to track and view details of a mobile device running the software, Shah said.


mSpy was previously hacked, back in 2015, with customer data posted to the dark web. The company goes to some lengths to hide its own activities, including the country in which it is based. In the US, selling spyware is a criminal offence.

The spyware requires iCloud credentials in order to be set up, but no login was required to access the exposed data.