mSpy is used to collect tracking, payment and conversation info from relatives.
Payment details, Apple credentials and even private conversations belonging to 400,000 people may have been exposed in a cyberattack on a software service that lets people spy on their families.
Hackers claiming to have gained access to mSpy, which collects data from people’s mobile devices, are thought to have dumped the information onto the Deep Web, which is not indexed by search engines and has to be accessed through anonymous services such as Tor.
Brian Krebs, a security reporter who found the data haul, said that there was "a crazy amount of personal and sensitive data" within the collection, including details of private conversations and corporate email threads.
He noted that the dump consisted of "several hundred gigabytes worth of data" that was allegedly taken from mSpy’s products, including some four million event logs.
Whilst mSpy has been contacted to comment on the veracity of the data and how it plans to respond to the allegations, it has yet to reply.
Documents from Companies House in London show that both of mSpy’s directors Pavel Daletski and Aleksey Fedorchuk are British citizens involved in the software industry, though the company also has sales offices in the US and Germany.
CBR has passed information onto the Information Commissioner’s Office, but the data regulator has yet to comment on the matter.
Trey Ford, global security strategist at Rapid7, said: "I think the most interesting aspect of this breach is that people being spied on were having their information stolen by one party, and it’s now moving rapidly through the underground.
"Not only is the legality of installing this software questionable, but those who have the software on their devices have had their lives laid out in an un-contained information disclosure – it’s highly unlikely the victims of this crime will understand the extent of the damage for a very long time, if ever."