Find My iPhone app
mSpy allows customers to track the locations of smartphone users as well as what apps they use, see what photos they take and even monitor every word they type or speak Apple

An investigative journalist claims that smartphone spying software service mSpy has been hacked and personal details of 400,000 of its customers have been posted on the dark web.

mSpy is a service which allows users to monitor the activities of someone else's smartphone and is advertises as a way of "keeping your children safe and your employees efficient". It lets those using it to monitor someone's location, what apps they use, see what photos they take and record every word they type or speak.

Well-known and respected journalist Brian Krebs, who specialises in cyber-security reporting and - the dark web in particular - claims that mSpy's customer database has been hacked and "a huge trove of data" has been posted on the dark web, only accessible via Tor.

IBTimes UK has seen the post on the dark web but an update published on 15 May says that downloads have been "temporarily disabled" though no reason was given. One record remains with the name, home address, email address and other details of one mSpy customer though the huge cache of data is not available.

There is a crazy amount of personal and sensitive data in this cache
- Brian Krebs

The anonymous hacker claimms the leak is "a full database" from mSpy's website including more than 400,000 users and featuring highly sensitive information like Apple IDs and associated passwords, tracking data, payment details, photos and more security information.

Krebs, who was sent a link to the post by a source, says the Tor-based site hosts hundreds of gigabytes of data "taken from mobile devices running mSpy's products, including some four million events logged by the software".

Krebs adds that from his investigations of the data dump, one thing is clear:

"There is a crazy amount of personal and sensitive data in this cache, including photos, calendar data, corporate email threads, and very private conversations. Also included in the data dump are thousands of support request emails from people around the world who paid between $8.33 to as much as $799 for a variety of subscriptions to mSpy's surveillance software."]

IBTimes UK has been unable to independently verify that validity of the claims.

In the UK, a 12-month subscription for a single smartphone monitoring service cost £60 while a "family kit" allowing you to monitor up to five devices (smartphone, tablet, laptop, desktop etc) will cost you £531.

No evidence of a leak

Krebs said that numerous requests for comment from the company were not returned. IBTimes UK has also contacted the company for an official comment, but at the time of publication had not received a response.

However, on Friday, 15 May (a day after the report was published) we spoke to customer service representatives in the company's London call centre and online through the company's website chat function. They said they had been briefed about the situation and had been dealing with calls from worried customers who had read the report.

The spying company is telling its customers that there had been no breach of customer data, with the representative on the phone claiming such an attack was "not actually possible" because of the security measures the company has in place.

The company was clearly aware of Krebs' report, pointing out that one of the screenshots used in the report was from a demo version of mSpy which was freely available on its website. The representatives went as far as claiming the story had been fabricated.

"There is really no evidence of the leak" representative are telling mSpy's customers before adding that customers should not worry.

When asked why this report from a respected journalist had appeared if there was no truth to it, both representatives suggested it was the work of one of its competitors out to discredit the company. "We think it is a piece of black marketing," the online representative said. They added that the report was being investigated by people authorised to do so, and its lawyers.

iCloud credentials

mSpy is headquartered in Mountain View, California with a call centre based in London and according to its website has over 1,000,000 customers around the world.

While the company advertises its software as being aimed at protecting children, one of the main uses of this type of software has been to spy on partners believed may be cheating.

mSpy can be installed on a non-jailbroken iPhone without even needing access to the physical phone itself as long as they have the iCloud credentials – though, as mSpy helpfully points out, "monitoring features may be limited with this solution option".

The company adds: "However, there may be some instances where physical access may be necessary. If you purchase mSpy for a jailbroken iOS phone or tablet, you will need 5-15 minutes of physical access to the device for successful installation."

Customers looking to review the data captured by the spying software can log on to their very own personalised Control Panel on the mSpy website from anywhere in the world.

mSpy helps those who don't want husbands or wives finding out that they are using it by listing it as AVANGATE in bank statements

Like any app developer, mSpy is continually looking to upgrade its offering, and a recent update now allows it to monitor Snapchat, Line and Facebook Messenger.