Skip to Content
Security & privacy

Popular spying app leaks millions of sensitive records

Most of the spy apps available now are marketed as surefire ways for parents to keep tabs on their kids, but there is no limit on what they can do.

These stealthy apps can also be used by spouses, family members, or even suspicious employers to spy on specific targets. (If someone seems to magically know a little too much about your day to day activities, your phone may have been “bugged.”)

But what if the spy is the one that’s being secretly spied on? According to a new report, that’s exactly what happened to this popular spying software service!

Read on and see why millions of people are now at risk with this latest data breach.

Major database leak

Computer security blog KrebsOnSecurity reports that mSpy, the company that makes popular spying apps and software, has leaked millions of sensitive personal records online.

What is mSpy? mSpy’s technology allows its paid subscribers to monitor the activity and data of smartphones where its software is secretly installed.

Launched in 2013, the app is marketed toward parents who want to keep an eye on their kids but it can also be installed by an untrusting spouse or employer who got a hold of your smartphone. Note: To install the software, the “spy” needs physical access to the device.

The software records phone conversations, logs GPS location, reads texts, views browsing activity and it can even monitor a phone’s statistics such as battery life.

mSpy customers can also view saved videos and photos, see the phone’s list of installed apps, view the calendar, notes and even see messages uploaded to sites like Facebook and WhatsApp.

As we warned you about earlier, although spyware apps like mSpy are useful ways for parents to keep tabs on their children — if the data falls into the wrong hands, it can be disastrous.

Concerned about your child’s safety on social media? Watch this free Komando video as Kim gives advice on how to protect your children’s privacy online.

What happened?

According to KrebsOnSecurity, they were informed by a security researcher named Nitish Shah about an open online database that contained customer transactions and mobile phone data collected by mSpy’s software.

The problem? The database was unsecured and it apparently required no authentication to access.

Although the exposed database is now offline, it allowed anyone to look up real-time mSpy records for both customer transactions at mSpy’s site and for mobile phone data collected by mSpy’s software.

This means anyone who had knowledge of the breach could have accessed the millions of personal records at any time while the database was still online. And wow, the wealth of personal data exposed is staggering!

What was exposed?

The sensitive records included passwords, call logs, text messages, contacts, notes and location data collected secretly from smartphones running the spyware.

The leak also included the Apple iCloud username, references to iCloud backup files and authentication tokens of smartphones running mSpy, plus messages uploaded to Facebook and WhatsApp from the bugged phones.

Had enough? Sadly, it doesn’t stop there. Other records exposed the transaction details of all mSpy licenses purchased over the last six months, including customer name, email address, mailing address and the amounts paid.

Wait, there’s more. The database also included mSpy user logs which revealed the browser and internet address information of people visiting the mSpy Web site.

mSpy’s response

Shah told KrebsOnSecurity that when he tried to alert mSpy, which reportedly has offices in the U.S., Germany and the U.K., the company’s live support team ignored and even blocked him.

“I was chatting with their live support, until they blocked me when I asked them to get me in contact with their CTO or head of security,” Shah recalled.

KrebsOnSecurity finally alerted mSpy about the unsecured database on Aug. 30 and the security blog’s head, Brian Krebs, eventually received an email reply from mSpy’s chief security officer named “Andrew.”

“We have been working hard to secure our system from any possible leaks, attacks, and private information disclosure,” Andrew wrote in the email.

“All our customers’ accounts are securely encrypted and the data is being wiped out once in a short period of time. Thanks to you we have prevented this possible breach and from what we could discover the data you are talking about could be some amount of customers’ emails and possibly some other data. However, we could only find that there were only a few points of access and activity with the data.”

Although this statement sounds reassuring, no one really knows how many individuals had knowledge about the exposed database.

KrebsOnSecurity noted that this is not the first time that mSpy has exposed data.

In May 2015, mSpy was hacked and its customer data was posted on the Dark Web. Although mSpy initially denied the breach, it later acknowledged the incident.

How to protect yourself against spying apps

This breach sounds bad, but maybe you shouldn’t be using these shady spyware applications in the first place. Keep in mind that mSpy is not the only spying game in town.

Tap or click here for other smartphone apps that could be listening and watching you right now.

To prevent your phone from being infected with spying apps, here are a few suggestions you can do:


It’s simple to install a spying app on Android once you get past the lock screen, so make sure you have the lock screen turned on and no one knows the PIN, password or pattern.

You can make it a bit harder by blocking third-party apps from installing. Go to Settings>>Security and uncheck the Unknown Sources option. It won’t stop a really knowledgeable snoop, but it could stump less-savvy ones.


In the past, installing non-iTunes third-party apps on an Apple gadget meant jailbreaking it. Jailbreaking is a fancy term for getting full access to iOS so you can get around Apple’s safeguards.

The process is different for every version of iOS and takes some time and knowledge to pull off, so Apple gear was always relatively safe. However, some spy apps, notably mSpy, don’t need a jailbroken gadget anymore, as long as the snoop has your AppleID to log into iCloud.

If you have iCloud backup turned on, the person doesn’t even need your phone. Granted, a non-jailbroken gadget won’t give up as much information as a jailbroken one, but it’s still a lot.

So it’s a good idea to keep your Apple ID a closely guarded secret. On the plus side, if someone does use this method, you just have to change your Apple ID password to lock them out.

Still, there’s the chance that your snooper might try the old-fashioned method of jailbreaking. Again, if you keep your phone in sight and have your lock screen enabled with a solid PIN, it makes this nearly impossible.

Instead of a four-digit PIN, choose a six-digit numeric code, a custom numeric code, or a custom alphanumeric code.

Even a 5- or 6-digit PIN is exponentially safer than a 4-digit code — as long as it’s not 123456. For ultimate safety, try a password that’s a combination of letters, numbers and symbols. Aim for at least eight characters.

Important: If you think a spy app is installed on your phone, do a factory reset of your phone — after you back up your information, of course. It’s inconvenient, but it will give you peace of mind.

Note:  We recommend our sponsor IDrive. IDrive lets you backup all of your devices, whether you have a Mac, PC, Android, iPad or iPhone. And, you can conveniently manage your backups through a single online account. Go to and use promo code Kim to receive an exclusive offer.

Refer friends, earn rewards

Share your source of digital lifestyle news, tips and advice with friends and family, and you'll be on your way to earning awesome rewards!

Get started