Spyware firm SpyFone leaves customer data, recordings exposed online

Thousands of spyware users and those being monitored have had their information leaked to the public domain.
Written by Charlie Osborne, Contributing Writer

Spyware is morally dubious software, and yet, business is booming.

This particular form of malware comes in various forms including keyloggers, modular software capable of taking screenshots, malicious code able to view and steal content such as photos and videos, as well as recorders of text messages, phone calls, and browser histories.

It is not just government entities or law enforcement which uses such covert software to spy on targets -- the general public has a use for it, too.

No matter the user, you would think that the companies responsible for developing spyware would do their utmost to protect the information collected on behalf of their customers.

However, it appears that an oversight by spyware developer SpyFone has led to the online leak of terabytes of data belonging not just to customers but also their targets.

California-based SpyFone, marketed as the world's "number one parental monitoring software," also boldly links to articles which describe the offerings as a way for employers to "protect [their] company from inappropriate usage" and to give spouses "peace of mind."

The company says it takes as little as 15 minutes to install the spyware on a target device and there is no indication given to those being watched that anything is amiss with their handsets, which are monitored remotely.

Spyfone's software is able to monitor smartphone activity including SMS messages being sent, record calls, and slurp information from apps including Skype and Whatsapp. One variant of the firm's solution also offers live viewing to customers.

CNET: Exactis said to have exposed 340 million records, more than Equifax breach

However, this month, the spyware firm's customers have now had their own information leaked alongside their victims after a researcher uncovered an Amazon S3 bucket belonging to the company which had been left unprotected.

Misconfigurations allowed the leak of photos, audio, recordings, text messages, and browsing history. In addition, GPS data, IMEI numbers, names, hashed passwords, and device information was included in the breach.

Speaking to Motherboard, the researcher, who chose to remain anonymous, said he was able to create administrator accounts and view customer data due to a lack of backend security. SpyFone allegedly also left an API unprotected, which could allow anyone able to guess the URL to view an up-to-date list of customers.

The information has been added to Troy Hunt's data compromise search engine Have I Been Pwned, includes terabytes of data which appears to belong to thousands of SpyFone customers.

It is not possible to use the platform to pull this information, but rather, you can check to see whether information belonging to you has been leaked based on an email address.

See also: Mexicans served with Dark Tequila in spyware spree

The data "included 44,000 unique email addresses, many likely belonging to people the targeted phones had contact with," Hunt says.

A SpyFone spokesperson confirmed the leak to the publication and said the incident impacted over two thousand customers. The spokesperson also expressed relief that a researcher had found the weak security point and said SpyFone was investigating the incident.

TechRepublic: 8 steps to take within 48 hours of a data breach

Nanowires, silver, and AI: The future of our smartphones (in pictures)

Previous and related coverage

Editorial standards