
In the distant era before mobile phones were everywhere, spying on the Internet use of your fellow household members was relatively straightforward, because their access to the Internet stayed in one place. But with cell phones, you can take the Internet with you everywhere, and store it in your pocket, so what's a nosy privacy violator to do?

It turns out that there's a whole cottage industry of mobile spyware apps designed to close the gap -- and their reputations for data security are sketchy at best. In fact, it almost looks like these apps are an exercise in hoovering up as much private information as possible, for the purpose of surfing through it for entertainment purposes.


Just a few weeks ago, we reported on SpyHuman, a spyware vendor whose subpar site security exposed hundreds of millions of pieces of data. And today, cybersecurity veteran Brian Krebs reported on his blog that another such company, mSpy, is leaking data too, for the second time in three years. And this time, it's on another level.

One of the most important aspects of user data privacy is compartmentalization. This makes sure that the employees of the company that's securing your data only have access to the user information that they need to do their jobs. Companies can get in big trouble when anyone from an intern to Bob in accounting can readily access a database containing sensitive customer data.

The lapses in these areas are one reason why end-to-end encryption is shooting up in popularity, and why apps like Signal default to not allowing you to take screenshots.

Now, imagine if you could access a large chunk of mSpy's database without even needing a username or password. No checks to make sure that you're an employee or a customer. You don't have to be an expert hacker, either. You just need to have the right URL.

Krebs reports that he received just such a URL last week, from fellow cybersecurity watchdog Nitish Shah, and he was able to access "millions of records," including usernames, passwords, and encryption keys for mSpy's customers; a six-month record of every mSpy purchase; iCloud logins and authentication tokens; WhatsApp and Facebook messages; and email addresses and street addresses.


Furthermore, Shah reports that he was ignored and rebuffed when he contacted mSpy about this latest flood of publicly viewable spyware data.

Thankfully, the database was taken down after repeated inquiries, but the damage was done. And given mSpy's sketchy past, this probably isn't the last time we'll be hearing about them in the news.

Krebs goes on to detail several years of naughty behavior at mSpy headquarters -- wherever it may be. Its office location is actually a bit of a mystery as well. Documents variously point to Jacksonville, Florida; Mountain View, California; and even the Seychelles. Krebs also reminds us that these sorts of apps are literally illegal in the United States, which is why you won't find mSpy on the Google Play Store or iOS App Store.

And judging by this latest news, you shouldn't go looking for it, either.

The takeaways

  • The spyware vendor mSpy recently employed very poor security to protect its customer data, exposing millions of user accounts to anyone who had access to a specific URL.
  • mSpy was not making any attempt to verify that the user of the URL was authorized to access the database; no password or user name was necessary to obtain these records, which include text messages, home addresses, and payment information.


Tom McNamara is a Senior Editor for CNET's Download.com. He mainly covers Windows, mobile and desktop security, games, Google, streaming services, and social media. Tom was also an editor at Maximum PC and IGN, and his work has appeared on CNET, PC Gamer, MSN.com, and Salon.com. He's also unreasonably proud that he's kept the same phone for more than two years.