A data breach at the phone monitoring operation mSpy has exposed millions of its customers who purchased access to the phone spy app over the past decade, as well as the Ukrainian company behind it.
Unknown attackers stole millions of customer support tickets including personal information, support emails and attachments including personal documents from mSpy in May 2024. Spyware vendor hacks are becoming more common. They remain notable because of the highly sensitive personal information often included in the data, in this case about customers using the service.
The hack involved customer service records dating back to 2014, which were stolen from the spyware maker’s Zendesk customer support system.
mSpy is a phone monitoring app that advertises itself as a way to track children or monitor employees. Like most spyware, it is also widely used to monitor people without their consent. These types of apps are also known as “stalkerware” because people in relationships often use them to monitor their partners without their consent or permission.
The mSpy app allows the person who implanted the spyware, usually someone who previously had physical access to a victim’s phone, to remotely view the contents of the phone in real time.
As is common with cell phone spy software, mSpy’s customer records include emails from people seeking help secretly tracking the phones of their partners, loved ones, or children, according to TechCrunch’s analysis of the data, which we obtained independently. Some of these emails and messages include requests for customer support from several high-ranking U.S. military personnel, a sitting U.S. federal appeals judge, a U.S. government watchdog, and an Arkansas County Sheriff’s Office asking for a free license to test the app.
Even with millions of customer service tickets, the leaked Zendesk data represents only the portion of mSpy’s overall customer base that contacted customer support. The number of mSpy customers is likely much higher.
Yet, more than a month after the breach, mSpy’s owners, a Ukraine-based company called Brainstack, have not publicly acknowledged or disclosed the breach.
Troy Hunt, who runs data breach notification site Have I Been Pwned, obtained a copy of the entire leaked data set, adding approximately 2.4 million unique email addresses of mSpy customers to the site’s catalog of past data breaches.
Hunt told TechCrunch that he contacted several Have I Been Pwned subscribers with information from the hacked data, who confirmed to him that the leaked data was accurate.
mSpy is the latest phone spyware operation to be hacked in recent months, according to a list recently compiled by TechCrunch. The mSpy security breach shows once again that spyware makers cannot be trusted to keep their data safe, whether that of their customers or their victims.
Millions of mSpy customer messages
TechCrunch analyzed the leaked dataset — more than 100 gigabytes of Zendesk records — which contained millions of individual customer service tickets and their corresponding email addresses, as well as the content of those emails.
Some of the email addresses belong to unknowing victims who were targeted by an mSpy client. The data also shows that some journalists contacted the company for comment following the company’s latest known breach in 2018. U.S. law enforcement agencies filed or sought to file subpoenas and legal demands against mSpy on several occasions. In one instance, following a brief email exchange, an mSpy representative provided the billing and address information of an mSpy customer (an alleged suspect in a kidnapping and homicide case) to an FBI agent.
Each ticket in the dataset contained a set of information about the people contacting mSpy. In many cases, the data also included their approximate location based on the IP address of the sender’s device.
TechCrunch analyzed the location of customers who contacted mSpy by extracting all location coordinates from the dataset and plotting the data in an offline mapping tool. The results show that mSpy customers are located all over the world, with large groups in Europe, India, Japan, South America, the United Kingdom, and the United States.
Purchasing spyware is not illegal in itself, but selling or using spyware to spy on someone without their consent is illegal. U.S. prosecutors have accused spyware makers in the past, and federal authorities and state oversight bodies have banned spyware companies from the surveillance industry, citing the cybersecurity and privacy risks such software creates. Customers who install spyware may also face prosecution for violating wiretapping laws.
The emails in the leaked Zendesk data show that mSpy and its operators are well aware of the reasons why customers are using the spyware, including monitoring phones without the person’s knowledge. Some of the requests come from customers asking how to remove mSpy from their partner’s phone after the partner discovers it. The data set also raises questions about the use of mSpy by U.S. government officials and agencies, police departments, and the judiciary, as it is unclear whether the use of the spyware followed any legal process.
According to the data, one of the email addresses is for Kevin Newsom, a sitting appellate judge for the United States Court of Appeals for the Eleventh Circuit in Alabama, Georgia, and Florida, who used his official government email to request a refund from mSpy.
Kate Adams, director of labor relations at the U.S. Court of Appeals for the Eleventh Circuit, told TechCrunch, “Judge Newsom’s use was entirely in his personal capacity to handle a family matter.” Adams declined to answer specific questions about the judge’s use of mSpy or whether the subject of Newsom’s surveillance had consented.
The dataset also shows interest from U.S. authorities and law enforcement. An email from a member of the Social Security Administration’s Office of Inspector General, a watchdog charged with oversight of the federal agency, asked an mSpy representative if the watchdog could “use (mSpy) in some of our criminal investigations,” without specifying how.
When contacted by TechCrunch, a spokesperson for the Social Security Administration’s inspector general did not comment on why the employee inquired about mSpy on behalf of the agency.
The Arkansas County Sheriff’s Department requested free trials of mSpy, ostensibly to provide demonstrations of the software to neighborhood parents. The sergeant did not respond to TechCrunch’s question about his permission to contact mSpy.
The Company Behind mSpy
It is the third known mSpy data breach. Since the company started around 2010, mSpy has been one of the longest-running phone spy operations, which is part of the reason it has amassed so many customers.
Despite its size and reach, mSpy’s operators have remained hidden from the public eye and have largely escaped scrutiny – until now. It’s not uncommon for spyware creators to conceal the real identities of their employees to protect the company from the legal and reputational risks associated with running a global phone surveillance operation, which is illegal in many countries.
But mSpy’s Zendesk data breach revealed that its parent company was a Ukrainian tech company called Brainstack.
Brainstack’s website doesn’t mention mSpy. Like its publicly available job listings, Brainstack only refers to its work on an unspecified “parental control” app. But internal Zendesk data shows that Brainstack is closely and extensively involved in mSpy’s operations.
In the leaked Zendesk data, TechCrunch found records containing information about dozens of employees with Brainstack email addresses. Many of these employees were involved in mSpy customer support, such as answering customer questions and refund requests.
The leaked Zendesk data contains the real names and in some cases phone numbers of Brainstack employees, as well as the fake names they used to respond to mSpy customer tickets to hide their own identities.
Contacted by TechCrunch, two Brainstack employees confirmed their names as they appeared in the leaked documents, but declined to discuss their work with Brainstack.
Brainstack CEO Volodymyr Sitnikov and CEO Katerina Yurchuk did not respond to multiple emails seeking comment before publication. Instead, a Brainstack representative, who did not give his name, did not dispute our report but declined to provide answers to a list of questions sent to company executives.
It’s unclear exactly how the Zendesk instance of mSpy was compromised or by whom. The breach was first disclosed by Swiss hacker Maia Arson Crimew, and the data was later made available to DDoSecrets, a nonprofit transparency collective that indexes leaked datasets in the public interest.
Reached for comment, Zendesk spokesperson Courtney Blake told TechCrunch, “At this time, we have no evidence that Zendesk has suffered a compromise of its platform,” but would not comment on whether mSpy’s use of Zendesk to support its spyware operations violated its terms of service.
“We are committed to upholding our policies regarding user content and conduct and investigating allegations of violations appropriately and in accordance with our established procedures,” the spokesperson said.
If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) offers free, confidential support 24 hours a day, 7 days a week to victims of domestic violence and abuse. If you are in an emergency situation, call 911. The Coalition Against Stalkerware has resources if you suspect your phone has been compromised by spyware.