Data breach exposes millions of mSpy spyware customers
A data breach at phone surveillance operation mSpy has exposed millions of customers who bought access to the phone spyware app over the past decade, as well as the Ukrainian company behind it.
In May 2024, unknown attackers stole millions of customer support tickets from mSpy, including personal information, emails to support, and attachments including personal documents. While hacks of spyware providers are becoming increasingly common, they remain notable because of the highly sensitive personal information often included in the data, in this case about customers who use the service.
The hack included customer service records dating back to 2014, stolen from the spyware maker’s Zendesk-powered customer support system.
mSpy is a phone surveillance app that promotes itself as a way to track children or monitor employees. Like most spyware, it is widely used to monitor people without their consent. Such apps are also known as “stalkerware” because people in romantic relationships often use them to monitor their partner without consent or permission.
The mSpy app allows the person installing the spyware, usually someone who already has physical access to the victim’s phone, to remotely view the phone’s contents in real time.
As is common with phone spyware, mSpy’s customer records include emails from people seeking help in discreetly tracking the phones of their partners, relatives, or children, according to TechCrunch’s review of the data, which we independently obtained. Some of these emails and messages include requests for customer support from several senior US military personnel, a serving US federal appeals court judge, a US government department watchdog, and an Arkansas county sheriff’s office asking for a free license to test the app.
Although the leaked Zendesk data contains several million customer service tickets, it is believed to represent only the portion of mSpy’s overall customer base that reached out for customer support. The number of mSpy customers is likely far higher.
However, even more than a month after the breach, mSpy’s owners, a Ukraine-based company called Brainstack, have not acknowledged the breach or publicly disclosed it.
Troy Hunt, who runs data breach notification site Have I Been Pwned, obtained a copy of the entire leaked dataset, and added approximately 2.4 million unique email addresses of mSpy customers to his site’s list of past data breaches.
Hunt told TechCrunch that he contacted several of Have I Been Pwned’s customers about the leaked data, who confirmed that the leaked data was accurate.
mSpy is the latest phone spyware operation to be hacked in recent months, according to a recent list compiled by TechCrunch. The mSpy breach shows once again that spyware makers can’t be trusted to keep their data safe – whether it’s their customers’ or their victims’.
Millions of mSpy customer messages
TechCrunch analyzed the leaked dataset — containing more than 100 gigabytes of Zendesk records — which included millions of individual customer service tickets and their associated email addresses, as well as the contents of those emails.
Some of the email addresses belong to unwitting victims who were targeted by an mSpy customer. The data also shows that some journalists contacted the company for comment after its last known breach in 2018. And, on several occasions, US law enforcement agents filed or sought to file subpoenas and legal demands with mSpy. In one case, after a brief email exchange, an mSpy representative provided billing and address information about an mSpy customer – an alleged criminal suspect in a kidnapping and murder case – to an FBI agent.
Each ticket in the dataset contained an array of information about the people who contacted mSpy. In many cases, the data also included their approximate location based on the IP address of the sender’s device.
TechCrunch analyzed where the customers who contacted mSpy are located by extracting all location coordinates from the dataset and plotting the data in an offline mapping tool. The results show that mSpy’s customers are located all over the world, including large clusters in Europe, India, Japan, South America, the United Kingdom, and the United States.
Buying spyware itself is not illegal, but it is illegal to sell or use spyware to spy on someone without their consent. U.S. prosecutors have charged spyware manufacturers in the past, and federal authorities and state watchdogs have banned spyware companies from the surveillance industry, because spyware poses cybersecurity and privacy risks. Customers who install spyware may also face prosecution for violating wiretapping laws.
Emails in the leaked Zendesk data show that mSpy and its operators are well aware of what customers use the spyware for, including monitoring phones without the person’s knowledge. In some requests, customers ask how they can remove mSpy from their partner’s phone after their spouse finds out. The dataset also raises questions about the use of mSpy by US government officials and agencies, police departments, and the judiciary, as it is unclear whether due process of law was followed in any of the uses of the spyware.
According to the data, one of these email addresses belongs to Kevin Newsom, a serving appellate judge on the US Court of Appeals for the Eleventh Circuit covering Alabama, Georgia, and Florida, who used his official government email to request a refund from mSpy.
Kate Adams, director of workplace relations for the US Court of Appeals for the Eleventh Circuit, told TechCrunch: “Judge Newsom used it entirely in his personal capacity to address a family matter.” Adams declined to answer specific questions about the judge’s use of mSpy or whether the subjects of Newsom’s surveillance consented.
The dataset also appears to be of interest to US officials and law enforcement agencies. In an email sent by an employee of the Social Security Administration’s Office of Inspector General, a watchdog overseeing the federal agency, the employee asked an mSpy representative if the watchdog “could use this [mSpy] with people involved in some of our criminal investigations,” without specifying how.
When contacted by TechCrunch, a spokesperson for the Social Security Administration’s inspector general had no comment on why the employee inquired about mSpy on the agency’s behalf.
A sergeant at an Arkansas county sheriff’s department sought a free trial of mSpy, ostensibly to provide a demo of the software to neighborhood parents. That sergeant did not respond to TechCrunch’s question about whether they were authorized to contact mSpy.
The company behind mSpy
This is the third known mSpy data breach since the company was founded in 2010. mSpy is one of the longest-running phone spyware operations, which is why it has garnered so many customers.
Despite its size and reach, mSpy’s operators have remained hidden from public view and largely avoided scrutiny until now. It’s not uncommon for spyware makers to conceal the real-world identities of their employees to protect the company from the legal and reputational risks associated with running a global phone surveillance operation, which is illegal in many countries.
But mSpy’s Zendesk data breach exposed its parent company, a Ukrainian tech company called Brainstack.
There is no mention of mSpy on Brainstack’s website. Like its public job postings, Brainstack’s website only mentions its work on an unspecified “parental control” app. But internal Zendesk data dumps show that Brainstack is extensively and intimately involved in mSpy’s operations.
In the leaked Zendesk data, TechCrunch found records containing information about dozens of employees with Brainstack email addresses. Many of these employees were involved with mSpy customer support, such as answering customer questions and requests for refunds.
The leaked Zendesk data includes the real names and, in some cases, phone numbers of Brainstack employees, as well as false names they used when responding to mSpy customer tickets to conceal their identities.
When contacted by TechCrunch, two Brainstack employees confirmed their names as found in the leaked records, but declined to discuss their work with Brainstack.
Brainstack Chief Executive Volodymyr Sitnikov and senior executive Kateryna Yurchuk did not respond to multiple emails seeking comment before publication. Instead, a Brainstack representative who asked not to be named did not dispute our reporting but declined to answer a list of questions for company executives.
It is unclear how or by whom mSpy’s Zendesk instance was compromised. The breach was first disclosed by Switzerland-based hacker maia arson crimew, and the data was later made available to DDoSecrets, a nonprofit transparency collective that indexes leaked datasets in the public interest.
When reached for comment, Zendesk spokesperson Courtney Blake told TechCrunch: “At this time, we have no evidence that Zendesk has had its platform compromised,” but did not say whether mSpy’s use of Zendesk for its spyware operations was a violation of its terms of service.
“We are committed to upholding our user content and conduct policies and investigating allegations of violations appropriately and in accordance with our established procedures,” the spokesperson said.
If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides free, confidential support 24/7 to victims of domestic abuse and violence. If you are in an emergency, call 911. The Coalition Against Stalkerware has resources if you think your phone has been infected with spyware.