A data breach at the phone surveillance operation mSpy has exposed millions of its customers who bought access to the phone spyware app over the past decade, as well as the Ukrainian company behind it.
Unknown attackers stole millions of customer support tickets, including personal information, emails to support, and attachments, including personal documents, from mSpy in May 2024. While hacks of spyware purveyors are becoming increasingly common, they remain notable because of the highly sensitive personal information often included in the data, in this case about the customers who use the service.
The hack encompassed customer service records dating back to 2014, which were stolen from the spyware maker’s Zendesk-powered customer support system.
mSpy is a phone surveillance app that promotes itself as a way to track children or monitor employees. Like most spyware, it is also widely used to monitor people without their consent. These kinds of apps are also known as “stalkerware” because people in romantic relationships often use them to surveil their partner without consent or permission.
The mSpy app allows whoever planted the spyware, typically someone who previously had physical access to a victim’s phone, to remotely view the phone’s contents in real-time.
As is common with phone spyware, mSpy’s customer records include emails from people seeking help to surreptitiously track the phones of their partners, relatives, or children, according to TechCrunch’s review of the data, which we independently obtained. Some of those emails and messages include requests for customer support from several senior-ranking U.S. military personnel, a serving U.S. federal appeals court judge, a U.S. government department’s watchdog, and an Arkansas county sheriff’s office seeking a free license to trial the app.
Even after amassing several million customer service tickets, the leaked Zendesk data is thought to represent only the portion of mSpy’s overall customer base who reached out for customer support. The number of mSpy customers is likely to be far higher.
Yet more than a month after the breach, mSpy’s owners, a Ukraine-based company called Brainstack, have not acknowledged or publicly disclosed the breach.
Troy Hunt, who runs data breach notification site Have I Been Pwned, obtained a copy of the full leaked dataset, adding about 2.4 million unique email addresses of mSpy customers to his site’s catalog of past data breaches.
Hunt told TechCrunch that he contacted several Have I Been Pwned subscribers with information from the breached data, who confirmed to him that the leaked data was accurate.
mSpy is the latest phone spyware operation in recent months to have been hacked, according to a recently compiled list by TechCrunch. The breach at mSpy shows once again that spyware makers cannot be trusted to keep their data secure — either that of their customers or their victims.
Millions of mSpy customer messages
TechCrunch analyzed the leaked dataset — more than 100 gigabytes of Zendesk records — which contained millions of individual customer service tickets and their corresponding email addresses, as well as the contents of those emails.
Some of the email addresses belong to unwitting victims who were targeted by an mSpy customer. The data also shows that some journalists contacted the company for comment following the company’s last known breach in 2018. And, on several occasions, U.S. law enforcement agents filed or sought to file subpoenas and legal demands with mSpy. In one case following a brief email exchange, an mSpy representative provided the billing and address information about an mSpy customer — an alleged criminal suspect in a kidnapping and homicide case — to an FBI agent.
Each ticket in the dataset contained an array of information about the people contacting mSpy. In many cases, the data also included their approximate location based on the IP address of the sender’s device.
TechCrunch analyzed where mSpy’s contacting customers were located by extracting all of the location coordinates from the dataset and plotting the data in an offline mapping tool. The results show that mSpy’s customers are located all over the world, with large clusters across Europe, India, Japan, South America, the United Kingdom, and the United States.
Buying spyware is not itself illegal, but selling or using spyware for snooping on someone without their consent is unlawful. U.S. prosecutors have charged spyware makers in the past, and federal authorities and state watchdogs have banned spyware companies from the surveillance industry, citing the cybersecurity and privacy risks that the spyware creates. Customers who plant spyware can also face prosecution for violating wiretapping laws.
The emails in the leaked Zendesk data show that mSpy and its operators are acutely aware of what customers use the spyware for, including monitoring of phones without the person’s knowledge. Some of the requests cite customers asking how to remove mSpy from their partner’s phone after their spouse found out. The dataset also raises questions about the use of mSpy by U.S. government officials and agencies, police departments, and the judiciary, as it is unclear if any use of the spyware followed a legal process.
According to the data, one of the email addresses pertains to Kevin Newsom, a serving appellate judge for the U.S. Court of Appeals for the Eleventh Circuit across Alabama, Georgia, and Florida, who used his official government email to request a refund from mSpy.
Kate Adams, the director of workplace relations for the U.S. Court of Appeals for the Eleventh Circuit, told TechCrunch: “Judge Newsom’s use was entirely in his personal capacity to address a family matter.” Adams declined to answer specific questions about the judge’s use of mSpy or whether the subject of Newsom’s surveillance consented.
The dataset also shows interest from U.S. authorities and law enforcement. An email from a staffer at the Office of the Inspector General for the Social Security Administration, a watchdog tasked with oversight of the federal agency, asked an mSpy representative if the watchdog could “utilize [mSpy] with some of our criminal investigations,” without specifying how.
When reached by TechCrunch, a spokesperson for the Social Security Administration’s inspector general did not comment on why the staffer inquired about mSpy on behalf of the agency.
The Arkansas County sheriff’s department sought free trials of mSpy, ostensibly for providing demos of the software to neighborhood parents. That sergeant did not respond to TechCrunch’s question about whether they were authorized to contact mSpy.
The company behind mSpy
This is the third known mSpy data breach since the company began in around 2010. mSpy is one of the longest-running phone spyware operations, which is in part how it accumulated so many customers.
Despite its size and reach, mSpy’s operators have remained hidden from public view and have largely evaded scrutiny — until now. It’s not uncommon for spyware makers to conceal the real-world identities of their employees to shield the company from legal and reputational risks associated with running a global phone surveillance operation, which is illegal in many countries.
But the data breach of mSpy’s Zendesk data exposed its parent company as a Ukrainian tech company called Brainstack.
Brainstack’s website does not mention mSpy. Much like its public open job postings, Brainstack only refers to its work on an unspecified “parental control” app. But the internal Zendesk data dump shows Brainstack is extensively and intimately involved in mSpy’s operations.
In the leaked Zendesk data, TechCrunch found records containing information about dozens of employees with Brainstack email addresses. Many of these employees were involved with mSpy customer support, such as responding to customer questions and requests for refunds.
The leaked Zendesk data contains the real names and in some cases the phone numbers of Brainstack employees, as well as the false names that they used when responding to mSpy customer tickets to hide their own identities.
When contacted by TechCrunch, two Brainstack employees confirmed their names as they were found in the leaked records, but declined to discuss their work with Brainstack.
Brainstack chief executive Volodymyr Sitnikov and senior executive Kateryna Yurchuk did not respond to multiple emails requesting comment prior to publication. Instead, a Brainstack representative, who did not provide their name, did not dispute our reporting but declined to provide answers to a list of questions for the company’s executives.
It’s not clear how mSpy’s Zendesk instance was compromised or by whom. The breach was first disclosed by Switzerland-based hacker maia arson crimew, and the data was subsequently made available to DDoSecrets, a nonprofit transparency collective that indexes leaked datasets in the public interest.
When reached for comment, Zendesk spokesperson Courtney Blake told TechCrunch: “At this time, we have no evidence that Zendesk has experienced a compromise of its platform,” but would not say if mSpy’s use of Zendesk for supporting its spyware operations violated its terms of service.
“We are committed to upholding our User Content and Conduct Policy and investigate allegations of violations appropriately and in accordance with our established procedures,” the spokesperson said.
If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides 24/7 free, confidential support to victims of domestic abuse and violence. If you are in an emergency situation, call 911. The Coalition Against Stalkerware has resources if you think your phone has been compromised by spyware.
Comment