mSpy, a phone surveillance app, recently experienced a data breach that exposed millions of its customers and the Ukrainian company behind it. The breach, which occurred in May 2024, involved the theft of customer support tickets containing personal information and documents. This incident is significant because it highlights the sensitive nature of the data involved in spyware operations.
mSpy is primarily marketed as a tool for tracking children or monitoring employees, but it is also commonly used without consent to monitor romantic partners. These types of apps, often referred to as “stalkerware,” allow individuals to remotely view the contents of someone’s phone in real-time. The leaked data revealed that mSpy’s customer records included emails from people seeking help with tracking their partners, relatives, or children. Notably, the dataset contained requests for customer support from high-ranking U.S. military personnel, a federal appeals court judge, a government watchdog, and a sheriff’s office.
It is important to note that the leaked Zendesk data only represents a portion of mSpy’s overall customer base, indicating that the number of customers affected by the breach is likely much higher. However, despite more than a month passing since the incident, mSpy’s owners, a Ukrainian company called Brainstack, have not acknowledged or publicly disclosed the breach.
The breach at mSpy is not an isolated incident; other phone spyware operations have also been targeted recently. This pattern underscores the fact that spyware makers cannot be trusted to secure their customers’ data or protect the privacy of their victims. Buying spyware is not illegal in itself, but using it without consent is unlawful. Spyware companies have faced legal action in the past, and authorities have banned them from the surveillance industry due to cybersecurity and privacy risks.
An analysis of the leaked dataset revealed that mSpy’s customers are located worldwide, with significant clusters in Europe, India, Japan, South America, the UK, and the US. The dataset also raised questions about the use of mSpy by US government officials, law enforcement agencies, police departments, and the judiciary. It remains unclear if any use of the spyware followed a legal process.
Furthermore, the breach exposed the parent company of mSpy, a Ukrainian tech company called Brainstack, which had previously managed to keep its operations hidden. The leaked data revealed that Brainstack employees were extensively involved in mSpy’s customer support, with records containing their real names and phone numbers. However, when contacted for comment, Brainstack’s CEO and senior executive did not respond.
It is currently unknown how mSpy’s Zendesk instance was compromised or by whom. Zendesk, the customer support system used by mSpy, denied any evidence of a compromise on their platform but did not address whether mSpy’s use of their system violated its terms of service.
Overall, the mSpy data breach highlights the risks associated with spyware operations and the need for stricter regulations to protect individuals’ privacy. It also serves as a reminder of the importance of cybersecurity measures and the potential consequences of using spyware without consent.