Customer Service Emails Dating Back to 2014 Exposed in May Breach
A significant data breach at mSpy, a phone surveillance operation, has compromised millions of its customers’ data, exposing personal information accumulated over the past decade. The breach also affected the Ukrainian company behind mSpy.
In May 2024, unknown attackers stole millions of customer support tickets, including emails, personal documents, and other sensitive information, from mSpy. While hacks of spyware companies are becoming more common, they are particularly concerning due to the highly sensitive nature of the data involved.
The stolen data includes customer service records dating back to 2014, which were taken from mSpy’s Zendesk-powered support system. mSpy, a phone surveillance app, is marketed for tracking children or monitoring employees but is often used without consent, earning it the label “stalkerware.” The app allows users to remotely view the contents of a phone in real time.
Emails obtained in the breach revealed that some customers sought help to secretly monitor their partners, relatives, or children. Among the customers were senior-ranking U.S. military personnel, a federal appeals court judge, a U.S. government watchdog, and an Arkansas county sheriff’s office seeking a trial of the app.
Despite the severity of the breach, mSpy’s parent company, Brainstack, has not acknowledged or publicly disclosed the incident. The leaked data, obtained by Troy Hunt of “Have I Been Pwned,” included approximately 2.4 million unique email addresses of mSpy customers.
Hunt confirmed the data’s accuracy by contacting several subscribers affected by the breach. This incident is the latest in a series of hacks targeting phone spyware operations, highlighting the inability of these companies to secure sensitive data.
The breached dataset, over 100 gigabytes of Zendesk records, contained millions of customer service tickets and their corresponding email addresses. Some of these emails belonged to unwitting victims targeted by mSpy customers. The data also included emails from journalists and law enforcement agents seeking information or making legal requests.
The emails revealed that mSpy was aware of how its customers were using the spyware. Some customers even sought help to remove mSpy from their partners’ phones after being discovered.
This is the third known breach of mSpy’s data since its inception around 2010. Despite its size and reach, mSpy’s operators have largely remained hidden, with Brainstack’s website only referring to an unspecified “parental control” app.
The internal Zendesk data identified Brainstack employees involved in mSpy’s operations, revealing their real names and contact information. When contacted, Brainstack employees confirmed their identities but declined to discuss their work.
The exact method of the breach remains unclear, as does the identity of the attackers. The breach was initially disclosed by Swiss hacker maia arson crimew and made available to DDoSecrets, a nonprofit transparency collective. A Zendesk spokesperson stated there is no evidence of a compromise in their platform, though they are investigating the allegations.