Data Breach Exposes Millions of mSpy Spyware Customers

A data breach at cell phone surveillance outfit mSpy exposed the information of millions of customers who purchased access to the phone spyware app over the past decade, as well as the Ukrainian company behind it.

In May 2024, unknown attackers stole millions of customer support tickets from mSpy, including attachments containing personal information, support emails, and personal documents. Hacks of spyware vendors are becoming more common, but this case is still noteworthy because the data often contains highly sensitive personal information about customers who use their services.

The hack included customer service records from the spyware creator's Zendesk-based customer support system dating back to 2014.

mSpy is a phone monitoring app that is marketed as a way to track children or monitor employees. Like most spyware, it is widely used to monitor people without their consent. This type of app is also known as “stalkerware” because people in romantic relationships often use it to monitor their partners without their consent or permission.

The mSpy app allows the person who installed the spyware, usually someone who previously had physical access to the victim's phone, to remotely view the contents of the phone in real time.

As is common with phone spyware, mSpy’s customer records contain emails from people asking for help in secretly tracking the phones of their partners, relatives, or children, according to data obtained independently by TechCrunch. Some of these emails and messages come from several high-ranking U.S. military personnel, a sitting U.S. Federal Appeals Court judge, and a U.S. government watchdog, and they include a customer support request from an Arkansas County Sheriff’s Office asking for a license to try the app for free.

Even with millions of customer service tickets, the leaked Zendesk data is believed to represent only a small portion of mSpy’s overall customer base, namely those who have requested customer support. The number of mSpy customers is likely much higher.

But more than a month after the breach, mSpy's owner, Ukraine-based Brainstack, has yet to acknowledge or publicly disclose the breach.

Troy Hunt, who runs the data breach notification site Have I Been Pwned, obtained a copy of the entire leaked data set and added approximately 2.4 million unique email addresses of mSpy customers to his site’s catalog of past data breaches.

Hunt told TechCrunch that he passed along information gleaned from the leaked data to several Have I Been Pwned subscribers, who confirmed that the leaked data was accurate.

According to a recent list compiled by TechCrunch, mSpy is the latest phone spyware operation to be hacked in recent months. The mSpy breach once again shows that spyware makers are not good at keeping their customers’ or victims’ data safe.

Millions of mSpy customer messages

TechCrunch analyzed the leaked data set, which contained over 100 gigabytes of Zendesk records, including millions of individual customer service tickets, their corresponding email addresses, and the content of those emails.

Some of the email addresses belong to unwitting victims targeted by mSpy customers. The data also shows that some journalists have contacted the company for comment since the company’s last breach in 2018. And on several occasions, US law enforcement agents have served or attempted to serve subpoenas and legal demands on mSpy. In one case, after a brief email exchange, an mSpy representative provided FBI agents with the billing and address information of an alleged mSpy customer who was a suspect in a kidnapping and murder case.

Each ticket in the data set contains an array of information about the person who contacted mSpy. In many cases, the data also included the approximate location based on the IP address of that person’s device.

TechCrunch extracted all location coordinates from the dataset and plotted the data in an offline mapping tool to analyze where the customers who contacted mSpy are located. The results show that mSpy’s customers are located all over the world, with large clusters in Europe, India, Japan, South America, the UK, and the US.

[Image: Map of location data points from the mSpy database, showing roughly where its customers are located around the world, including Europe, India, Japan, South America, the UK, and the US. Image source: TechCrunch]

While buying spyware itself is not illegal, selling or using spyware without someone’s consent is. U.S. prosecutors have prosecuted spyware creators in the past, and federal and state surveillance agencies have banned spyware companies from the surveillance industry, citing cybersecurity and privacy risks posed by spyware. Customers who install spyware can also be prosecuted for violating wiretapping laws.

The emails in the leaked Zendesk data show that mSpy and its operators are keenly aware of what customers are using the spyware for, namely monitoring phones without the owner’s knowledge. Some of the requests are about how customers can remove mSpy from their partner’s phone after the spouse finds out. The data set also raises questions about the use of mSpy by US government officials and agencies, police departments, and the judiciary, as it is unclear whether that use of the spyware was legally authorized.

According to the data, one of the email addresses belongs to Kevin Newsom, an appellate judge for the 11th Circuit Court of Appeals, which covers Alabama, Georgia, and Florida, who used an official government email to request a refund from mSpy.

Kate Adams, director of workplace relations for the 11th Circuit Court of Appeals, told TechCrunch that “Judge Newsom’s use was entirely in his personal capacity to address family matters.” Adams did not respond to specific questions about the judge’s use of mSpy or whether the subjects of Newsom’s monitoring consented.

The data set also shows interest from U.S. authorities and law enforcement. An email from an employee of the Social Security Administration’s Office of the Inspector General, the watchdog agency that oversees federal agencies, asks an mSpy representative if “(mSpy) could be utilized in some criminal investigations,” but does not specify how.

When TechCrunch reached out to a spokesperson for the Social Security Administration’s Office of the Inspector General, the employee would not comment on why she was inquiring about mSpy on behalf of the agency.

The Arkansas County Sheriff’s Office requested a free trial of mSpy to provide neighborhood parents with a demo of the software. The sheriff did not respond to TechCrunch’s inquiry about whether he had the authority to contact mSpy.

The company that made mSpy

This is the third known mSpy data breach since the company began operations around 2010. mSpy is one of the longest-running phone spyware companies, which has allowed it to gain a lot of customers.

Despite its size and scope, mSpy’s operators have remained hidden from public view and have largely escaped scrutiny until now. It is not uncommon for spyware makers to hide the real identities of their employees to protect their companies from the legal and reputational risks associated with running a global phone surveillance operation, which is illegal in many countries.

However, mSpy's Zendesk data leak revealed that its parent company is a Ukrainian tech company called Brainstack.

Brainstack’s website doesn’t mention mSpy. Brainstack only mentions work on an unspecified “parental control” app, as does its public job posting. However, the leaked Zendesk data shows that Brainstack is extensively and closely involved in mSpy’s operations.

In leaked Zendesk data, TechCrunch found records containing information about dozens of employees with Brainstack email addresses, many of whom were involved in mSpy customer support, including responding to customer questions and refund requests.

The leaked Zendesk data included real names and, in some cases, phone numbers of Brainstack employees, as well as pseudonyms they used to hide their identities when responding to mSpy customer tickets.

Two Brainstack employees who responded to TechCrunch's inquiries confirmed their names in the leaked records, but declined to discuss their work with Brainstack.

Brainstack CEO Volodymyr Sitnikov and senior executive Kateryna Yurchuk did not respond to multiple emails requesting comment before publication. Instead, an unnamed Brainstack representative did not dispute our reporting but declined to answer a list of questions for the company’s executives.

It is unclear how or by whom mSpy’s Zendesk instance was compromised. The breach was first disclosed by Switzerland-based hacker Maia Arson Crimew, and the data was later released to DDoSecrets, a non-profit transparency group that indexes leaked data sets for the public good.

When reached for comment, Zendesk spokesperson Courtney Blake told TechCrunch, “At this time, Zendesk has no evidence that any of its platforms were compromised,” but would not comment on whether mSpy’s use of Zendesk to support its spyware operation violated its terms of service.

“We adhere to our User Content and Conduct Policy and are committed to investigating alleged violations appropriately and in accordance with our established procedures,” the spokesperson said.


If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides free, confidential support 24 hours a day, 7 days a week to victims of domestic violence and abuse. If it’s an emergency, call 911. If you think your phone is infected with spyware, the Coalition Against Stalkerware has resources.