A data leak at phone monitoring service mSpy has exposed millions of customers who purchased access to phone spyware apps over the past decade, and the Ukrainian company behind them.
In May 2024, unknown attackers stole millions of customer support tickets from mSpy, including attachments such as personal information, emails to support, and personal documents. Hacking of spyware providers is becoming increasingly common, but it still attracts attention because the data often contains highly sensitive personal information – in this case, information about customers who use the service.
The hack included customer service records dating back to 2014 that were stolen from the spyware maker's Zendesk-powered customer support system.
mSpy is a phone monitoring app that is advertised as a way to track children and monitor employees. Like most spyware, this app is widely used to monitor people without their consent. This type of app is also known as “stalkerware” because it is often used by people in romantic relationships to spy on their partners without their consent or permission.
The mSpy app allows the spyware planter (usually someone who has had physical access to the victim's phone) to remotely view the contents of the phone in real time.
As is common with phone spyware, mSpy customer records contain emails from people seeking assistance in secretly tracking the phones of partners, relatives, and children, according to an exclusive review of the data by TechCrunch. These emails and messages include customer support requests from multiple senior U.S. military officials, a sitting U.S. federal appeals court judge, a U.S. government watchdog, and an Arkansas county sheriff's office seeking a free trial license for the app.
Even with millions of customer service tickets, the leaked Zendesk data likely represents only the portion of mSpy's customer base that contacted customer support, and the number of mSpy customers is likely much higher.
However, more than a month after the leak, mSpy's owner, Ukraine-based Brainstack, has yet to acknowledge or publicly disclose the breach.
Troy Hunt, who runs the data breach notification site Have I Been Pwned, obtained a copy of the entire leaked dataset and added approximately 2.4 million unique email addresses of mSpy customers to the site's catalogue of past data breaches.
Hunt told TechCrunch that he contacted several “Have I Been Pwned” subscribers with information about the breached data, and that the leaked data was confirmed to be accurate.
According to a list recently compiled by TechCrunch, mSpy is the latest phone spyware operation to be hacked in recent months. The mSpy breach shows once again that spyware makers cannot be trusted to keep data safe, whether it belongs to their customers or to their victims.
Millions of mSpy customer messages
TechCrunch analyzed the leaked dataset – more than 100GB of Zendesk records – which included millions of individual customer service tickets and their corresponding email addresses, as well as the content of those emails.
Some of the email addresses belonged to unwitting victims targeted by mSpy customers. The data also shows that several journalists contacted the company for comment after the company's last leak in 2018. US law enforcement agencies have also served or attempted to serve subpoenas and legal demands on mSpy on several occasions. In one case, after a brief email exchange, an mSpy representative provided FBI agents with billing and address information for an mSpy customer who was allegedly a suspect in a kidnapping and murder case.
Each ticket in the dataset contained a set of information about the people who contacted mSpy, and in many cases the data also included the sender's approximate location based on the IP address of their device.
TechCrunch analyzed where the customers who contacted mSpy were located by extracting all the location coordinates from the dataset and plotting the data with an offline mapping tool. The results show that mSpy customers are located all over the world, with large clusters in Europe, India, Japan, South America, the UK, and the US.
A visualization of location data points from the mSpy database, showing the customer's approximate location. Image credit: TechCrunch
While buying spyware is not illegal, selling it or using it to spy on others without their consent is. U.S. prosecutors have indicted spyware manufacturers in the past, and federal and state watchdogs have barred spyware companies from the surveillance industry, citing the cybersecurity and privacy risks spyware poses. Customers who plant spyware can also be prosecuted for wiretapping violations.
Emails in the leaked Zendesk data show that mSpy and its operators are well aware of what their customers are using the spyware for, including monitoring phones without the owner's knowledge. Among the requests is a customer asking how to remove mSpy from their partner's phone after their spouse found out. The dataset also raises questions about the use of mSpy by U.S. government officials, agencies, and law enforcement, as it is unclear whether that use of the spyware followed legal procedures.
According to the data, one of the email addresses belonged to Kevin Newsom, a sitting appellate judge on the United States Court of Appeals for the 11th Circuit, which covers Alabama, Georgia, and Florida, who used his official government email address to request a refund from mSpy.
Kate Adams, director of workplace relations for the U.S. Court of Appeals for the Eleventh Circuit, told TechCrunch, “Judge Newsom's use of mSpy was entirely in a personal capacity, addressing a family matter.” Adams did not answer specific questions about the judge's use of mSpy or whether those he monitored consented.
The dataset also shows interest in mSpy from U.S. authorities and law enforcement agencies: an email from an official at the Social Security Administration's Office of Inspector General, the watchdog tasked with oversight of federal agencies, asked an mSpy representative whether the watchdog could make use of mSpy in parts of its criminal investigations, without giving specifics.
When TechCrunch reached out to a spokesperson for the Social Security Administration's inspector general, the official declined to comment on why he inquired about mSpy on behalf of the agency.
The Arkansas County Sheriff's Department requested a free trial of mSpy in order to give nearby parents a demo of the software, but a sergeant with the department did not respond to TechCrunch's questions about whether he had the authority to contact mSpy.
The Company Behind mSpy
This is the third known data breach of mSpy since the company was founded around 2010. mSpy is one of the longest-running phone spyware businesses, which is one of the reasons the company has garnered so many customers.
Despite the size and scope of mSpy, its operators have managed to stay out of the public eye and largely escape scrutiny until now. It is not uncommon for spyware makers to conceal the real-world identities of their employees to protect their companies from the legal and reputational risks that come with global phone monitoring operations that are illegal in many countries.
However, the mSpy Zendesk data leak revealed that its parent company is a Ukrainian technology company called Brainstack.
Brainstack's website makes no mention of mSpy, and neither do its public job ads; it talks only about its work on unspecified “parental control” apps. But the internal Zendesk data dump reveals Brainstack's extensive and intimate involvement in mSpy's operations.
TechCrunch found records in the leaked Zendesk data containing information about dozens of employees with Brainstack email addresses, many of whom worked in customer support for mSpy, including responding to customer questions and refund requests.
The leaked Zendesk data includes the real names and, in some cases, phone numbers of Brainstack employees, as well as pseudonyms that employees used to hide their identities when replying to mSpy customer tickets.
When contacted by TechCrunch, two Brainstack employees confirmed that their names appeared in the leaked records but declined to discuss their work at Brainstack.
Brainstack CEO Volodymyr Sitnikov and senior executive Katerina Yurtchuk did not respond to multiple emails seeking comment before publication. Instead, an unnamed Brainstack representative did not dispute our reporting but declined to answer a series of questions for company executives.
It's not clear how mSpy's Zendesk instance was compromised, or by whom. The breach was first revealed by Swiss-based hacker Maia Arson Crimew, who later provided the data to DDoSecrets, a non-profit transparency organization that indexes leaked datasets for the public good.
Reached for comment, Zendesk spokesperson Courtney Blake told TechCrunch that “at this time, there is no evidence that the Zendesk platform has been compromised,” but did not address whether mSpy's use of Zendesk to support its spyware operation violated its terms of service.
“We are committed to upholding our user content and conduct standards and investigating alleged violations appropriately and following established procedures,” the spokesperson said.
If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) offers free, confidential support to victims of domestic abuse and violence 24/7. In an emergency, call 911. If you believe your phone has been compromised by spyware, the Coalition Against Stalkerware has resources.