A data breach at the phone surveillance operation mSpy has compromised the personal information of millions of customers who purchased access to the phone spyware app over the past decade, as well as the Ukrainian company behind it.
In May 2024, unknown attackers stole millions of customer support tickets, which included personal information, support emails, and attachments containing personal documents from mSpy. While hacks of spyware vendors are becoming increasingly common, they remain significant due to the highly sensitive personal data involved, including that of the service's customers.
The breach affected customer service records dating back to 2014, stolen from the spyware maker’s Zendesk-powered customer support system.
mSpy is a phone surveillance app marketed as a tool to track children or monitor employees. However, like most spyware, it is frequently used to monitor people without their consent. These apps are also known as "stalkerware" because they are often used by individuals in romantic relationships to surveil their partners without permission.
The mSpy app allows the person who installed the spyware, typically someone with prior physical access to the victim’s phone, to remotely view the phone’s contents in real-time.
As is common with phone spyware, mSpy’s customer records include emails from individuals seeking assistance to secretly track the phones of their partners, relatives, or children. TechCrunch’s review of the data, which was independently obtained, revealed that some emails and messages came from high-ranking U.S. military personnel, a serving U.S. federal appeals court judge, a U.S. government department’s watchdog, and an Arkansas county sheriff’s office requesting a free license to trial the app.
Despite the vast number of customer service tickets leaked, the data is believed to represent only a fraction of mSpy’s total customer base who contacted customer support. The actual number of mSpy customers is likely much higher.