The widely used phone spyware application, mSpy, has recently fallen victim to a massive data breach, exposing the confidential information of millions of its customers. This breach, which was disclosed by Switzerland-based hacker Maia Arson Crimew, involved the leak of over 100 gigabytes of Zendesk records. These records contained a plethora of individual customer service tickets, email addresses, and the contents of those emails.
The leaked data revealed that mSpy’s customers are dispersed globally, with significant clusters in Europe, India, Japan, South America, the United Kingdom, and the United States. Troy Hunt, the operator of the data breach notification site Have I Been Pwned, confirmed the accuracy of the leaked data by adding about 2.4 million unique email addresses of mSpy customers to his site’s database.
This breach has sparked serious concerns regarding the security and ethical implications of spyware applications. It sheds light on the risks associated with spyware applications, which are often promoted for parental control but can be easily misused for unauthorized surveillance.
The leaked data not only included customer information but also details of unsuspecting individuals who were targeted by mSpy users. Analysis of the dataset revealed that some journalists had reached out to mSpy following a previous breach in 2018. Additionally, U.S. law enforcement agents had either filed or intended to file subpoenas and legal demands with mSpy. The leaked emails also showed instances of mSpy’s operators being aware of the spyware’s misuse.
Brainstack, the Ukrainian tech company behind mSpy, has opted to remain largely silent about the breach. Despite the substantial customer base, Brainstack has not publicly acknowledged the incident. The leaked Zendesk data exposed Brainstack’s involvement in mSpy’s operations, showcasing records of employees using false names to respond to customer inquiries.
When contacted by TechCrunch, Brainstack employees verified their names as found in the leaked records but refrained from discussing their work. Brainstack’s CEO, Volodymyr Sitnikov, and senior executive, Kateryna Yurchuk, did not respond to multiple requests for comment. A Brainstack representative declined to answer questions but did not challenge the reporting.
Zendesk, the platform utilized by mSpy for customer support, claimed to have found no evidence of a compromise on their platform. However, they did not clarify whether mSpy’s use of Zendesk violated their terms of service.
The breach serves as a stark reminder of the vulnerabilities and ethical concerns surrounding spyware applications. With the compromised data of millions of customers at stake, this incident underscores the necessity for more stringent regulations and oversight of spyware operations. As authorities and watchdogs delve deeper into the matter, the breach highlights the potential dangers associated with surveillance technology.