mSpy: Data leak again exposes millions of stalkerware customers
A data leak involving the surveillance app mSpy has exposed millions of customers. These include US military personnel, judges and sheriffs.
The provider of the surveillance app mSpy is once again struggling with a massive data leak. The leak, which covers several hundred gigabytes, exposes several million users from Europe, India, Japan and North and South America who gained access to the commercially available spyware over the past ten years, reports TechCrunch. According to the online magazine, it viewed the sensitive information, which was obtained by "unknown attackers", "independently" of the cybercriminals. The gang is said to have stolen millions of customer support tickets from mSpy in May 2024. These included names, support emails and attachments, including personal documents such as identification. This makes it clear who wanted to shadow third parties using the application.
Among other things, mSpy logs websites visited, text messages, emails and calendar entries. Target persons can be located via GPS. The premium version even automatically sounds an alarm if the device being spied on leaves a certain radius of movement.
For a long time, it was unclear who was behind the app. According to the report, it is now clear from the compromised data that the operator and owner is the Ukrainian company Brainstack. The company advertises mSpy on a German marketing site "as the best cell phone tracking app for parental control". For a small subscription fee, customers regain their "peace of mind" and no longer have to lie awake at night. However, such apps are mainly considered stalkerware, as jealous partners in particular use them to monitor their better half without consent.
mSpy repeatedly struggles with data leaks
According to TechCrunch, the data leak includes records dating back to 2014 from the spyware maker's Zendesk-based customer support system. Some of these emails and messages included requests from several high-ranking members of the US military, a sitting judge of a US federal appeals court, a US departmental regulator and the sheriff's office of an Arkansas county. Some of these were requests for a free license to test the app. The total number of mSpy users is likely to be significantly higher, as not all of them contacted customer service. Potentially affected users can use the Have I Been Pwned platform to find out whether their email address is part of the data breach.
As early as 2015, unknown persons shared several hundred gigabytes of personal data of mSpy customers and their victims on the dark web. In 2018, there was another report that millions of confidential records from the monitoring service had been leaked online, including passwords, call logs, text messages, contacts, notes and location data. It is unclear to what extent the new breach involves more recent information.
(nie)