mSpy data breach exposes millions of customers’ information

mSpy, a phone surveillance app provider, has fallen victim to a substantial data breach, exposing millions of customer support tickets and sensitive personal information. This breach, which occurred in May 2024, has compromised about 100 GB of data dating back to 2014, revealing the extensive customer base and operations of the Ukraine-based company Brainstack, the entity behind mSpy.

The cybersecurity incident resulted in the unauthorised access and exfiltration of many customer assistance logs from the company’s online support platform. The compromised data encompassed various sensitive materials, including personal documentation, email exchanges, and attached files that chronicled interactions between users and the company’s customer service representatives, reports TechCrunch.

The exposed information included correspondence from high-ranking United States military members, a senior judicial figure from a federal appellate court, and various branches of the U.S. government, including law enforcement agencies.

This disclosure shows how widespread the use of surveillance software is, extending beyond private citizens to include governmental bodies and officials in positions of authority.

The unauthorised disclosure of information has inadvertently revealed the company’s far-reaching international clientele. The exposed data indicates that users of this surveillance software are spread across multiple continents, including various European countries, South American regions, India, the United Kingdom, Japan, and throughout the United States.

The sheer volume of compromised information is staggering, with the total data surpassing 100 GB. This extensive cache includes many individual customer support interactions and associated email addresses.

The software had a pretty high-profile clientele, as the leaked data show.

Using spyware like mSpy for unauthorised surveillance is illegal, and U.S. prosecutors have previously taken action against spyware manufacturers. The leaked emails reveal that mSpy was well aware of the illicit use of its software. Some customers sought assistance in secretly monitoring others’ phones, while others requested help in removing the spyware after being discovered.

In the wake of this significant data exposure, the affected company and its parent organisation have yet to issue any public statement or acknowledgement regarding the incident. This silence is particularly concerning given the highly sensitive nature of the compromised information.

Troy Hunt, an independent cybersecurity researcher known for operating Have I Been Pwned, has verified the leak’s authenticity. The expert’s website has incorporated over 2 million unique email addresses from the exposed dataset, allowing individuals to check if their information was compromised.

However, it’s important to note that this figure likely represents only a fraction of the company’s total user base, as the leaked data primarily consists of individuals who contacted customer support.

The company’s lack of official response raises questions about corporate responsibility and transparency in the face of major security incidents. It also highlights the challenges in accurately assessing the full extent of such breaches, as the true scale of affected users may be significantly larger than what the leaked support records suggest.

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me