Millions of mSpy Spyware App Customers Exposed via Third-Party Zendesk Chat Support

• Customer service emails from the last decade belonging to mSpy were exposed in an unclaimed May breach.
• Almost 2.4 million unique emails from the spyware app database were leaked by hacktivists recently.
• Hackers apparently managed to steal the huge data trove via the Zendesk third-party service.

US-based phone surveillance app mSpy was hit by a data breach that exposed company data and the details of almost 2.4 million of its past-decade customers stolen from the third-party Zendesk service, which offers customer support via chat. Hacktivists managed to obtain and publish this data breach in May 2024, but it has not been claimed yet.

The spyware app owned by Ukraine-based company Brainstack, which has remained hidden and evaded scrutiny until now, is marketed to parents and companies that want to monitor their kids and employees, respectively. However, its wider use is as stalkerware installed on romantic partners’ phones without permission.

Breach notification service Have I Been Pwned verified and added 2,394,179 compromised accounts to its database on July 11. The breach saw some 142 gigabytes of user details and support tickets, as well as 176 gigabytes of over 500 million attachments.

The personal information includes email addresses, IP addresses, names, and private photos like financial transaction screenshots, credit card photos, and nude selfies, while the employee data contains Brainstack workers' real names, work emails, and, in some cases, phone numbers. 

Some customer tickets also included the user’s approximate location, with the dataset analysis showing exposed clients came from Europe, India, Japan, South America, the U.K., and the U.S.

Hacker Maia Arson Crimew first disclosed the security incident and made it available to the nonprofit leaked datasets indexer DDoSecrets. Zendesk declared the chat support service owner has no evidence of a breach. The Brainstack website does not mention mSpy, and the company has not acknowledged or publicly disclosed the leak.