Mobile spyware mSpy leaks millions of customer support tickets containing personal data for the third time

Phone monitoring app mSpy has reportedly leaked personal information of millions of users and businesses that purchased access to the app over the past decade. This is the third time mSpy has leaked users' personal information since 2018.

Data breach exposes millions of mSpy spyware customers | TechCrunch
https://techcrunch.com/2024/07/11/mspy-spyware-millions-customers-data-breach/

mSpy is an app that allows you to monitor your children, partners, and subordinates by installing it on their smartphones. The person who installs mSpy can remotely view the contents of the target's cell phone in real time.

This time, a customer support system powered by spyware maker Zendesk was hacked, resulting in the theft of customer service records dating back to 2014. This is not the first time that mSpy has had its users' data leaked, with the information of millions of customers exposed in 2018.

Surveillance app mSpy leaks millions of customer details, second major leak in three years - GIGAZINE

Troy Hunt, who runs the data breach notification siteHave I Been Pwned?, reported that mSpy had leaked 318GB of customer data, including 2.4 million email addresses, customer support ticket subject lines and IP addresses, as well as user records such as credit card photos and nude selfies.

New sensitive breach: mSpy had 2.4M unique email addresses exposed in a 318GB breach last month. Data included name & IP address in user records & support tickets, plus photos of credit cards & nude selfies. 54% were already in @haveibeenpwned . More: https://t.co/3wTQtlBj13

— Have I Been Pwned (@haveibeenpwned) July 11, 2024

In addition, when TechCrunch, an IT news site, analyzed the data, it was found that some of the email addresses leaked were not only those of customers, but also those of people who were being monitored by customers. There was also a record of mSpy staff providing information about users suspected of kidnapping and murder to the FBI.

The data leak revealed that Zendesk's parent company is a Ukrainian technology company called Brainstack. TechCrunch points out that the leaked data included dozens of 'email addresses with Brainstack domains.' It also found that Brainstack employees used pseudonyms when replying to support tickets from mSpy customers.

When TechCrunch reached out to two Brainstack employees, both confirmed that their names were in the leaked data but declined to discuss the nature of their work.

A Zendesk spokesperson told TechCrunch that 'at this time, we have no evidence that the Zendesk platform has been compromised,' but did not say whether the privacy-invasive monitoring app mSpy violates the Zendesk platform's terms of service.

Maia Arson Crimew, the Swiss hacker who first revealed the leak, has provided the leaked dataset to a non-profit transparency organization 'in the public interest.'