mSpy Data Breach
mSpy Mobile Stalkerware Platform Breach (2024): 2.4 Million Operator Accounts & Support Tickets Exposed :: Targets' Data Also Accessible
Mobile device monitoring and parental control application.
Risk Interpretation
Extremely sensitive. Exposure can reveal both the monitored person and the purchaser, enabling stalking, extortion, domestic abuse escalation, and severe privacy harm.
Impact & Downstream Threats
The institutional impact on mSpy and parent company Brainstack has been significant. The breach publicly identified Brainstack as mSpy's parent company for the first time, creating reputational and potential regulatory exposure that the company had previously avoided through corporate-structure obscurity. The case has been formally cited as illustrating the persistent and recurring failure of consumer-grade spyware vendors to secure customer and victim data, alongside earlier mSpy breaches in 20
- Targeted phishing campaigns using exposed email addresses
Threat Vectors
Breach Intelligence
Executive Summary
mSpy, a mobile surveillance and parental-control application owned by Ukraine-based Brainstack, suffered a data breach in May 2024 when unidentified attackers exfiltrated approximately 318 gigabytes of data from mSpy's Zendesk-powered customer support system, including customer support tickets dating back to 2014. The leaked dataset was made publicly available in June 2024 by hacker Maia Arson Crimew through the nonprofit transparency collective DDoSecrets, and was independently verified by TechCrunch and other security researchers. The breach was indexed by Have I Been Pwned on July 11, 2024. Despite extensive public reporting, mSpy and parent company Brainstack did not publicly acknowledge the breach.
The breach affected approximately 2,394,179 unique customer email addresses based on records indexed by Have I Been Pwned. Compromised data included email addresses, IP addresses, names, customer support ticket conversations, photographs, and more than 500,000 attachments totaling 176 gigabytes. The attachments included screenshots of financial transactions, photographs of credit cards (some partially obfuscated), and nude selfies (predominantly of women), apparently included in customer support requests for various reasons. The customer support tickets themselves contained extensive disclosures about the customers' surveillance activities, including requests for help installing mSpy on partners', children's, and employees' devices and instructions on how to remove mSpy from a partner's phone after the spouse discovered the surveillance. The dataset also exposed information about Brainstack employees, including real names and false names used when responding to customer tickets, providing significant insight into the operational structure of the company.
For surveillance targets and customers alike, the practical risk profile is exceptionally severe and varies between the two populations. For surveillance targets (the people whose devices were being monitored), inclusion in the dataset confirms a surveillance relationship that was likely established without consent, with the U.S. National Domestic Violence Hotline (1-800-799-7233) and the Coalition Against Stalkerware providing resources for affected individuals. For customers, inclusion in the dataset confirms participation in a stalkerware operation, with potential employment, relationship, and legal consequences that vary by jurisdiction; customers in U.S. military, judicial, government, or law enforcement roles whose participation has been documented may face additional security clearance and professional consequences. Some affected emails belong to journalists who contacted mSpy and to U.S. law enforcement filing legal demands rather than to customers. The exposure of nude selfies and credit card photographs creates additional payment-fraud and intimate-image-extortion risk. Affected customers who provided credit card information to mSpy should monitor card statements and consider replacement cards. Affected users who receive extortion attempts should not pay ransom demands because payment does not stop further extortion.
About mSpy
mSpy is a mobile and computer monitoring application marketed for parental control and employee monitoring across Android, iOS, Windows, and macOS platforms. The application has been operating since approximately 2010 and is widely classified as stalkerware because of its persistent use for non-consensual surveillance of romantic partners, despite its parental-control marketing. mSpy's owner was publicly revealed through this 2024 breach to be Brainstack, a Ukraine-based information-technology company whose public website does not mention mSpy and whose job postings refer only to an unspecified 'parental control app.' Capabilities include tracking GPS location, viewing web history, and accessing photos, videos, emails, SMS, Skype, WhatsApp, and keystrokes. As a stalkerware platform, mSpy maintains two distinct populations of data: customer accounts and the surveillance content captured from monitored devices.
Why They Hold Your Data
Stalkerware platforms collect customer identity, billing records, target-device identifiers, monitoring settings, and exfiltrated device activity tied to covert phone surveillance.
Recent Developments
The 2024 mSpy breach was the third documented mSpy security incident, following earlier breaches in 2015 and 2018. mSpy and parent company Brainstack did not publicly acknowledge or disclose the 2024 breach, even after more than a month had passed and the dataset had been verified by TechCrunch and other independent security researchers. The leaked dataset was disclosed by hacker Maia Arson Crimew (the same researcher who documented the pcTattletale breach) and made available to the nonprofit transparency collective DDoSecrets. Have I Been Pwned indexed the breach on July 11, 2024 with 2,394,179 unique email addresses. The breach is particularly notable for revealing the involvement of senior U.S. government and law enforcement personnel as mSpy customers, including senior-ranking U.S. military personnel, a serving U.S. federal appeals court judge, a U.S. government department's watchdog, and an Arkansas county sheriff's office.
Data Points Exposed
Canonical Fields
email_address, full_name, ip_address, profile_photo:general_photo
Dark Web Verification
- Dataset containing ~2.4M records identified in breach intelligence sources
- Data indexed and searchable across breach notification platforms
- Source: mSpy (2024) Data Breach
Recommended Actions
⚠️ Do not assume this is low sensitivity.
Powered by the ObscureIQ Breach Intelligence Database
© 2026 ObscureIQ · All Rights Reserved · Data Licensing
