mSpy, a mobile surveillance and parental-control application operating from 2010 onward, suffered a data breach in May 2015 when unidentified attackers exfiltrated several hundred gigabytes of data from mSpy's systems and posted it to a Tor-based hidden service after mSpy reportedly refused to pay an extortion demand. The breach was first reported by security journalist Brian Krebs (KrebsOnSecurity) on May 14, 2015 after Krebs received an anonymous link pointing to the Tor-hosted data. The breach was indexed by Have I Been Pwned on May 28, 2015. mSpy initially denied the breach but the legitimacy of the leaked data was confirmed by Brian Krebs through direct contact with affected mSpy customers whose information appeared in the dataset.

The breach affected approximately 700,000 unique customer records based on records indexed by Have I Been Pwned, with hackers claiming the dataset included data on more than 400,000 users with payment details on approximately 145,000 successful transactions. Compromised data included Apple IDs and passwords, tracking data, payment information, photos, calendar data, corporate email threads, private conversations, and approximately four million logged surveillance events captured by the mSpy software. The dataset also included thousands of customer support request emails from people around the world who paid between approximately $8.33 and $799 for various mSpy subscription tiers. Critically, the leaked data included surveillance content captured from monitored target devices in addition to customer-account data, exposing both populations.

For surveillance targets and customers alike, the practical risk profile is exceptionally severe and varies between the two populations. For surveillance targets (the people whose devices were being monitored), the breach exposed live and historical device data including photos, communications, calendar entries, and personal conversations that may have been collected without their knowledge or consent. Many targets are likely domestic-violence victims and individuals whose partners, family members, or employers installed the software covertly. The U.S. National Domestic Violence Hotline (1-800-799-7233) and the Coalition Against Stalkerware provide resources for individuals who suspect they may have been monitored. For customers (the people who purchased mSpy to surveil others), the breach exposed their identification as someone who purchased and used surveillance software, with potential employment, relationship, and legal consequences depending on the jurisdiction and the consent status of the surveillance target. Affected customers who provided Apple ID credentials should immediately change those passwords, enable two-factor authentication on their Apple Account, and review and remove unrecognized devices from their account because the Apple ID exposure may extend beyond mSpy itself. Affected users who receive extortion attempts referencing the 2015 mSpy data should not pay ransom demands because payment does not stop further extortion.

Stalkerware platforms collect customer identity, billing records, target-device identifiers, monitoring settings, and exfiltrated device activity tied to covert phone surveillance.

The 2015 mSpy breach was the first of three documented mSpy security incidents, followed by additional breaches in 2018 and 2024. mSpy initially denied the 2015 breach when contacted by reporters, with a customer service representative claiming that an attack was 'not actually possible' because of the company's security measures and suggesting that the report was a competitor smear campaign. Brian Krebs of KrebsOnSecurity verified the breach by independently contacting affected mSpy customers whose data appeared in the leaked dataset and confirming the legitimacy of the data with them directly. mSpy subsequently quietly remediated the incident without public acknowledgment of the breach. The 2018 and 2024 breaches indicate that mSpy's underlying security posture remained inadequate over the subsequent decade.