mSpy 2024 Data Breach

mSpy Mobile Stalkerware Platform Breach (2024): 2.4 Million Operator Accounts & Support Tickets Exposed :: Targets' Data Also Accessible | ObscureIQ
ObscureIQ Breach Intelligence

Classification Tags

Unknown (DDoSecrets release via Maia Arson Crimew) · Spyware · Email Address · Full Name · IP Address · Profile Photo
High Severity · Website / service breach

Mobile device monitoring and parental control application.

Verified by ObscureIQ Intelligence
Breach Risk Index: 72/100
Data Value: 40
Market Recency: 25
Since Breach: 655d

Breach Intelligence Summary

Entity: mSpy · Actor: Unknown (DDoSecrets release via Maia Arson Crimew) · Sources: 5 references
Attack: Unknown
Profile: Spyware / Stalkerware · Covert device monitoring and surveillance · Mobile spyware platform · Global
Timeline: Breach (2015-05-14) · Indexed (Jul 11, 2024) · Year (2024)
Exposure: 2.4M records · 4 fields: Email Address, Full Name, IP Address, Profile Photo
Status: Confirmed

Executive Summary

mSpy, a mobile surveillance and parental-control application owned by Ukraine-based Brainstack, suffered a data breach in May 2024 when unidentified attackers exfiltrated approximately 318 gigabytes of data from mSpy's Zendesk-powered customer support system, including customer support tickets dating back to 2014. The leaked dataset was made publicly available in June 2024 by hacker Maia Arson Crimew through the nonprofit transparency collective DDoSecrets, and was independently verified by TechCrunch and other security researchers. The breach was indexed by Have I Been Pwned on July 11, 2024. Despite extensive public reporting, mSpy and parent company Brainstack did not publicly acknowledge the breach.

The breach affected approximately 2,394,179 unique customer email addresses based on records indexed by Have I Been Pwned. Compromised data included email addresses, IP addresses, names, customer support ticket conversations, photographs, and more than 500,000 attachments totaling 176 gigabytes. The attachments included screenshots of financial transactions, photographs of credit cards (some partially obfuscated), and nude selfies (predominantly of women), apparently included in customer support requests for various reasons. The customer support tickets themselves contained extensive disclosures about the customers' surveillance activities, including requests for help installing mSpy on partners', children's, and employees' devices and instructions on how to remove mSpy from a partner's phone after the spouse discovered the surveillance. The dataset also exposed information about Brainstack employees, including real names and false names used when responding to customer tickets, providing significant insight into the operational structure of the company.

For surveillance targets and customers alike, the practical risk profile is exceptionally severe and varies between the two populations. For surveillance targets (the people whose devices were being monitored), inclusion in the dataset confirms a surveillance relationship that was likely established without consent, with the U.S. National Domestic Violence Hotline (1-800-799-7233) and the Coalition Against Stalkerware providing resources for affected individuals. For customers, inclusion in the dataset confirms participation in a stalkerware operation, with potential employment, relationship, and legal consequences that vary by jurisdiction; customers in U.S. military, judicial, government, or law enforcement roles whose participation has been documented may face additional security clearance and professional consequences. Some affected emails belong to journalists who contacted mSpy and to U.S. law enforcement filing legal demands rather than to customers.

The exposure of nude selfies and credit card photographs creates additional payment-fraud and intimate-image-extortion risk. Affected customers who provided credit card information to mSpy should monitor card statements and consider replacement cards. Affected users who receive extortion attempts should not pay ransom demands because payment does not stop further extortion.

ObscureIQ assessment: Extremely sensitive. Exposure can reveal both the monitored person and the purchaser, enabling stalking, extortion, domestic abuse escalation, and severe privacy harm.

Breach Impact

The institutional impact on mSpy and parent company Brainstack has been significant. The breach publicly identified Brainstack as mSpy's parent company for the first time, creating reputational and potential regulatory exposure that the company had previously avoided through corporate-structure obscurity. The case has been formally cited as illustrating the persistent and recurring failure of consumer-grade spyware vendors to secure customer and victim data, alongside earlier mSpy breaches in 2015 and 2018. The exposure of senior U.S. government and military personnel as customers raises distinct national security concerns because mSpy installations on devices belonging to spouses or family members of cleared personnel may have themselves created surveillance entry points exploitable by foreign intelligence services. Civil litigation and regulatory action have been limited despite the third recurring breach. The reputational impact has concentrated within the broader stalkerware industry and across Brainstack's other product lines.

About mSpy

mSpy is a mobile and computer monitoring application marketed for parental control and employee monitoring across Android, iOS, Windows, and macOS platforms. The application has been operating since approximately 2010 and is widely classified as stalkerware because of its persistent use for non-consensual surveillance of romantic partners, despite its parental-control marketing. mSpy's owner was publicly revealed through this 2024 breach to be Brainstack, a Ukraine-based information-technology company whose public website does not mention mSpy and whose job postings refer only to an unspecified 'parental control app.' Capabilities include tracking GPS location, viewing web history, accessing photos, videos, emails, SMS, Skype, WhatsApp, and keystrokes. As a stalkerware platform, mSpy maintains two distinct populations of data: customer accounts and the surveillance content captured from monitored devices.

Why They Hold Your Data

Stalkerware platforms collect customer identity, billing records, target-device identifiers, monitoring settings, and exfiltrated device activity tied to covert phone surveillance.

Recent Developments

The 2024 mSpy breach was the third documented mSpy security incident, following earlier breaches in 2015 and 2018. mSpy and parent company Brainstack did not publicly acknowledge or disclose the 2024 breach, even after more than a month had passed and the dataset had been verified by TechCrunch and other independent security researchers. The leaked dataset was disclosed by hacker Maia Arson Crimew (the same researcher who documented the pcTattletale breach) and made available to the nonprofit transparency collective DDoSecrets. Have I Been Pwned indexed the breach on July 11, 2024 with 2,394,179 unique email addresses. The breach is particularly notable for revealing the involvement of senior U.S. government and law enforcement personnel as mSpy customers, including senior-ranking U.S. military personnel, a serving U.S. federal appeals court judge, a U.S. government department's watchdog, and an Arkansas county sheriff's office.

Data Points Exposed

4 verified field types
  • Email Address
  • Full Name (High)
  • IP Address
  • Profile Photo

Exploitation & Downstream Threats

Threat Activity: High
Primary downstream threats:
  • Targeted phishing campaigns using exposed email addresses
Threat vectors:
  • Phishing, credential stuffing & account takeover
  • Name-based social engineering
  • Geolocation & account flagging
  • Deepfake & identity document fraud
  • Facial recognition & physical identification

Threat Actor: Unknown (DDoSecrets release via Maia Arson Crimew)

Attribution and method are based on available breach intelligence. Reported attack vector: Unknown.

Recommended Actions

If you believe your information may be included:

  • Enable MFA Everywhere: Turn on multi-factor authentication on email first, then financial accounts.
  • Report & Recover: If you spot misuse, start an official recovery plan and report fraud.

Frequently Asked Questions

What happened in the mSpy breach?

mSpy, a mobile surveillance and parental-control application owned by Ukraine-based Brainstack, suffered a data breach in May 2024 when unidentified attackers exfiltrated approximately 318 gigabytes of data from mSpy's Zendesk-powered customer support system, including customer support tickets…

What data was exposed?

Verified fields include Email Address, Full Name, IP Address, Profile Photo.

What should I do if I was affected?

Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.

Sources & References

Every claim on this page is traceable. This breach draws on:

  • Have I Been Pwned (Breach Index): Record & field corroboration
  • 9ghz (Cross-source): Independent catalogue listing
  • BreachForums_Official_Index (Cross-source): Independent catalogue listing
  • Keeper (Cross-source): Independent catalogue listing
  • ObscureIQ proprietary analysis (ObscureIQ Intelligence): Risk Index scoring & downstream-threat assessment
