mSpy 2015 Data Breach

mSpy Mobile Stalkerware Platform Breach (2015): 700K User Accounts & Monitored Device Data Exposed | ObscureIQ
ObscureIQ Breach Intelligence

Classification Tags

Unknown (failed extortion → Tor public dump; Krebs disclosed) · Spyware · Device Usage Data · Moderate Severity · Website / service breach

Commercial stalkerware platform used for monitoring device activity and communications.

Verified by ObscureIQ Intelligence
Breach Risk Index: 49/100
Data Value: 40
Market Recency: 10
Since Breach: 3987d

Breach Intelligence Summary

Entity: mSpy · Actor: Unknown (failed extortion → Tor public dump; Krebs disclosed) · Sources: 5 references
Attack: Unknown
Profile: Spyware / Stalkerware · Covert device monitoring and surveillance · Stalkerware platform · Global
Timeline: Breach (2015-05-14) · Indexed (May 28, 2015) · Year (2015)
Exposure: 700K records · 1 field: Device Usage Data
Status: Confirmed

Executive Summary

mSpy, a mobile surveillance and parental-control application operating from 2010 onward, suffered a data breach in May 2015 when unidentified attackers exfiltrated several hundred gigabytes of data from mSpy's systems and posted it to a Tor-based hidden service after mSpy reportedly refused to pay an extortion demand. The breach was first reported by security journalist Brian Krebs (KrebsOnSecurity) on May 14, 2015, after Krebs received an anonymous link pointing to the Tor-hosted data. The breach was indexed by Have I Been Pwned on May 28, 2015. mSpy initially denied the breach, but the legitimacy of the leaked data was confirmed by Brian Krebs through direct contact with affected mSpy customers whose information appeared in the dataset.

The breach affected approximately 700,000 unique customer records based on records indexed by Have I Been Pwned, with hackers claiming the dataset included data on more than 400,000 users with payment details on approximately 145,000 successful transactions. Compromised data included Apple IDs and passwords, tracking data, payment information, photos, calendar data, corporate email threads, private conversations, and approximately four million logged surveillance events captured by the mSpy software. The dataset also included thousands of customer support request emails from people around the world who paid between approximately $8.33 and $799 for various mSpy subscription tiers. Critically, the leaked data included surveillance content captured from monitored target devices in addition to customer-account data, exposing both populations.

For surveillance targets and customers alike, the practical risk profile is exceptionally severe and varies between the two populations. For surveillance targets (the people whose devices were being monitored), the breach exposed live and historical device data including photos, communications, calendar entries, and personal conversations that may have been collected without their knowledge or consent. Many targets are likely domestic-violence victims and individuals whose partners, family members, or employers installed the software covertly. The U.S. National Domestic Violence Hotline (1-800-799-7233) and the Coalition Against Stalkerware provide resources for individuals who suspect they may have been monitored.

For customers (the people who purchased mSpy to surveil others), the breach exposed their identification as someone who purchased and used surveillance software, with potential employment, relationship, and legal consequences depending on the jurisdiction and the consent status of the surveillance target. Affected customers who provided Apple ID credentials should immediately change those passwords, enable two-factor authentication on their Apple Account, and review and remove unrecognized devices from their account, because the Apple ID exposure may extend beyond mSpy itself. Affected users who receive extortion attempts referencing the 2015 mSpy data should not pay ransom demands, because payment does not stop further extortion.

ObscureIQ assessment: Extremely sensitive. Exposure can reveal both the monitored person and the purchaser, enabling stalking, extortion, domestic abuse escalation, and severe privacy harm.

Breach Impact

The institutional impact on mSpy from the 2015 breach has been moderate, with the platform continuing to operate through the present despite a recurring pattern of breaches every several years. The case has been cited in cybersecurity coverage as an early canonical example of stalkerware operator non-disclosure and active denial in the face of confirmed breach evidence, with mSpy's response pattern subsequently becoming representative of the broader stalkerware industry response to security incidents. The 2015 breach was also cited as evidence in subsequent FTC stalkerware enforcement actions including the 2021 SpyFone case, illustrating the systemic pattern of consumer-grade spyware vendors failing to notify affected populations after security incidents.

About mSpy

mSpy is a mobile and computer monitoring application marketed for parental control and employee monitoring across Android, iOS, Windows, and macOS platforms. The application has been operating since approximately 2010 and is widely classified as stalkerware because of its persistent use for non-consensual surveillance of romantic partners, despite its parental-control marketing. At the time of the 2015 breach, mSpy was tied to MTechnology LTD, a now-defunct UK-registered firm whose founding members included self-described programmers Aleksey Fedorchuk (Russia) and Pavel Daletski (UK). The 2024 mSpy breach (a separate incident in this dataset) subsequently revealed that mSpy is currently owned by Brainstack, a Ukraine-based information-technology company. Capabilities include tracking GPS location, viewing web history, accessing photos, videos, emails, SMS, Skype, WhatsApp, and keystrokes. As a stalkerware platform, mSpy maintains both customer accounts and the surveillance content captured from monitored devices.

Why They Hold Your Data

Stalkerware platforms collect customer identity, billing records, target-device identifiers, monitoring settings, and exfiltrated device activity tied to covert phone surveillance.

Recent Developments

The 2015 mSpy breach was the first of three documented mSpy security incidents, followed by additional breaches in 2018 and 2024. mSpy initially denied the 2015 breach when contacted by reporters, with a customer service representative claiming that an attack was 'not actually possible' because of the company's security measures and suggesting that the report was a competitor smear campaign. Brian Krebs of KrebsOnSecurity verified the breach by independently contacting affected mSpy customers whose data appeared in the leaked dataset and confirming the legitimacy of the data with them directly. mSpy subsequently quietly remediated the incident without public acknowledgment of the breach. The 2018 and 2024 breaches indicate that mSpy's underlying security posture remained inadequate over the subsequent decade.

Data Points Exposed

1 verified field type
Device Usage Data

Field names are shown in full for clarity and search visibility. Canonical machine keys are emitted only in this page’s structured data.

Exploitation & Downstream Threats

Threat Activity: Moderate
Primary downstream threats:
  • Targeted phishing using exposed personal information
  • Credential reuse attacks across linked accounts
Threat vectors:
  • Behavioural pattern analysis

Threat Actor: Unknown (failed extortion → Tor public dump; Krebs disclosed)

Attribution and method are based on available breach intelligence. Reported attack vector: Unknown.

Recommended Actions

If you believe your information may be included:

  • Enable MFA Everywhere: Turn on multi-factor authentication on email first, then financial accounts.
  • Report & Recover: If you spot misuse, start an official recovery plan and report fraud.

Frequently Asked Questions

What happened in the mSpy breach?

mSpy, a mobile surveillance and parental-control application operating from 2010 onward, suffered a data breach in May 2015 when unidentified attackers exfiltrated several hundred gigabytes of data from mSpy's systems and posted it to a Tor-based hidden service after mSpy reportedly refused to pay…

What data was exposed?

Verified fields include Device Usage Data.

What should I do if I was affected?

Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.

Sources & References

Every claim on this page is traceable. This breach draws on:

  • Breach Index: Have I Been Pwned (Record & field corroboration)
  • Cross-source: 9ghz (Independent catalogue listing)
  • Cross-source: BreachForums_Official_Index (Independent catalogue listing)
  • Cross-source: Keeper (Independent catalogue listing)
  • ObscureIQ Intelligence: ObscureIQ proprietary analysis (Risk Index scoring & downstream-threat assessment)
