Researchers have revealed that another spyware company has been hacked, leaking sensitive customer data online.
This time it is Ukrainian company Brainstack, which builds and maintains mSpy. mSpy currently has about 1.5 million users.
The breach occurred after unknown threat actors reportedly compromised the company’s Zendesk platform, which was used to manage customer service. From there, they stole over 100 gigabytes of data, including customer service tickets and attachments. These attachments often included personal documents. Location data, based on people’s IP addresses, was also found.
Identity data and personal documents
Journalists from TechCrunch searched the database and found several high-ranking U.S. military officials, a serving U.S. federal appeals court judge, and a watchdog for a U.S. government department, all of whom had used the app at some point. The list also includes an Arkansas County sheriff’s office, which requested a free trial.
While 100 gigabytes may seem like a lot, the publication says the data only pertains to people who contacted customer service and that mSpy’s user base is likely much larger.
HaveIBeenPwned?, an online service where people can check if their email address has been leaked in a breach, has added 2.4 million unique email addresses to its database. This doesn’t necessarily mean that 2.4 million people were affected, as many were able to use new, “burner” email addresses just for mSpy.
Brainstack is currently keeping quiet.
Spyware, as the name suggests, is used for spying. It is also called stalkerware or spouseware, both self-explanatory names. Users who purchase the license install the app on the mobile phones of their spouses, partners, children or employees, without their knowledge or consent. The app can monitor the activity on the device in real time, giving the owner of the license access to call logs, messages, location data, files on the device and more.