Data breach exposes millions of mSpy spyware customers | TechCrunch

A data breach at the phone surveillance operation mSpy has exposed millions of its customers who bought access to the phone spyware app over the past decade, as well as the Ukrainian company behind it.

Unknown attackers stole millions of customer support tickets, including personal information, emails to support, and attachments, including personal documents, from mSpy in May 2024. While hacks of spyware purveyors are becoming increasingly common, they remain notable because of the highly sensitive personal information often included in the data, in this case about the customers who use the service.

The hack encompassed customer service records dating back to 2014, which were stolen from the spyware maker's Zendesk-powered customer support system.

mSpy is a phone surveillance app that promotes itself as a way to track children or monitor employees. Like most spyware, it is also widely used to monitor people without their consent. These kinds of apps are also known as "stalkerware" because people in romantic relationships often use them to surveil their partner without consent or permission.

The mSpy app allows whoever planted the spyware, typically someone who previously had physical access to a victim's phone, to remotely view the phone's contents in real-time.

As is common with phone spyware, mSpy's customer records include emails from people seeking help to surreptitiously track the phones of their partners, relatives, or children, according to TechCrunch's review of the data, which we independently obtained. Some of those emails and messages include requests for customer support from several senior-ranking US military personnel, a serving US federal appeals court judge, a US government department's watchdog, and an Arkansas county sheriff's office seeking a free license to trial the app.

Even after amassing several million customer service tickets, the leaked Zendesk data is thought to represent only the portion of mSpy's overall customer base who reached out for customer support. The number of mSpy customers is likely to be far higher.

Yet more than a month after the breach, mSpy's owners, a Ukraine-based company called Brainstack, have not acknowledged or publicly disclosed the breach.

Troy Hunt, who runs data breach notification site Have I Been Pwned, obtained a copy of the full leaked dataset, adding about 24 million unique email addresses of mSpy customers to his site's catalog of past data breaches.

Hunt told TechCrunch that he contacted several Have I Been Pwned subscribers with information from the breached data, who confirmed to him that the leaked data was accurate.

mSpy is the latest phone spyware operation in recent months to have been hacked, according to a recently compiled list by TechCrunch. The breach at mSpy shows once again that spyware makers cannot be trusted to keep their data secure, either that of their customers or their victims.

TechCrunch analyzed the leaked dataset, more than 100 gigabytes of Zendesk records, which contained millions of individual customer service tickets and their corresponding email addresses, as well as the contents of those emails.

Some of the email addresses belong to unwitting victims who were targeted by an mSpy customer. The data also shows that some journalists contacted the company for comment following the company's last known breach in 2018. And on several occasions, US law enforcement agents filed or sought to file subpoenas and legal demands with mSpy. In one case, following a brief email exchange, an mSpy representative provided the billing and address information about an mSpy customer, an alleged criminal suspect in a kidnapping and homicide case, to an FBI agent.

Each ticket in the dataset contained an array of information about the people contacting mSpy. In many cases, the data also included their approximate location based on the IP address of the sender's device.

TechCrunch analyzed where mSpy's contacting customers were located by extracting all of the location coordinates from the dataset and plotting the data in an offline mapping tool. The results show that mSpy's customers are located all over the world, with large clusters across Europe, India, Japan, South America, the United Kingdom, and the United States.

Buying spyware is not itself illegal, but selling or using spyware for snooping on someone without their consent is unlawful. US prosecutors have charged spyware makers in the past, and federal authorities and state watchdogs have banned spyware companies from the surveillance industry, citing the cybersecurity and privacy risks that the spyware creates. Customers who plant spyware can also face prosecution for violating wiretapping laws.

The emails in the leaked Zendesk data show that mSpy and its operators are acutely aware of what customers use the spyware for, including monitoring of phones without the person's knowledge. Some of the requests cite customers asking how to remove mSpy from their partner's phone after their spouse found out. The dataset also raises questions about the use of mSpy by US government officials and agencies, police departments, and the judiciary, as it is unclear if any use of the spyware followed a legal process.

According to the data, one of the email addresses pertains to Kevin Newsom, a serving appellate judge for the US Court of Appeals for the Eleventh Circuit across Alabama, Georgia, and Florida, who used his official government email to request a refund from mSpy.

Kate Adams, the director of workplace relations for the US Court of Appeals for the Eleventh Circuit, told TechCrunch: "Judge Newsom's use was entirely in his personal capacity to address a family matter." Adams declined to answer specific questions about the judge's use of mSpy or whether the subject of Newsom's surveillance consented.

The dataset also shows interest from US authorities and law enforcement. An email from a staffer at the Office of the Inspector General for the Social Security Administration, a watchdog tasked with oversight of the federal agency, asked an mSpy representative if the watchdog could utilize mSpy "with some of our criminal investigations," without specifying how.

When reached by TechCrunch, a spokesperson for the Social Security Administration's inspector general did not comment on why the staffer inquired about mSpy on behalf of the agency.

The Arkansas County sheriff's department sought free trials of mSpy, ostensibly for providing demos of the software to neighborhood parents. That sergeant did not respond to TechCrunch's question about whether they were authorized to contact mSpy.

This is the third known mSpy data breach since the company began in around 2010. mSpy is one of the longest-running phone spyware operations, which is in part how it accumulated so many customers.

Despite its size and reach, mSpy's operators have remained hidden from public view and have largely evaded scrutiny, until now. It's not uncommon for spyware makers to conceal the real-world identities of their employees to shield the company from legal and reputational risks associated with running a global phone surveillance operation, which is illegal in many countries.

But the data breach of mSpy's Zendesk data exposed its parent company as a Ukrainian tech company called Brainstack.

Brainstack's website does not mention mSpy. Much like its public open job postings, Brainstack only refers to its work on an unspecified "parental control" app. But the internal Zendesk data dump shows Brainstack is extensively and intimately involved in mSpy's operations.

In the leaked Zendesk data, TechCrunch found records containing information about dozens of employees with Brainstack email addresses. Many of these employees were involved with mSpy customer support, such as responding to customer questions and requests for refunds.

The leaked Zendesk data contains the real names and, in some cases, the phone numbers of Brainstack employees, as well as the false names that they used when responding to mSpy customer tickets to hide their own identities.

When contacted by TechCrunch, two Brainstack employees confirmed their names as they were found in the leaked records, but declined to discuss their work with Brainstack.

Brainstack chief executive Volodymyr Sitnikov and senior executive Kateryna Yurchuk did not respond to multiple emails requesting comment prior to publication. Instead, a Brainstack representative, who did not provide their name, did not dispute our reporting but declined to provide answers to a list of questions for the company's executives.

It's not clear how mSpy's Zendesk instance was compromised or by whom. The breach was first disclosed by Switzerland-based hacker maia arson crimew, and the data was subsequently made available to DDoSecrets, a nonprofit transparency collective that indexes leaked datasets in the public interest.

When reached for comment, Zendesk spokesperson Courtney Blake told TechCrunch: "At this time, we have no evidence that Zendesk has experienced a compromise of its platform," but would not say if mSpy's use of Zendesk for supporting its spyware operations violated its terms of service.

"We are committed to upholding our User Content and Conduct Policy and investigate allegations of violations appropriately and in accordance with our established procedures," the spokesperson said.

If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides 24/7 free, confidential support to victims of domestic abuse and violence. If you are in an emergency situation, call 911. The Coalition Against Stalkerware has resources if you think your phone has been compromised by spyware.