Ukrainian Phone Surveillance Company mSpsy Hacked

In yet another massive breach, attackers stole sensitive information of millions of people using the phone monitoring app.

Mobile spyware company mSpy is the latest to make headlines for a breach that impacts millions of people. In May 2024, an attacker stole customer service records dating back to 2014 from the phone surveillance company, TechCrunch reports. The data, including personal information and documents, was stolen from mSpy’s customer support system, operated by Zendesk.  

Zendesk told InformationWeek via email, “Our position remains the same that Zendesk did not experience a compromise of its platform.” 

What are the potential privacy implications of these incidents, and why do we continue to see such massive breaches?  

The Privacy Dynamics 

While any breach of personal information comes with serious privacy concerns, mSpy’s services adds another layer of complexity to the privacy dynamics.  

“MSpy itself and these spyware apps, they’re not inherently illegal on their own. They’re advertised as … a parental control or employee monitoring software,” says Adam Rice, senior security engineer at Huntress, a managed cybersecurity platform. “But we see all the time that people are abusing these for … monitoring their spouses or monitoring people without their consent, which is illegal.” 

The privacy of not only mSpy’s customers but also the people they are monitoring, with consent or without, are at risk in a breach like this.  

The leaked data set of more than 100 gigabytes reveals that mSpy is aware that customers often use its service to monitor people without their consent, according to TechCrunch. 

The fallout of the breach could result in both brand damage – if you are using a service like this you likely don’t want that information leaked – and litigation.  

“I’m anticipating possibly more litigation here because there’s going to be more customers that are going to be likely to call lawyers and figure out what’s going on,” says Geoffrey Lottenberg, partner at Berger Singerman, a Florida business law firm.  

Living in a World of Breaches 

The mSpy breach comes on the heels of the latest massive AT&T breach, which affected nearly all of the telecommunications company’s customers. AT&T learned of the breach in April, but secured delays from the US Department of Justice before making a public disclosure, according to an 8-K filed with the US Securities and Exchange Commission (SEC).  

The Ukrainian parent company, Brainstack, has not publicly acknowledged the breach, according to the TechCrunch report. MSpy did not respond to InformationWeek’s request for comment.  

The telecommunications space is no stranger to larger breaches like this. MSpy has been breached twice before, according to Malwarebytes Labs. The data of 73 million AT&T customers was leaked earlier this year. T-Mobile has suffered several enormous breaches in recent years.  

While there is an ongoing trend in the telecommunications industry, it’s a pattern you can see in many other industries as well: health care, critical infrastructure, retail, to name a few.  

Why do these big breaches keep happening? In many cases, the answer is, frustratingly, a lack of basic cybersecurity hygiene.  

“Time and time again, where we’re looking over these big breaches, it’s always something simple. Like a phishing email or somebody’s account being hijacked,” Rice tells InformationWeek.  

Amassing data has become standard for modern enterprises. “The nature of businesses is such that data will get shared. It will go to different places. What’s important for businesses to keep in mind is as we do that we need to, do it in [an] informed way versus just blindly taking on new services and sending data over,” says Pranava Adduri, cofounder and CEO at data security company Bedrock Security.  

Breaches like the one hitting mSpy are a clear reminder that reaping the value of data comes with management responsibilities. Enterprise leaders need to be able to answer questions like: What data do we have? Where is it being shared? Who has access? Who has access and who doesn’t need it? What data can be deleted?  

Answering those questions is challenging and becomes even more so in the complexity of the supply chain that involves multiple third parties. In the case of the recent mSpy and AT&T breaches, the data was stolen from third party platforms – Zendesk in the case of the mSpy breach and Snowflake in the case of the AT&T breach.  

While some breaches could be avoided, there are determined and sophisticated threat actors out there. Not all breaches can be stopped. Yet, that doesn’t mean enterprises safeguarding data can simply throw in the towel and do nothing.  

“They’re always going to find a way, and that’s where these more advanced companies, like AT&T, who have the ability to do internal threat hunting, should be doing more of that more regularly,” says Rice.  

Data breaches have become so commonplace it seems that consumers have grown numb to them. But Lottenberg argues that something has to change.  

“At some point, I think that the issue is going to be how do they remedy these breaches when they do happen because frankly, offering free credit monitoring for a year, that old … resolution, [and] maybe here’s $5, that’s not really working anymore,” he says.