In a new episode of Spy vs Spy, the mobile monitoring app mSpy has suffered a data breach that exposed information about millions of its customers.

As Malwarebytes Labs has reported before, the types of companies that make mobile applications that enable users to non-consensually spy and monitor on other users are also—unsurprisingly—rather lax when it comes to their own security. This is the third known mSpy data breach since the company began in around 2010.

TechCrunch reports that in May 2024, unknown attackers stole millions of customer support tickets, including personal information, emails to support, and attachments, including personal documents.

The stolen support tickets date back to 2014, so that’s a decade’s worth of support tickets, reportedly millions of individual customer service tickets and their corresponding email addresses, as well as the contents of those emails.

Sold as a parental monitoring tool, mSpy touts itself as:

“a hugely powerful phone monitoring app which can report on almost every area of your kid’s online activities (and one or two of the offline ones, too).”

Parental monitoring apps present their own complications—particularly when they’re used non-consensually against children—as they can give parents a near-omniscient, unfiltered view into their children’s lives, granting them access to text messages, shared photos, web browsing activity, locations visited, and call logs. Without getting consent from a child, these surveillance capabilities represent serious invasions of privacy.

The same is true when these types of apps are used against adults, and while mSpy may advertise itself now as a tool for parental safety, that wasn’t the case when it was founded.

In fact, in the early 2010s, mSpy promoted its monitoring capabilities against adults, including both in an office environment and in romantic relationships. Looking back at a 2014 archive of mSpy’s website, the company claims that, with mSpy, employers can “make sure your employees’ time is not wasted on writing personal emails.” In an earlier archived version of mSpy’s website from 2012, the company touts that its app can help you “discover if your partner is cheating on you.”

At Malwarebytes, we prefer to refer to these types of apps as “stalkerware” and as one of the founding members of the Coalition Against Stalkerware, we advise strongly against using these apps.

The Coalition Against Stalkerware defines stalkerware as tools—software programs, apps and devices—that enable someone to secretly spy on another person’s private life via their mobile device. The abuser can remotely monitor the whole device including web searches, geolocation, text messages, photos, voice calls and much more. Such programs are easy to buy and install. They run hidden in the background, without the affected person knowing or giving their consent. Regardless of stalkerware’s availability, the abuser is accountable for using it as a tool and hence for committing this crime.

TechCrunch analyzed where mSpy’s contacting customers were located by extracting all of the location coordinates from the dataset and plotting the data in an offline mapping tool. The results show that mSpy’s customers are located all over the world, with large clusters across Europe, India, Japan, South America, the United Kingdom, and the US.

If you fear your data may have been exposed in this or any other breaches, Malwarebytes has a free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

If you are looking for a way to remove stalkerware from your device, you have come to the right place. You can keep these and other threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Summer mega sale

Go into your vacation knowing you’re much more secure: This summer you can get a huge 50% off a Malwarebytes Standard subscription or Malwarebytes Identity bundle. Run, don’t walk!