Mobile surveillance software firm mSpy has suffered a breach that exposed sensitive information from millions of users. Customer support tickets dating back around 10 years were hacked and leaked by as yet unidentified attackers. The leaked dataset from mSpy’s Zendesk-powered customer support system was made available to DDoSecrets, a nonprofit transparency collective, and subsequently verified as genuine by TechCrunch and independent security experts.
According to breach notification service Have I Been Pwned (HIBP), the leak comprises 318GB of data, with records covering 2.4 million unique email addresses. The exposed data includes the names and IP addresses in user records and support tickets.
Other information includes photos of credit cards and, more surprisingly, nude selfies (almost all of women).
The credit card images appear to be related to refund requests, while the nude images are more difficult to explain.
“There are ‘loads’ of images that are photos of credit cards, with most (but not all) then partially obfuscated,” Troy Hunt, the founder of HIBP, said on Twitter/X. “Are people submitting evidence of the payment method they used? Perhaps.”
He went on to speculate about the origin of the nude pictures: “Were they obtained from compromised devices without the knowledge or consent of the owner? They certainly don’t look like anything that would be loaded into a ticketing system.”
According to a Zendesk spokesperson, the company wasn’t compromised and any breach of mSpy has nothing to do with Zendesk. “We are committed to upholding our User Content and Conduct Policy and investigate allegations of violations appropriately and in accordance with our established procedures. Additionally, we have no evidence that Zendesk experienced a compromise of its platform,” the spokesperson said.
mSpy – which the leaks reveal is owned by Brainstack, a Ukrainian IT company – is mobile and computer monitoring software designed for parental control and employee monitoring. The technology, first released in 2010, is available on iOS, Android, Windows, and macOS.