mSpy, a company that provides parents with tools for monitoring computers and mobile devices, has admitted to a data breach but has claimed that no personal information was exposed.
The company denied the breach when first approached by security expert Brian Krebs, saying that reports of the incident were wrong.
mSpy changed its tune later, however, telling the BBC that something had occurred. The BBC has also discovered that UK data watchdog the Information Commissioner's Office is now involved. mSpy did not comment on this.
The firm provides a service aimed at concerned parents but which can be put to use by anyone who wants to keep a digital ear and eye on the communications of an associate or spouse, for example.
This official oversight is fine, but a data breach complicates matters. mSpy told the BBC that, although a hack has taken place, its customers' details were not compromised.
"There is no data on 400,000 of our customers on the web," said a spokesperson. "We believe we have become a victim of a predatory attack, aimed to take advantage of our estimated commercial achievements."
Krebs said in a blog post that the plundered documents and data are on the so-called dark web, and he claims to have downloaded and assessed the information.
Mobile spyware maker mSpy continues to deny breach, even as customers confirm it http://t.co/liQVhkvD3I— briankrebs (@briankrebs) May 21, 2015
"No, the stolen records aren't on the web; rather, they've been posted to various sites on the Deep Web, which is only accessible using Tor," he wrote.
"Also, I don't doubt that mSpy was the target of extortion attempts; the fact that the company did not pay the extortionist is likely what resulted in its customers' data being posted online.
"I spent the better part of the day today pulling customer records from the hundreds of gigabytes of data leaked from mSpy.
"I spoke with multiple customers whose payment and personal data - and that of their kids, employees and significant others - were included in the huge cache. All confirmed they are or were recently paying customers of mSpy."
Users are told that their non-existent 'iPhoneID' is expiring soon
Expansion of SDK intended to expand Amazon Alexa ecosystem
Locky returns from a prolonged rest with two new variants
AMD lambasted over Radeon RX Vega pricing that will add an extra £100 to RX Vega 56 and 64 graphics cards
Company accused of failing to tell anyone that the launch prices were only introductory offers