What just happened? Hacks on companies tend to be bad for the public, but this one is especially concerning. A cybercriminal has compromised popular Android phone monitoring app LetMeSpy, stealing victims’ text messages, call logs, and locations, along with the email addresses of users, and leaked it all online.
LetMeSpy’s website advertises the free app as a way for parents to monitor their children’s text messages and call logs, or for employers to ensure employees aren’t using company mobiles for non-work purposes.
There’s a warning on the site about installing the app without a user’s consent being illegal, but these sorts of apps are often called stalkerware or spouseware due to people using them to stalk other people or their partners. LetMeSpy uploads victims’ texts, call logs, and location data to its servers without the targets’ knowledge. The data can then be accessed by customers.
As per TechCrunch, a notice on the LetMeSpy login page posted on June 21 states that “a security incident occurred involving obtaining unauthorized access to the data of website users.”
The hackers gained access to e-mail addresses, telephone numbers, IP addresses, user IDs, payment logs, customer account password hashes, and the content of messages collected on accounts.
The leaked data of victims dates back ten years. It also contained over 13,400 location data points for several thousand victims, most of whom are located in the United States, India, and Western Africa.
The app makers said it was tracking more than 236,000 devices earlier this year, though the Reg points out that the app only seems to work on Android versions 4 to 7.
Poland-based LetMeSpy’s master database was also included in the data, exposing the information of 26,000 customers who use the app for free and those who bought paid subscriptions. The users include government workers, US college students, a police officer, and an employee from a competing stalkerware app.
The extent of the attack became clear when Polish security research blog Niebezpiecznik, which first discovered the breach, reached out to LetMeSpy for comment. Instead of hearing from the company, the response came from the hackers themselves, who had taken over LetMeSpy’s domain.
The unidentified hacker suggested they deleted the company’s database stored on the server before leaking a copy online later that same day. They also appear to have impacted the functionality of the site and the LetMeSpy app itself.
Unsurprisingly, a hack on a company that helps people spy on and stalk others is generating plenty of schadenfreude. But the incident shouldn’t come as a shock, as these types of apps are notoriously insecure, as illustrated by the number of hacks on other phone monitoring apps in recent years.