LetMeSpy, a popular phone tracking app used for monitoring Android devices, has been hacked. This has resulted in the theft of intercepted messages, call logs, and locations.
The spyware is developed by a Polish company and is primarily marketed for parental control and employee monitoring purposes.
However, these types of apps, also known as stalkerware or spouseware, are often installed without consent by individuals with physical access to the target’s phone, making detection and removal challenging.
The breach involved unauthorized access to user data, including email addresses, phone numbers, and message content. The hacker responsible for the breach claimed to have gained extensive access to the spyware maker’s domain.
The motive behind the hack and the identity of the hacker remain unclear. While the hacker stated that they deleted LetMeSpy’s databases stored on the server, a copy of the hacked database appeared online later.
DDoSecrets, a nonprofit organization focused on transparency, obtained a copy of the hacked data and shared it with SurgeZirc ZA. Due to the presence of personally identifiable information, DDoSecrets restricted the distribution of the data to journalists and researchers.
SurgeZirc ZA analyzed the leaked data, which contained call logs and text messages dating back to 2013 from over 13,000 compromised devices.
Moreover, LetMeSpy’s website previously claimed to track over 236,000 devices and collect extensive call logs, text messages, and location data. However, the website currently appears non-functional, and its counters indicate zero usage.
The leaked data also revealed over 13,400 location data points, with the majority concentrated in the United States, India, and Western Africa.
Additionally, the spyware’s master database contained information about 26,000 customers who used the app for free, as well as the email addresses of paying subscribers.
Spyware makers often conceal the real-world identities of their developers to evade legal consequences associated with facilitating large-scale covert phone surveillance.
LetMeSpy claims to have notified law enforcement and the Polish data protection authority, UODO, about the breach, but neither party responded to SurgeZirc ZA’s requests for comment.
It remains uncertain whether LetMeSpy will notify the victims whose phones were compromised, as the leaked data does not contain identifiable information for direct communication.
Notifying victims can be challenging, as it may alert the individuals who planted the spyware, potentially creating unsafe situations.