In a major breach of data privacy and security, a popular phone tracking app called LetMeSpy has been hacked. According to the company that developed the spyware, the hacker has stolen the call logs, messages, and location data intercepted by the app.
Built by a Polish developer, the popular spyware was used to spy on thousands of people using Android devices. On the 21st of June, a notice on the app’s login page informed that “A security incident occurred involving obtaining unauthorized access to the data of website users”.
Background on The Incident?
The data breach was first reported in Niebezpiecznik, a Polish security research blog. Following the detection of the breach, Niebezpiecznik reached out to the spyware developer for their comment on the matter. Instead, it was the hacker who responded to them, claiming that they had seized wide access to LetMeSpy‘s domain.
It is unclear if the spyware’s developer has notified the victims whose devices have been compromised or if it is even capable of doing so.
The hacker claimed to have deleted LetMeSpy’s database from their server. Later that day, a copy of the hacked database was published online. LetMeSpy claimed to have notified the Polish data protection authority UODO and law enforcement of the breach.
The leaked database contained no information that could be used to identify the victims. Furthermore, notifying them could be tricky as it might create a dangerous situation by alerting the person who planted the app on their phones.
Back in January, the spyware’s website said that LetMeSpy had been used to track more than 236,000 devices and collected tens of millions of text messages, call logs, and location data till then. However, following the data breach, the counters on the website began to read as zero. The app, too, appears to have become non-functional.
How Does LetMeSpy Work, and What Kind of Data Was Compromised?
Marketed as an app for parental control and employee monitoring, LetMeSpy is a spyware developed for Android smartphones. However, the app is primarily used by people to track their spouses or domestic partners without their consent or knowledge. Such applications have also led to such spyware being popularly known as spouse-ware or stalker-ware.
The database included more than 13,400 location data points for thousands of victims, most of whom were from the United States, India, and Western Africa.
To track someone, the app must be first planted on their smartphone. The spyware then starts collecting information such as call logs, precise location data, and text messages from the person’s phone. The collected data is secretly uploaded to a remote server, allowing the one who planted the app to monitor the person in real-time without physical access to their device.
Non-profit transparency collective DDoSecrets, which indexes leaked datasets, obtained a copy of the data stolen from LetMeSpy. The database has been found to comprise current records on 13,000 compromised devices, at the very least. Some of the leaked call logs and texts even dated back to 2013.
LetMeSpy isn’t the first spyware or phone-tracking app to be hacked or breached. Several other popular apps, such as TheTruthSpy, Support King, Xnspy, Kidsguard, etc., have also been breached over the years.