I doubt there will be many people shedding tears at the news that a stalkerware company has announced it is permanently ceasing operations at the end of this month - after it suffered a devastating data breach.
The Polish developers of LetMeSpy, an Android stalkerware or spouseware app, announced in June that hackers had broken into its infrastructure and stolen its entire user database.
A user database, let us not forget, of people who had chosen to use LetMeSpy to spy on the phones of their partners, children, colleagues, or anyone else they had an unhealthy interest in.
Unfortunately the database did not just contain details of those who had purchased LetMeSpy to stalk others, but also records related to the people who were the victims of the spyware - meaning that any private messages recorded by LetMeSpy, their location, and call logs were also now in the hands of the hackers.
The data haul includes call logs and text messages dating back as far as 2013, impacting thousands of innocent people. Indeed LetMeSpy's website - before it was replaced with sheepish admissions of its data breach and closure - boasted that it was installed on over 230,000 phones and had collected more than 63 million text messages and 39 million call logs.
And although LetMeSpy marketed itself as an app with the "legitimate" purpose of monitoring children or employees with their permission, no-one should be fooled into thinking that it was used primarily with anything other than sinister intentions.
As The Register reports, researcher Maia arson crimew examined the stolen database and noted that LetMeSpy's users included government workers and even workers at a rival stalkerware company.
The analysis further found that many users were college students, and identified logs of drug trades and even instances of stalkers contacting their victims to accuse them of cheating on other people.
In the latest update on its website, LetMeSpy announced that it will cease operations on August 31, 2023. The site's administrator says that it has not been possible to create new accounts since it suffered its data breach in 2023, and that anyone wanting to access data that is still stored in their account should contact them via email by the end of September. After that date, LetMeSpy says, all remaining data associated with accounts will be deleted.
Well, seeing as that is data that has been secretly stolen from other people's smartphones, that's data that should never have been collected in the first place.
Through LetMeSpy's own weak cybersecurity, it appears it has already fallen into the laps of hackers. Only time will tell what - if anything - they plan to do with it.
It's not unusual to hear of stalkerware companies being hacked. I certainly am getting a strong impression that the cybersecurity of such firms is not much of a priority. Those considering spying on their spouse (or indeed anyone else) with such technology might be wise to think twice before they entrust them with their personal information.
Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.