Data collected by spyware "phone monitoring" app LetMeSpy is stolen, company closes
Take action: The irony is not lost that an application which is for all intentions and purposes a spyware designed to secretly steal call logs, text messages, and location information has fallen to data stealing. The developer has also reported the privacy breach to law enforcement and a data protection authority - which just adds insult to injury on the victims of the spyware.
Learn More
Confidential information collected by the Android stalkerware "phone monitoring" application known as LetMeSpy has been leaked. The leak includes victims' text messages, call logs, and even the email addresses of those were using the software to spy on others.
The stolen data has been circulating online for several days, exposing the majority of LetMeSpy's user base, which reportedly includes government workers and a significant number of college students in the United States.
The Polish developer of the app confirmed that a "security incident" occurred on June 21, resulting in unauthorized access to their website's databases. Details of the attack type are not available.
Update - as of start of August, LetMeSpy has officially ceased its operations after the data breach.
Essentially, LetMeSpy allows individuals to acquire a paid or free version of the application, install it on someone else's Android phone (e.g., a partner, employee, or relative), discreetly hide the app, and subsequently collect copies of stolen messages, logs, and other data via the LetMeSpy website.
This pilfered information, along with the personal details of those who signed up for the software, has been exposed through the LetMeSpy website.
An alert on the LetMeSpy login page confirms that the attackers gained access to email addresses, telephone numbers, and message content associated with user accounts.
According to security researchers the stolen data encompasses:
- call logs,
- messages,
- geolocations,
- IP addresses,
- payment logs,
- user IDs,
- email addresses,
- hashed customer account passwords.
In response, the website temporarily disabled all account-related functions, which will be reinstated once the vulnerability exploited by the attackers is resolved. The developer has also reported the privacy breach to law enforcement and a data protection authority.
Although approximately 10,000 phones were registered for the spyware service, it seems not all of them were subjected to surveillance. The application appears to be compatible only with Android versions 4 to 7.
Update - as of start of August, LetMeSpy has officially ceased its operations after the data breach. The company confirmed its "permanent shutdown" through a notice on its website in both English and Polish, stating that it would no longer be in operation by the end of August. New user sign-ups and logins have been blocked.
Apparently the hacker responsible for the breach not only gained unauthorized access to LetMeSpy's website database but also downloaded and deleted data from the servers. The spyware app is no longer functional, and the website no longer provides the app for download.
LetMeSpy joins a growing list of spyware operations shutting down due to security incidents that exposed victims' data, as well as exposing the identities of the individuals behind these operations. Spytrac, which had over a million user records in its database, was confirmed to be operated by Support King, a tech company that was banned from the surveillance industry by federal regulators in 2021 for failing to secure stolen data from its spyware app, SpyFone.
