A data leak from a consumer-grade spyware company exposed the email addresses of its users as well as the call logs and messages of those targeted for surveillance.
The Poland-based business, known as LetMeSpy, admitted in a statement on its website that a “security incident” was found to have taken place on June 21.
“As a result of the attack, the criminals gained access to e-mail addresses, telephone numbers, and the content of messages collected on accounts,” the company wrote.
LetMeSpy allows users to track not only communication data but the GPS location of any Android device that its app has been installed on.
Commonly referred to as “stalkerware,” such apps are regularly advertised as useful tools for parents to monitor their children. Yet spyware is commonly abused by those looking to spy on others without their consent.
The leak was first reported on by the Polish security blog Niebezpiecznika last week and TechCrunch on Tuesday.
The Swiss hacker maia arson crimew similarly noted in an analysis of the data that the leak contained a full phpMyAdmin database, decrypted call and message logs, as well as a list of users’ email addresses and password hashes. After obtaining a copy of the data, the Daily Dot counted more than 26,000 users on that list.
At least three users signed up for LetMeSpy with emails linked to government domains. Two were connected to the government of Malaysia while the third originated from Jordan. Another email was linked to a patrol officer for a police department in Louisiana and even an employee from a competing spyware company. However, crimew notes that none of the aforementioned users appeared to actually use the software after signing up.
The Daily Dot reached out to the police department in question to ask whether it was aware of the officer’s alleged account with LetMeSpy but did not receive a response by press time. It remains unclear if the officer planned to use the app in an official or personal capacity.
Also noted by crimew was the frequent appearance of university email domains on the user list, suggesting that stalkerware is likely prominent among college students in the U.S.
Analysis of some of the over 16,000 text messages captured by LetMeSpy, which date back to the year 2013, show everything from drug deals taking place to a number of spam campaign messages from former President Donald Trump. Some users of the app even appeared to admit to spying after supposedly discovering their partners cheating.
“You cheat,” one such message read. “Your being Tracked.”
Other data, according to crimew, includes “geolocation logs, IP addresses for each log entry, IP addresses for the operators, phone model, android version, and operator payment logs.”
Aside from concerns over the data itself, crimew further stated that the app appeared to have no way to inform either users or targets about the leak.
“LetMeSpy has no way to know who victims are and notify them even if they wanted to and only has info on the operators and those who the victims communicated with,” crimew told the Daily Dot. “This all leaves interesting questions about mandatory breach reporting especially considering this is an EU company subject to the privacy rules outlined in the General Data Protection Regulation (GDPR).”
The Daily Dot reached out to LetMeSpy for comment but did not receive a response.