LetMeSpy, a Mobile Phone Spyware App, Was Hacked

The research team at Niebezpiecznik (a Polish security blog) uncovered the hack that stole messages, call logs, and locations intercepted by a widely used phone monitoring app.

LetMeSpy published a notice stating that the incident occurred on June 21, and “as a result of the attack, the criminals gained access to email addresses, telephone numbers, and the content of messages collected on accounts."

LetMeSpy is a phone monitoring application marketed for parental control or employee monitoring. It is designed to operate discreetly, remaining hidden on a phone's home screen, making it challenging to detect and uninstall. These types of applications, commonly referred to as stalkerware or spouseware, are typically installed by individuals who have physical access to someone's phone without their consent or awareness.

The DailyDot highlighted the frequent presence of university email domains on the user list, indicating that stalkerware is likely prevalent among college students in the US. Furthermore, the data included government domains, instances of drug trades, and admissions by some users regarding their use of the app for spying on others. An email associated with a police department in Louisiana was also identified within the compromised data.

When Niebezpiecznik reached out to the spyware maker for comment, the hacker allegedly replied instead, asserting their control over the domain of the spyware maker. The identity of the perpetrators behind the LetMeSpy hack and their motivations remain unknown. According to TechCrunch, the threat actor hinted at having erased LetMeSpy's databases stored on the server, and later that day, a copy of the hacked database emerged online.

While LetMeSpy has informed law enforcement and its local data protection authority, UODO, about the incident, it remains uncertain whether the company will extend notifications to individuals whose phones have been compromised.