Polish developer behind the LetMeSpy phone monitoring app used to spy on thousands of people using Android phones has been breached, with the hackers stealing sensitive data collected by the app, including text messages, call logs and locations.
LetMeSpy is a free Android app marketed for parental control or employee monitoring, which can track calls, SMS and GPS locations of the phone it is installed on.
The breach was first reported by the Polish research blog Niebezpiecznik last week. When attempting to contact LetMeSpy, Niebezpiecznik got a reply from the hackers instead, who claimed that they had access to the app’s domain.
According to an alert posted on the spyware maker’s website, the information was stolen in a “security incident” that occurred on June 21, when someone obtained “unauthorized access” to its website's databases.
“As a result of the attack, the criminals gained access to e-mail addresses, telephone numbers and the content of messages collected on accounts. In order to ensure security, all account-related functions of the website were disabled immediately after the incident was discovered,” the alert says.
It appears that the stolen data has been circulating online for at least a few days. A review of the leaked database showed it included years of victims’ call logs and text messages dating back to 2013, according to TechCrunch.
The database contained current records on at least 13,000 compromised devices, although not all of them were sharing data with LetMeSpy, as well as over 13,400 location data points for several thousand victims, with the majority of them located in the US, India and Western Africa.
The data also contained the spyware’s master database, including information about 26,000 customers who used the spyware for free and the email addresses of customers who bought paying subscriptions.
Currently, it’s not clear who is responsible for the hack. According to the intruders’ claim, they have deleted data stored on the LetMySpy servers.