Last week, an unknown hacker broke into the servers of US-based stalkerware maker pcTattletale. The hacker then stole and leaked the company’s internal data. They also hacked pcTattletale’s official website with the aim of embarrassing the company.
“This took a total of 15 minutes from reading the techcrunch article,” the hackers wrote in defacement, referring to a recent TechCrunch article where we reported that pcTattletale was used to monitor several check-in computers at the front desk at Wyndham hotels in the United States. States.
As a result of this hack, leak and shame operation, pcTattletale founder Bryan Fleming said he was shutting down his company.
Consumer spyware applications such as pcTattletale are commonly referred to as stalkerware because jealous husbands and partners use them to secretly monitor and surveil their loved ones. These companies often explicitly market their products as solutions to catch cheating partners, encouraging illegal and unethical behavior. And there have been many court casesjournalistic investigations, and investigations into domestic abuse shelters which show that online stalking and tracking can lead to real-world instances of harm and violence.
And that’s why hackers have repeatedly targeted some of these companies.
According to TechCrunch’s tally, with this latest hack, pcTattletale became the 20th stalkerware company since 2017 known to have hacked or leaked customer and victim data online. This is not a typo: Twenty stalkerware companies have either been breached or had significant data exposure in recent years. And three stalkerware companies were hacked multiple times.
Eva Galerpin, director of cybersecurity at the Electronic Frontier Foundation and a leading researcher and activist who has researched and fought stalkerware for years, said the stalkerware industry is a “soft target.” “The people running these companies are maybe not the most meticulous or really concerned about the quality of their product,” Galperin told TechCrunch.
Given the history of stalkerware compromises, that may be an understatement. And because of their lack of care to protect their own customers—and consequently the personal data of tens of thousands of wrongdoing victims—using these apps is doubly irresponsible. Stalkerware clients may be breaking the law, abusing their partners by illegally spying on them, and on top of that, putting everyone’s data at risk.
History of stalkerware hacks
The flurry of stalkerware breaches began in 2017 when a group of hackers hacked US-based Retina-X and FlexiSpy based in Thailand back to back. These two hacks revealed that the companies had a total of 130,000 customers worldwide.
At the time, the hackers who – proudly – claimed responsibility for the compromises said explicitly that their motivation was to expose and hope to help destroy an industry they see as toxic and unethical.
“I’m going to burn them to the ground and leave nowhere for any of them to hide,” one of the hackers involved told Motherboard at the time.
Referring to FlexiSpy, the hacker added: “I hope they go under and fail as a company and have some time to think about what they’ve done. However, I fear they may try to rebirth themselves in a new form. But if they do, I’ll be there.”
Despite the hack and years of negative public attention, FlexiSpy is still active today. The same cannot be said for Retina-X.
The hacker who broke into Retina-X wiped its servers with the aim of stopping it from working. The company came back – and then hacked again a year later. A few weeks after the second breach, Retina-X has announced that it is shutting down.
A few days after the second Retina-X breach, hackers hit Mobistealth and Spy Master Pro, stealing gigabytes of customer and business records, as well as intercepted victims’ messages and precise GPS locations. Another stalkerware vendor, the India-based SpyHuman;it suffered the same fate a few months later, with hackers stealing text messages and call metadata, which contained logs of who called whom and when.
Weeks later, there was the first case of accidental data exposure, rather than hacking. SpyFone left an Amazon-hosted S3 storage bucket unprotected online, which meant that anyone could view and download text messages, photos, recordings, contacts, location, passwords and login information, Facebook messages and more. All of this data was stolen from victims, most of whom were unaware that they were being spied on, let alone aware that their most sensitive personal data was also on the Internet for all to see.
Other stalkerware companies that have irresponsibly left customer and victim data online over the years include FamilyOrbit, which left 281 gigabytes of personal data online protected only by an easy-to-find password; mSpy, which leaked over 2 million customer records. Xnore, which allows any of its customers to view the personal data of other customers’ targets, which included chat messages, GPS coordinates, emails, photos and more. Mobiispy, which left 25,000 recordings and 95,000 images on a server accessible to anyone; KidsGuard, which had a faulty server that leaked victims’ content. pcTattletale, which before its hack as well exposed screenshots of victims’ devices uploaded in real time on a website that anyone could access; and Xnspy, whose developers left credentials and private keys in the apps’ code, allowing anyone to access victims’ data.
As for other stalkerware companies that were actually hacked, there was Copy9, which saw a hacker steals the data of all his tracking targets, including text and WhatsApp messages, call recordings, photos, contacts and eyebrow history. LetMeSpy, which was shut down after its servers were breached by hackers. Brazil-based WebDetetive, which also had its servers wiped, and then he hacked again; OwnSpy, which provides much of the support software for WebDetetive, was also hacked. Spyhide, which had a vulnerability in its code that allowed a hacker to access its back-end databases and years of stolen data from around 60,000 victims. and Oospy, which was a rebrand of Spyhide, was shut down for a second time.
Finally, there is TheTruthSpy, a network of stalkerware applications, which holds the dubious record of having been hacked or leaked data on at least three separate occasions.
Hacked, but unrepentant
Of those 20 stalkerware companies, eight have been shut down, according to TechCrunch’s tally.
In a first and so far unique case, the Federal Trade Commission banned SpyFone and its CEO, Scott Zuckerman, from operating in the surveillance industry after an earlier security breach exposed victims’ data. Another stalkerware business linked to Zuckerman, called SpyTrac, was subsequently shut down after a TechCrunch investigation.
PhoneSpector and Highster, two other companies not known to have been hacked, were also shut down after New York’s attorney general accused the companies of explicitly encouraging customers to use their software for illegal surveillance.
But a company closing doesn’t mean it’s gone forever. As with Spyhide and SpyFone, some of the same owners and developers behind a shutterbug stalkerware maker simply renamed themselves.
“I think these hacks do things. They really get things done, put a dent in it,” Galperin said. “But if you think that if you hack a stalkerware company, that they’re just going to shake their fists, curse your name, disappear in a puff of blue smoke and never be seen again, it sure hasn’t happened.”
“What happens most often, when you manage to kill a stalkerware company, is that the stalkerware company pops up like mushrooms after the rain,” Galperin added.
There is some good news. In a report last year, security firm Malwarebytes said that stalkerware use is declining, according to its own customer data infected with this type of software. Also, Galperin reports seeing an increase in negative reviews of these apps, with customers or prospects complaining that they don’t work as intended.
But Galperin said it’s possible that security companies aren’t as good at detecting stalkerware as they used to be, or that stalkers have moved from software-based tracking to physical surveillance enabled by AirTags and other Bluetooth-enabled trackers.
“Stalkerware does not exist in a vacuum. Stalkerware is part of a whole world of technology-enabled abuse,” Galperin said.
Say no to stalkerware
Using spyware to track your loved ones is not only unethical, it is also illegal in most jurisdictions as it is considered illegal surveillance.
This is already a major reason not to use stalkerware. Then there’s the issue that stalkerware makers have proven time and time again that they can’t keep data safe — neither data belonging to customers nor to their victims or targets.
In addition to spying on romantic partners and spouses, some people use stalkerware apps to monitor their children. While this type of use, at least in the United States, is legal, it doesn’t mean that using stalkerware to spy on your kids’ phone isn’t creepy and unethical.
Even if it’s legal, Galperin believes parents shouldn’t be spying on their kids without telling them and without their consent.
If parents inform their children and get the green light, parents should stay away from unsafe and untrustworthy stalkerware apps and use built-in parental monitoring tools Apple phones and tablets and Android devices which are safer and operate undetected.
If you or someone you know needs help, the National Family Violence Hotline (1-800-799-7233) provides free, confidential 24/7 support to victims of domestic abuse and violence. If you are in an emergency, call 911. The Coalition Against Stalkerware has resources if you think your phone has been compromised by spyware.
