US consumer spyware app pcTattletale has been hacked and its internal data published on its own website, according to a hacker who claimed responsibility for the breach.
The hacker posted a message on pcTattletale’s website late Friday, claiming to have compromised the servers that housed pcTattletale’s operations. The spyware maker’s website briefly contained links containing files from its servers that appeared to include some stolen victim data. TechCrunch is not linking to the site given the ongoing risk to victims, whose personal data has already been compromised by the spyware.
pcTattletale founder Brian Fleming did not return an email seeking comment. It is unclear whether Fleming can receive emails due to the ongoing shutdown of his company.
The hacker did not provide a specific motive for the breach. The hack comes several days after a security researcher said he found and reported a vulnerability in the spyware app itself, which leaks screenshots of the devices it was installed on. The researcher, Eric Daigle, said did not release specific details about the flaw because pcTattletale ignored requests to fix the vulnerability.
The hacker who hacked and defaced pcTattletale’s website did not exploit the vulnerability Daigle found, but said pcTattletale’s servers could be tricked into handing over the private keys for the Amazon Web Services account, which provides access to its features spyware.
pcTattletale, a type of remote access app often referred to as “stalkerware” for its ability to track people without their knowledge or consent, allows the person who installed the app to remotely view the target’s Android or Windows device and its data from anywhere in the world. pcTattletale says the app “runs invisibly in the background on their workstations and cannot be detected.” Spyware applications are stealthy in nature and therefore difficult to detect and remove.
Earlier this week, TechCrunch revealed that pcTattletale was used to compromise front desk check-in systems at several Wyndham hotels in the United States, which leaked screenshots of guest credentials and customer information. Wyndham did not specify whether it authorized or permitted its franchisee hotels to use the spyware application on its systems.
This is the latest example of a spyware maker losing control of the highly sensitive and personal data it collects from its targets’ devices. In recent years, more than a dozen spyware and stalkerware companies have hacked or otherwise leaked victims’ personal data — in some cases multiple times — according to an ongoing count by TechCrunch.
This list of eavesdropping software manufacturers includes LetMeSpy, a spyware eavesdropper made by a Polish developer, which was shut down in June 2023 after its systems were hacked and support data was deleted. and TheTruthSpy, a phone spying software operation created and operated by Vietnamese developers, which was hacked again in February.
Other spyware makers include KidsGuard, Xnspy, Support King, Spyhide — and now, pcTattletale.
