LetMeSpy phone tracking app suffers data breach, exposing user information

LetMeSpy, a widely utilized phone monitoring app marketed for parental control and employee monitoring purposes, fell victim to a significant data breach, which resulted in the unauthorized access of sensitive user information, including call logs, email addresses, telephone numbers, text messages, and location data collected from accounts dating back to 2013.

The breach, which occurred on June 21, involved hackers gaining entry into LetMeSpy’s databases, compromising the personal information of thousands of individuals who had used the app.

LetMeSpy has gained notoriety for its security vulnerabilities, with similar apps often called stalkerware or spouseware. These apps are typically installed on devices without the user’s consent or knowledge. Once embedded, LetMeSpy discreetly uploads the phone’s data to remote servers, enabling the individual who installed the app to secretly track and monitor the victim’s activities in real time.

The identity and motives of the hacker behind the LetMeSpy breach remain unclear. The hacker claimed to have gained extensive access to the company’s domain and asserted that they had deleted LetMeSpy’s databases. However, shortly after the incident, a leaked copy of the hacked database emerged online, contradicting the hacker’s claim.

The leaked database copy revealed disturbing details, containing records of over 13,000 compromised devices, with call logs and text messages spanning multiple years. The victims primarily hail from the United States, India, and Western Africa, as indicated by the location data stored within the database.

Furthermore, the leaked data included LetMeSpy’s master database, which exposed information about 26,000 customers. This database unveiled the identities of customers who used the spyware for free and the email addresses of those who purchased subscriptions.

Following the breach, LetMeSpy asserted that they had notified law enforcement authorities and the Polish data protection authority, UODO. However, the company’s ability to directly notify the affected victims remains uncertain due to the lack of identifiable information in the leaked data. This presents a challenge, as notifying the victims could potentially alert the perpetrators, thereby jeopardizing the safety of those affected.