
Hacked, Leaked, Exposed: Why You Should Never Use Stalkerware Apps

Last week, an unknown hacker broke into the servers of American tracking software manufacturer pcTattletale. The hacker then stole and leaked the company’s internal data. They also defaced the official pcTattletale website in an attempt to embarrass the company.

“This took a total of 15 minutes after reading the Techcrunch article,” the hackers wrote in the defacement, referencing a recent TechCrunch article in which we reported that pcTattletale was being used to monitor multiple recording computers at the front desk of Wyndham hotels across the United States.

As a result of this hack, leak, and shame operation, pcTattletale founder Bryan Fleming said he was shutting down his business.

Mainstream spyware apps like pcTattletale are commonly known as stalkerware because jealous spouses and partners use them to surreptitiously monitor their loved ones. These companies often explicitly market their products as solutions for catching cheating partners, encouraging illegal and unethical behavior. And numerous court cases, journalistic investigations, and surveys of domestic violence shelters have shown that online harassment and surveillance can lead to real-world harm and violence.

This is why hackers have repeatedly targeted some of these companies.

By TechCrunch’s count, with this latest hack, pcTattletale became the 20th stalkerware company since 2017 known to have had its customers’ and victims’ data hacked or leaked online. That’s not a typo: twenty stalkerware companies have been hacked or had significant data exposure in recent years. And three stalkerware companies have been hacked multiple times.

Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation and a leading researcher and activist who has investigated and combated stalkerware for years, said the stalkerware industry is an “easy target.” “The people who run these companies may not be the most scrupulous or really concerned about the quality of their products,” Galperin told TechCrunch.

Given the history of stalkerware compromises, that may be an understatement. And because of the lack of care taken to protect their own customers – and therefore the personal data of tens of thousands of unwitting victims – the use of these apps is doubly irresponsible. Stalkerware customers can break the law, abuse their partners by illegally spying on them and, on top of that, put everyone’s data at risk.

A history of stalkerware hacks

The wave of stalkerware breaches began in 2017 when a group of hackers consecutively hacked US-based Retina-X and Thailand-based FlexiSpy. These two hacks revealed that the companies had a total of 130,000 customers worldwide.

At the time, the hackers who – proudly – claimed responsibility for the compromises explicitly stated that their motivation was to expose, and hopefully help destroy, an industry they view as toxic and unethical.

“I will burn them to ashes and leave no place to hide,” one of the hackers involved told Motherboard at the time.

Referring to FlexiSpy, the hacker added: “I hope they collapse and fail as a company, and have time to think about what they did. However, I fear that they will attempt to give birth again in a new form. But if they do, I’ll be there.”

Despite the hack and years of negative public attention, FlexiSpy is still active today. The same cannot be said for Retina-X.

The hacker who broke into Retina-X wiped its servers in an attempt to hamper its operations. The company rebounded, then was hacked again a year later. A few weeks after the second breach, Retina-X announced its closure.

Just days after the second Retina-X breach, hackers attacked Mobistealth and Spy Master Pro, stealing gigabytes of customer and business records, as well as victims’ intercepted messages and precise GPS locations. Another stalkerware provider, India-based SpyHuman, met a similar fate a few months later, with hackers stealing text messages and call metadata, which contained logs of who called whom and when.

A few weeks later came the first case of accidental data exposure, rather than a hack. SpyFone left an Amazon-hosted S3 storage bucket unprotected online, meaning anyone could view and download text messages, photos, audio recordings, contacts, location data, scrambled passwords and login information, Facebook messages and much more. All of this data had been stolen from victims, most of whom had no idea that they were being spied on, much less that their most sensitive personal data was also on the Internet for everyone to see.

Other stalkerware companies that over the years have irresponsibly left their customers’ and victims’ data online include FamilyOrbit, which left 281 gigabytes of personal data online protected only by an easy-to-find password; mSpy, which leaked more than 2 million customer records; Xnore, which allowed any of its customers to view the personal data of other customers’ targets, including chat messages, GPS coordinates, emails, photos and more; Mobiispy, which left 25,000 audio recordings and 95,000 images on a server accessible to all; KidsGuard, whose server was misconfigured and which leaked victims’ content; pcTattletale, which, before its hack, also exposed screenshots of victims’ devices uploaded in real time to a website accessible to anyone; and Xnspy, whose developers left credentials and private keys in the apps’ code, allowing anyone to access victims’ data.

Other stalkerware companies that were hacked include Copy9, which saw a hacker steal data from all of its surveillance targets, including text messages and WhatsApp messages, call records, photos, contacts and browsing history; LetMeSpy, which shut down after hackers breached and wiped its servers; Brazil-based WebDetetive, whose servers were also wiped, then hacked again; OwnSpy, which provides much of the backend software for WebDetetive and was also hacked; Spyhide, which had a vulnerability in its code that allowed a hacker to access master databases and years of stolen data from approximately 60,000 victims; and Oospy, a rebrand of Spyhide, which closed its doors for a second time.

Finally, there’s TheTruthSpy, a network of stalkerware apps, which holds the dubious record of having been hacked or leaked data on at least three occasions.

Hacked, but unrepentant

Of those 20 stalkerware companies, eight have closed their doors, according to TechCrunch’s count.

In a first, so far unique, case, the Federal Trade Commission banned SpyFone and its chief executive, Scott Zuckerman, from operating in the surveillance industry following an earlier security breach that exposed victim data. Another stalkerware operation linked to Zuckerman, called SpyTrac, was later shut down following an investigation by TechCrunch.

PhoneSpector and Highster, two other companies that were not hacked, also shut down after the New York attorney general accused the companies of explicitly encouraging customers to use their software for illegal surveillance.

But closing a business doesn’t mean it’s gone forever. As with Spyhide and SpyFone, some of the same owners and developers behind a closed stalkerware maker simply changed their name.

“I think these hacks do things. They accomplish things, they put a stop to it,” Galperin said. “But if you think that if you hack into a stalkerware company they’ll just clench their fists, curse your name, disappear in a cloud of blue smoke and never be seen again, that has certainly not been the case.”

“What happens most often when you manage to kill a stalkerware company is that that stalkerware company springs up like mushrooms after rain,” Galperin added.

There is some good news. In a report last year, security firm Malwarebytes said the use of stalkerware was declining, according to its own data on customers infected with this type of software. Additionally, Galperin reports seeing an increase in negative reviews of these apps, with customers or potential customers complaining that they don’t work as expected.

But Galperin said it’s possible that security companies are no longer as good at detecting stalkerware as they used to be, or that stalkers have moved from software monitoring to physical monitoring enabled by AirTags and other Bluetooth-enabled trackers.

“Stalkerware does not exist in a vacuum. Stalkerware is part of an entire world of technological abuse,” Galperin said.

Say no to stalkerware

Using spyware to monitor your loved ones is not only unethical, but also illegal in most jurisdictions, as it is considered illegal surveillance.

This is already a good reason not to use stalkerware. Then there’s the problem that stalkerware makers have proven time and time again that they can’t secure data – neither data belonging to their customers, nor that of their victims or targets.

In addition to spying on romantic partners and spouses, some people use stalkerware apps to monitor their children. While this type of use, at least in the United States, is legal, that doesn’t mean that using stalkerware to spy on your kids’ phone isn’t creepy and unethical.

Even if it’s legal, Galperin thinks parents shouldn’t spy on their children without telling them and without their consent.

If parents tell their kids and get the go-ahead, they should stay away from insecure and unreliable stalkerware apps, and instead use the parental monitoring tools built into Apple phones and tablets and Android devices, which are safer and operate openly.

If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides free, confidential 24/7 assistance to victims of domestic abuse and violence. If you are in an emergency situation, call 911. The Coalition Against Stalkerware has resources if you think your phone has been compromised by spyware.

techcrunch