“As a result of the attack, criminals gained access to email addresses, telephone numbers and the content of messages collected on the accounts,” LetMeSpy said in an announcement on its website. The breach occurred on June 21, 2023.
After discovering the hack, LetMeSpy said it notified law enforcement and data protection authorities. It is also taking steps to suspend all account-related operations until further notice. The identity of the threat actor and their intentions are currently unknown.
The work of a Polish company named Radial, LetMeSpy is offered as a monthly subscription ($6 for Standard or $12 for Pro), allowing its customers to spy on others by installing the software on their devices. An Internet Archive snapshot from December 2013 shows that it was presented as a tool for parental or employee control.
LetMeSpy comes with a wide range of features to collect call logs, SMS messages and geolocations, all of which can be accessed from the website. In an effort to avoid detection and removal, the app’s icon may be hidden from the device’s home screen launcher.
As of January 2023, the stalkerware app had been used to track 236,322 phones worldwide and to collect over 63.5 million text messages, 39.7 million call logs, and 43.2 million locations.
Polish security research blog Niebezpiecznik, which first reported the breach and analyzed the dump of stolen data, said it included about 26,000 email addresses, 16,000 SMS messages and a database of victims’ locations.
A further review of the leaked information by TechCrunch revealed that the data dates back to 2013, when LetMeSpy was operational. The records also include data from at least 13,000 compromised devices. Most of the victims are located in the Americas, India and parts of Africa.