Android-based phone monitoring app LetMeSpy has disclosed a security breach that allowed an unauthorized third-party to steal sensitive data associated with thousands of Android users.
"As a result of the attack, the criminals gained access to email addresses, telephone numbers and the content of messages collected on accounts," LetMeSpy said in an announcement on its website, noting the incident took place on June 21, 2023.
Following the discovery of the hack, LetMeSpy said it notified law enforcement and data protection authorities. It's also taking steps to suspend all account-related functions until further notice. The identity of the threat actor and their motives are currently unknown.
The work of a Polish company named Radeal, LetMeSpy is offered as a monthly subscription ($6 for Standard or $12 for Pro), allowing its customers to snoop on others simply by installing the software on their devices. An Internet Archive snapshot from December 2013 shows that it's billed as a tool for parental or employee control.
LetMeSpy comes with a wide range of features to collect call logs, SMS messages, and geolocations, all of which can be accessed from the website. In an attempt to evade detection and removal, the app's icon can be hidden from the device's home screen launcher.
As of January 2023, the stalkerware app has been used to track 236,322 phones across the world, harvesting over 63.5 million text messages, 39.7 million call logs, and 43.2 million locations.
Polish security research blog Niebezpiecznik, which first reported the breach and analyzed a dump of the stolen data, said it includes about 26,000 email addresses, 16,000 SMS messages, and a database of victims' locations.
A further review of the leaked information by TechCrunch has revealed that the data goes all the way back to 2013, when LetMeSpy became operational. The records also contain data from at least 13,000 compromised devices. A majority of the victims are located in the U.S., India, and parts of Africa.
LetMeSpy to Shut Down on August 31, 2023
Radeal, the company behind the spyware app known as LetMeSpy, said it intends to permanently discontinue the service effective August 31, 2023, following a data breach that took place in June.
"The breach consisted of unauthorized access to the LetMeSpy website's database, downloading and at the same time deleting data from the website by the author of the attack," the company said in a notice at the time.
Following the incident, the Polish firm said it had taken steps to block user account access as well as disabling the options to login and sign up. Users who have their data with LetMeSpy are recommended to directly contact the company at ibd@radeal[.]pl.
"After the expiration of retention period under the applicable law, the data stored in user accounts will be deleted," it further added. The exact data retention period is unclear, with its privacy policy stating: "we will process your personal data not longer than until you have effectively objected to such processing."
