Stalkerware Vendor Hacked

The stalkerware company LetMeSpy has been hacked:

TechCrunch reviewed the leaked data, which included years of victims’ call logs and text messages dating back to 2013.

The database we reviewed contained current records on at least 13,000 compromised devices, though some of the devices shared little to no data with LetMeSpy. (LetMeSpy claims to delete data after two months of account inactivity.)

[…]

The database also contained over 13,400 location data points for several thousand victims. Most of the location data points are centered over population hotspots, suggesting the majority of victims are located in the United States, India and Western Africa.

The data also contained the spyware’s master database, including information about 26,000 customers who used the spyware for free and the email addresses of customers who bought paying subscriptions.

The leaked data contains no identifying information, which means people whose data was leaked can’t be notified. (This is actually much more complicated than it might seem, because alerting the victims often means alerting the stalker—which can put the victims into unsafe situations.)

Posted on June 28, 2023 at 7:17 AM • 7 Comments

Comments

Ted June 28, 2023 11:09 AM

@Winter
What are your thoughts on this from maia arson crimew:

what’s going to be interesting in this specific case is where the gdpr liability lies, is it on LMS or on the operators to inform victims, if we’re lucky this could already be enough to bring them down. [my emphasis]

At this time, I don’t know if LMS is already down. The TC article says the “[t]he hacker intimated that they deleted LetMeSpy’s databases stored on the server.”

Does the name of the file sent to maia (jaki_kraj_taki_finfisher.tar) mean anything to you?

Winter June 28, 2023 11:38 AM

@Ted

What are your thoughts on this from maia arson crimew:

That is a question for the legal experts.

If the data is not Personal Identifiable Data (PID) and cannot be traced to natural persons, it does not fall under the GDPR. Also, the GDPR only covers Europe and Europeans. So what follows only holds for any data from Europe.

BUT, time-location data is PID, as are call logs. Storing these requires a legal “reason”, e.g., informed consent from the person identified. LetMeSpy is only a data processor, so must rely on the legal status of their clients who are the Data Controllers.

From the context, any PID from Europe would require the clients of LetMeSpy proving legally valid reasons to collect and store the data, which most certainly will be considered PID, which I seriously doubt they could. LetMeSpy is not off the hook in this case as they obviously would know that their clients did collect the data illegally.

Being definitely in the wrong, LetMeSpy would be the target of the police and judicial system.

But all hinges on whether there is data from Europe and whether anyone will find it urgent enough to prosecute.

For instance, several EU countries have shown extremely cavalier attitudes towards prosecuting crimes against women. I would not be very surprised if stalkers would not be effectively prosecuted in these countries.

Ted June 28, 2023 6:05 PM

Thanks @Winter.

BUT, time-location data is PID, as are call logs.

It looks like the data did include call logs, geolocations, IP addresses, payment logs, email addresses, etc.

In their breach notice LMS said they had notified law enforcement and the Polish data protection authority, UODO. (LMS was apparently a Polish developer.)

Here is a toot linking to maia’s blog post. I think the filter may have blocked a direct link to the post due to language in the URL.

lurker June 29, 2023 3:55 PM

@Ted
foo.finfisher.tar

An old one, must still be a good one. I thought I had seen finfisher snooping at my MacOS server earlier than 2008, but that’s when Wikip says it first appeared exploiting a flaw in iTunes.

Ted June 29, 2023 6:43 PM

@lurker
The security research blog that first reported the breach had emailed the company, and the hacker actually responded. They even described the initial attack vector:

“SQL injection in API login. SMS content and phone numbers in the database were encrypted, but I changed the user_id to my own and plaintext of all messages and numbers was visible in the browser.”

https://niebezpiecznik.pl/post/letmespy-android-wyciek-hacked/
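The two flaws the hacker describes in that quote, an SQL injection in the login API followed by a messages lookup that trusted a client-supplied user_id, as an added example in Python. This is not LetMeSpy's code (which is not public); the SQLite schema, the sample rows, the password-hash helper and the function names are constructed for illustration, and each vulnerable handler is shown beside a hardened version.

```python
"""
Added illustration: a toy API backend with (1) an SQL injection in the
login handler and (2) an authorization check that trusts the user_id sent
by the client, each next to the hardened form. All names and data are
constructed; nothing here is taken from a real product.
"""
import hashlib
import hmac
import sqlite3


def _h(pw: str) -> str:
    # Toy password hash; real code uses a salted, slow KDF (argon2/scrypt/bcrypt).
    return hashlib.sha256(pw.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed sample tables standing in for a spyware backend."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, email TEXT UNIQUE, pw_hash TEXT);
        CREATE TABLE messages(id INTEGER PRIMARY KEY, user_id INTEGER, body TEXT);
    """)
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "alice@example.com", _h("alice-pw")),
        (2, "bob@example.com", _h("bob-pw")),
    ])
    db.executemany("INSERT INTO messages VALUES (?, ?, ?)", [
        (1, 1, "sms captured from alice's phone"),
        (2, 2, "sms captured from bob's phone"),
    ])
    return db


# 1. Login, vulnerable: the email is pasted into the SQL text, so a value
#    such as  bob@example.com' --  closes the string and comments out the
#    password clause; the caller is logged in as bob without a password.
def login_vulnerable(db, email: str, password: str):
    sql = ("SELECT id FROM users WHERE email = '%s' AND pw_hash = '%s'"
           % (email, _h(password)))
    row = db.execute(sql).fetchone()
    return row[0] if row else None


# 1. Login, hardened: bound parameters keep the input out of the SQL
#    grammar, and the hash comparison is done in constant time in Python.
def login_safe(db, email: str, password: str):
    row = db.execute("SELECT id, pw_hash FROM users WHERE email = ?",
                     (email,)).fetchone()
    if row and hmac.compare_digest(row[1], _h(password)):
        return row[0]
    return None


# 2. Messages, vulnerable: the owner is a request parameter, the session
#    identity is never consulted, so any logged-in user reads any other
#    user's messages by editing user_id. Encrypting the column at rest does
#    not help here: the server decrypts for whoever asks.
def messages_vulnerable(db, session_user_id: int, requested_user_id: int):
    del session_user_id  # ignored, which is exactly the bug
    return [r[0] for r in db.execute(
        "SELECT body FROM messages WHERE user_id = ?", (requested_user_id,))]


# 2. Messages, hardened: the owner comes from the authenticated session;
#    there is no user_id parameter for the client to tamper with.
def messages_safe(db, session_user_id: int):
    return [r[0] for r in db.execute(
        "SELECT body FROM messages WHERE user_id = ?", (session_user_id,))]


def demo() -> dict:
    """Run both attacks against both versions and collect the outcomes."""
    db = make_db()
    injected = "bob@example.com' --"
    return {
        "sqli_vulnerable": login_vulnerable(db, injected, "wrong"),  # 2 (bob)
        "sqli_safe": login_safe(db, injected, "wrong"),              # None
        "idor_vulnerable": messages_vulnerable(db, 2, 1),            # alice's sms, read as bob
        "idor_safe": messages_safe(db, 2),                           # bob's own only
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

The hardened login also illustrates why a parameterised query alone is the minimum: the password check moves out of SQL into a constant-time comparison, and the messages handler drops the user_id parameter entirely rather than validating it against the session, since an identifier the client never sends is one it cannot tamper with.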

lurker June 30, 2023 1:20 AM

@Ted

SQL injection on API login?
That’s an oldie and a goodie too.
As @Clive might say,
They just never learn …
