Spyware app LetMeSpy hacked, tracked user data posted online

Stalkerware-type app LetMeSpy says it has been hacked, with the attacker taking user data with it.

From the message posted to the login screen on the LetMeSpy website:

On June 21, 2023, a security incident occurred involving obtaining unauthorized access to the data of website users.

As a result of the attack, the criminals gained access to e-mail addresses, telephone numbers and the content of messages collected on accounts.

To be clear, much of the data that was stolen came from phones that have the tracking app on them, and the app has likely been installed without the phone owner’s knowledge. That’s because LetMeSpy is often invisible to the phone’s owner.

So as long as someone can get quick access to install an app on your Android phone, they can monitor you. Once the app is on your phone, you often can’t tell it’s there. However, in the background, it is maliciously uploading all your calls, texts, and location to the LetMeSpy servers, which are what has now been hacked.

These sorts of apps have been used by people wanting to monitor their partner’s movements, along with parents and employers.

Polish site Niebezpiecznik first reported the breach. The blog said the database file, which was later dumped online, contained:

  • 26,000+ email addresses of the tool’s “operators” along with hashes of their passwords
  • 16,000+ text messages, including passwords and codes for various services
  • Telephone numbers of people who had contacted the tracked phones
  • Telephone numbers of the people whom the tracked phone owner had called (along with the names associated with them in the contacts list)
  • Database dump in SQL format, containing more data, including locations

Adam Sanocki, spokesman for the Polish data protection authority UODO, confirmed to TechCrunch that it had received a breach notice from LetMeSpy. In many breaches, the affected company should inform users that their data has been breached. But the users of the service here are the ones tracking people, and, sadly, it’s unlikely they’re going to let the people they are spying on know that their data has been taken.

How to prevent spyware and stalkerware-type apps

  • Set a screen lock on your phone and don’t let anyone else access it
  • Keep your phone up-to-date. Make sure you’re always on the latest version of your phone’s software.
  • Use an antivirus on your phone. Malwarebytes for Android shows you exactly what information you’re sharing with each app on Android, so you can keep an eye on your privacy. Malwarebytes detects the LetMeSpy app as Android/Monitor.LetMeSpy.

Coalition Against Stalkerware

Malwarebytes is a founding member of the Coalition Against Stalkerware. We continue to share intelligence with the Coalition Against Stalkerware to improve industry-wide detections while also guiding the domestic abuse support networks within the coalition through thorny, technical questions of detection, removal, and prevention.
