Spyware Maker LetMeSpy Says a Hacker Stole Client Data, Including Text Messages

LetMeSpy, a provider of monitoring software for Android devices, has issued a security notice to inform customers that a hacker broke into its servers and stole sensitive data.

The vendor advertises its product as making it possible to control a phone from afar, read text messages, see call logs and track the phone’s location – essentially the definition of spyware.

Installing the app requires physical access to the target device and a bit of tinkering with the phone’s permissions to install apps from unofficial sources (aka sideloading).

In a breach notice on its website, the developer says that “on June 21, 2023, a security incident occurred involving obtaining unauthorized access to the data of website users.”

“As a result of the attack, the criminals gained access to e-mail addresses, telephone numbers and the content of messages collected on accounts,” according to the memo.

The company disabled the service immediately after learning it got hacked, noting that it plans to restore functionality once the vulnerability the hacker exploited is patched.

“Additional measures will also be taken to increase the level of data security,” it adds.

The breach was originally reported by Polish news outlet niebezpiecznik.pl, which contacted the company for comment but received an answer from the attacker itself, who claimed to have seized broad access to the spyware maker’s domain. The matter was subsequently reported by TechCrunch.

According to the US publication, a copy of the hacked database appeared online the very day the incident occurred.

Transparency collective DDoSecrets obtained a copy of the data and shared it with TechCrunch for the purposes of journalism. According to the news site, the cache includes “years of victims’ call logs and text messages dating back to 2013.”

The database also includes more than 13,400 location data points for several thousand victims, mostly centered over population hotspots in the US, India and Western Africa.

LetMeSpy says it has notified law enforcement and the Office for Personal Data Protection about the incident. The company instructs users to “exercise extreme caution when receiving suspicious messages.”

Bitdefender strongly recommends Android users refrain from sideloading apps from venues not vetted by Google. Android users should also consider installing a trusted security solution like Bitdefender Mobile Security to stay safe from online threats at all times, including spyware.

Bitdefender Digital Identity Protection lets you instantly find out if your data has leaked in a breach, what type of information was compromised, what risks you face, and whether your information is for sale on the Dark Web.