Stalkerware Breaches: A Growing Threat to Privacy and Security

In recent years, stalkerware companies have increasingly found themselves vulnerable to cyberattacks and significant data exposures. At least 23 such companies have suffered from hacking incidents or considerable leaks of sensitive data. These incidents expose the personal information of countless individuals, raising pressing concerns over privacy and security. Notably, companies such as SpyHuman, SpyFone, and mSpy have been at the forefront of these vulnerabilities, with hackers exploiting weaknesses in their systems to access sensitive user data.

SpyHuman, an India-based stalkerware vendor, suffered a data breach in 2023 in which hackers stole text messages and call metadata. This breach highlights the critical vulnerabilities present within the stalkerware industry. Similarly, SpyFone's lack of adequate security measures led to significant exposure when it left an Amazon-hosted S3 storage bucket unprotected online, exposing a trove of sensitive customer data to anyone with the means to access it.

FamilyOrbit inadvertently left 281 gigabytes of personal data online, secured only by a password that was easily discoverable. The incident underscores the negligence in securing private data that is pervasive among stalkerware companies. In another instance, mSpy leaked over 2 million customer records in 2018, illustrating a recurring pattern of inadequate data protection.

Xnore, another company in the sector, experienced a breach that allowed customers to view personal data of other users' targets, including chat messages and GPS coordinates. This breach not only compromised individual privacy but also highlighted ethical concerns regarding the use of such software.

MobiiSpy's lack of security led to 25,000 audio recordings and 95,000 images being accessible to anyone who knew where to look. Such exposure raises questions about the potential misuse of personal data collected by stalkerware applications. Similarly, KidsGuard had a misconfigured server that leaked victims' content, further emphasizing the industry's widespread security issues.

pcTattletale exposed screenshots of victims' devices uploaded in real time to a publicly accessible website. This breach underscores the lack of privacy protections for individuals monitored by these applications. Xnspy's developers left sensitive credentials and private keys within the app's code itself, allowing unauthorized access to victims' data.

Cocospy and Spyic both left victims' messages, photos, call logs, and other personal data exposed online due to inadequate security measures. Copy9 suffered a breach where hackers stole all surveillance target data, including text and WhatsApp messages.

Some companies have faced severe consequences following breaches. LetMeSpy shut down after hackers breached and wiped its servers entirely. WebDetetive experienced similar turmoil when its servers were hacked and wiped twice. mSpy's history of breaches includes an incident that exposed millions of customer support tickets containing personal data.

Eva Galperin, a vocal advocate against stalkerware, explained the broader implications of these vulnerabilities:

"Stalkerware does not exist in a vacuum. Stalkerware is part of a whole world of tech-enabled abuse." – Eva Galperin

Galperin noted that hacking incidents might disrupt operations temporarily:

"I do think that these hacks do things. They do accomplish things, they do put a dent in it." – Eva Galperin

However, she cautioned against assuming these breaches would eliminate stalkerware:

"But if you think that if you hack a stalkerware company, that they will simply shake their fists, curse your name, disappear in a puff of blue smoke and never be seen again, that has most definitely not been the case." – Eva Galperin

She painted a picture of resilience within the industry:

"What happens most often, when you actually manage to kill a stalkerware company, is that the stalkerware company comes up like mushrooms after the rain." – Eva Galperin

One hacker involved in previous compromises expressed determination to continue exposing stalkerware vulnerabilities:

"I’m going to burn them to the ground, and leave absolutely nowhere for any of them to hide." – A hacker involved in a previous compromise

The hacker further elaborated on their hopes for the industry's downfall:

"I hope they’ll fall apart and fail as a company, and have some time to reflect on what they did. However, I fear they might try and give birth to themselves again in a new form. But if they do, I’ll be there." – A hacker involved in a previous compromise
