Commercial spyware firm pcTattletale has been hacked, with data it stole from its victims published on the website, which was also defaced.
Commercial spyware, also known as stalkerware, or spouseware, is a piece of software designed to spy on people, and in essence is very similar to malware. A person (or an entity) purchases the software from the website, and secretly installs it on the target device. After that, the software leaks sensitive data to the owner, including location data, messages, call logs, documents, and more.
This type of software is often advertised as a way for parents to monitor their kids’ online activity, or keep track of them while they are away from home. However, it is usually used by untrusting spouses, people with malicious intent, and the like.
Legal battles
According to TechCrunch, the unnamed hacker who breached pcTattletale did it by tricking the program’s servers into giving away private keys for the Amazon Web Services account. The same publication also said that a separate security researcher warned about a vulnerability they had discovered in the app a few days prior.
Apparently, the company did not bother fixing the bug, but the hacker did not abuse it in the attack either, and instead found a different vector. The hacker did not provide a specific motive for the attack, the report added.
Neither the company nor its founders have commented on the breach yet. The website is currently offline and inaccessible.
Earlier in 2024, two notorious stalkerware apps had their websites and all other infrastructure pushed offline – PhoneSpector, and Highster. Both were forced offline after a legal process against their owner, Patrick Hinchy.
At the time, the media reported that Hinchy ran multiple technology companies that developed the two stalkerware apps, and that he was accused of “aggressively” promoting them.
New York Attorney General Letitia James argued that the companies published blogs that “explicitly encouraged” people to use these apps to spy on their significant others. During the process, Hinchy folded and settled with the State, agreeing to pay a fine and to notify device owners that their phones are being tracked. He was also forced to pay $410,000.