Cyber Incident Victim: Radeal
Date:
Jun 2023
Location:
United States of America
Summary
A cyberattack on Radeal, the Polish developer of the LetMeSpy Android stalkerware application, resulted in the theft of extensive data belonging both to the people who ran the software and to the people it monitored. The compromised information included account holders' email addresses, phone numbers, user IDs, password hashes and IP addresses, together with the call logs, text message content and geolocation logs harvested from monitored devices. The breach exposed data from thousands of phones on which the application had been installed to track their owners covertly. Radeal suspended account functions and informed law enforcement of the incident.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 6 motives | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On or around June 28, 2023, the Polish application development company Radeal, creator of the Android monitoring software LetMeSpy, publicly disclosed that it had suffered a significant cyberattack. The company posted an incident notice directly on the application's login page, stating that the incident involved unauthorized access to the data of the website's users. As a result of the attack, the perpetrators exfiltrated a substantial volume of sensitive information from Radeal's systems.

LetMeSpy is a free application for Android devices whose stated purpose is parental control and employee monitoring. In practice it functions as stalkerware: once installed on a device, it lets the installer spy on the device's owner, typically without that person's knowledge or consent. The feature that makes covert use possible is its ability to hide its icon from the home screen after installation, which hampers both detection and removal by the monitored person. The application continuously collects personal data from the phone, including detailed call logs, the content of text messages and the device's precise location, and uploads it to servers operated by Radeal, where the person who installed the software can view it and track the monitored person in near real time.
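The combination the paragraph describes, an app that holds SMS, call-log and location permissions yet has no launcher icon, is the signal a triage engineer looks for when checking a phone for stalkerware. The script below is an added example and is not code from the page, from Radeal or from any researcher cited here. It parses a simplified, constructed excerpt in the shape of `adb shell dumpsys package` output (hypothetical package names; the real command prints far more, so the regexes are an assumption to adapt) and flags packages that hold at least two of the three surveillance permission groups while exposing no LAUNCHER activity. Caveat: an app can disable its launcher component after install rather than omit it from the manifest, so the presence of the intent filter in the dump is treated here as a sufficient but not necessary sign that an icon is visible.

```python
"""Stalkerware triage heuristic over dumpsys-style package output (added example)."""
import re
from dataclasses import dataclass, field

# Real Android permission names, grouped by the data categories the breach
# report says LetMeSpy collected: SMS content, call logs and geolocation.
SURVEILLANCE_GROUPS = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "calls": {"android.permission.READ_CALL_LOG"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_BACKGROUND_LOCATION"},
}

@dataclass
class PackageInfo:
    name: str
    granted: set = field(default_factory=set)
    has_launcher: bool = False

# Assumed line shapes: 'Package [name] (...)', '<perm>: granted=true, ...' and a
# 'Category: "android.intent.category.LAUNCHER"' line under the resolver table.
PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
PERM_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")

def parse_dumpsys(text: str) -> list[PackageInfo]:
    """Parse a simplified multi-package dump into PackageInfo records."""
    pkgs: list[PackageInfo] = []
    cur = None
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            cur = PackageInfo(m.group(1))
            pkgs.append(cur)
            continue
        if cur is None:
            continue
        m = PERM_RE.match(line)
        if m and m.group(2) == "true":
            cur.granted.add(m.group(1))
        elif "android.intent.category.LAUNCHER" in line:
            cur.has_launcher = True
    return pkgs

def surveillance_groups(pkg: PackageInfo) -> list[str]:
    """Names of the surveillance groups for which the package holds a granted permission."""
    return sorted(g for g, perms in SURVEILLANCE_GROUPS.items() if pkg.granted & perms)

def flag_stalkerware(pkgs: list[PackageInfo], min_groups: int = 2) -> dict[str, list[str]]:
    """Return {package: groups} for apps with no launcher icon that hold
    at least min_groups of the surveillance permission groups."""
    flagged = {}
    for p in pkgs:
        groups = surveillance_groups(p)
        if not p.has_launcher and len(groups) >= min_groups:
            flagged[p.name] = groups
    return flagged

# Constructed sample with hypothetical package names; not real device output.
SAMPLE_DUMP = """
Package [com.example.sysmonitor] (1a2b3c):
  runtime permissions:
    android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
    android.permission.READ_CALL_LOG: granted=true, flags=[ USER_SET ]
    android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
Package [com.example.messenger] (4d5e6f):
  Activity Resolver Table:
    android.intent.action.MAIN:
      Category: "android.intent.category.LAUNCHER"
  runtime permissions:
    android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
    android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
Package [com.example.weatherwidget] (7a8b9c):
  runtime permissions:
    android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
    android.permission.READ_CALL_LOG: granted=false, flags=[ USER_SET ]
"""

if __name__ == "__main__":
    for name, groups in flag_stalkerware(parse_dumpsys(SAMPLE_DUMP)).items():
        print(f"{name}: no launcher icon, collects {', '.join(groups)}")
```

Only `com.example.sysmonitor` is flagged: the messenger holds SMS and location permissions but is visible in the launcher, and the widget has location only. On a real device the same logic would be run over `adb shell dumpsys package` for each package, and a hit is a lead for manual review rather than a verdict.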
According to security researcher Maia Arson Crimew, who received a copy of the data allegedly taken in the attack, the scope of the compromise was extensive. The attackers obtained the email addresses and telephone numbers of the individuals who had created LetMeSpy accounts, together with the data siphoned from the monitored phones: the content of collected text messages, comprehensive call logs and detailed location logs. The compromise also extended to technical and administrative records, including user IDs, hashed passwords, IP addresses, payment logs and specific phone information. Crimew also noted that the global configuration data for the LetMeSpy website was part of the stolen data set.
The compromised records also gave insight into the scale of the LetMeSpy operation. The data indicated that the application had been installed on approximately 10,000 phones, although a significant share of these devices never sent any subsequent activity update to the servers, suggesting that many installations were inactive or abandoned. The stolen data also revealed who had subscribed to the service. Crimew's review identified at least three government workers, a police officer from Broussard, and an employee of a rival stalkerware company among the registered accounts, though these accounts did not appear to have been actively used. A notable finding was that a significant number of users were college students in the United States, with the implication that they were likely using the software to spy on their partners.
In immediate response to the discovery of the cyberattack, Radeal took containment actions. The company suspended all account-related functions of the LetMeSpy website. This action effectively disabled the ability for users to access their accounts and the data collected from the monitored devices, a step taken to prevent further unauthorized access and to secure the systems while the incident was addressed. Radeal communicated that these functions would be restored only after the company had successfully mitigated the ongoing attack and secured its infrastructure. Furthermore, Radeal followed standard incident response protocol by informing relevant law enforcement agencies about the breach.
The primary impact of the incident was the theft of a large trove of highly sensitive personal information. The victims of the breach are twofold: the individuals who registered for the LetMeSpy service and, more significantly, the thousands of people who had the spyware installed on their phones without their knowledge. For the monitored individuals, the compromise placed their private communications, including the contents of their text messages and their call histories, together with their precise movements as recorded in the location logs, in the hands of unauthorized actors. For the users who installed the software, their account details, including email addresses and telephone numbers, were also exposed. The exposure of password hashes and payment logs created additional risk for those account holders: any weakly hashed or reused password is open to offline cracking and credential stuffing against other services. The theft of the site's global configuration data also posed a significant risk to the integrity of the LetMeSpy platform itself. The incident illustrates the secondary privacy risk inherent in stalkerware: a security failure at the central operator exposes the surveillance victims to a further, wider breach of their most intimate personal data.
