Cyber Incident Victim: TheTruthSpy
Date: Feb 2018
Location: United States of America
Summary
A hacker compromised servers of TheTruthSpy, a consumer spyware firm openly marketing products for monitoring partners, stealing extensive sensitive data including customer credentials, intercepted communications, location information, and media files. The attacker exploited a vulnerability discovered through reverse-engineering the company's Android app, gaining administrative access that exposed over 10,000 accounts and highlighted inadequate security measures like plaintext credential storage. The breach revealed risks to both surveillance victims and perpetrators, with compromised customer credentials enabling potential access to external accounts like email or payment services. This incident reflects broader security failures within the consumer spyware industry, where multiple similar providers have been breached, exposing ethically questionable practices and operational vulnerabilities. The company did not respond to inquiries regarding the incident.
Description
In February 2018, a hacker identifying themselves as L.M. breached the servers of TheTruthSpy, a consumer spyware company openly marketing its products to individuals seeking to monitor spouses or partners without consent. L.M. gained administrative control over TheTruthSpy's infrastructure, exfiltrating extensive data including customer account credentials, intercepted audio recordings, text messages, location histories, social media communications, and photographs from compromised devices. The hacker claimed access to records of more than 10,000 customers and their victims, asserting control over "victims all over the world." L.M. attributed the breach to poor security practices by TheTruthSpy, criticizing the company's prioritization of surveillance capabilities over data protection. Motherboard verified the breach in August 2018 by testing a sample of stolen credentials; approximately half of the email addresses were confirmed as active TheTruthSpy accounts by checking whether each address was already registered with the service. The hacker lost access after TheTruthSpy updated its servers; the company did not respond to multiple requests for comment regarding the incident.

The breach occurred after L.M. reverse-engineered TheTruthSpy’s Android application, identifying a vulnerability that allowed access to a media server containing audio files labeled with victim device IDs and timestamps. By automating web requests using these IDs, L.M. harvested plaintext usernames and passwords for all customer accounts. The hacker noted that many customers reused these credentials for email, PayPal, and Amazon accounts, creating opportunities for financial exploitation or ransomware attacks, though L.M. claimed not to have monetized the access. This incident marked the seventh compromise of a consumer spyware vendor within two years, exposing systemic security deficiencies across an industry frequently criticized for enabling domestic abuse. TheTruthSpy had previously promoted its software as "undetectable" and "silent" in blog posts advising users on spying on "cheating" partners, a marketing approach that led to criminal charges against executives of comparable firms like StealthGenie in 2014 under U.S. laws prohibiting the sale of spyware for surveillance between adults.
