
Cyber Incident Victim: LetMeSpy

Date: Jun 2023

Location: United States of America

Summary

A cyberattack on the Polish developer of the LetMeSpy stalkerware application resulted in unauthorized access to sensitive user data, including email addresses, phone numbers, message contents, call logs, geolocation information, password hashes, and payment details. The attackers also exfiltrated global configuration data and records indicating the application was installed on approximately 10,000 devices, though many remained inactive. The stalkerware application, which surreptitiously monitors phone activity by hiding its presence on compromised devices, had its account functions suspended following the breach. Law enforcement was notified of the incident, which exposed information from both surveillance targets and users who installed the monitoring software.


Description

On June 28, 2023, Polish stalkerware developer Radeal disclosed a cyberattack against its LetMeSpy Android monitoring application, resulting in unauthorized access to sensitive user data. LetMeSpy, marketed for parental control and employee monitoring, operated by stealthily collecting call logs, text messages, and device location data from phones where it was installed, then uploading this information to remote servers accessible to the installer. The application concealed its presence by hiding its icon from device home screens, facilitating covert surveillance. Radeal announced the breach via a notification on the LetMeSpy login page, confirming attackers compromised "data of website users" including email addresses, telephone numbers, and the content of messages stored in accounts. The company suspended all account-related website functions following the intrusion and initiated mitigation efforts while notifying law enforcement authorities.


Security researcher Maia Arson Crimew’s analysis of the stolen data revealed the attackers exfiltrated extensive records beyond initially disclosed categories, encompassing call logs, user IDs, password hashes, geolocation logs, IP addresses, payment logs, and phone information. The dataset indicated LetMeSpy had been installed on approximately 10,000 devices globally, though a substantial portion showed no recent activity. Crimew identified compromised accounts belonging to at least three government workers, a Broussard police officer, and an employee of a competing stalkerware firm, though no usage activity was observed from these entities. A significant concentration of affected users consisted of U.S. college students, suggesting potential misuse for intimate partner surveillance. The breach additionally exposed global configuration data for LetMeSpy’s infrastructure. Radeal did not specify the attack vector or provide a timeline for service restoration beyond its initial suspension announcement.
