Commercial spyware company pcTattletale has been hacked, and the data it stole from its victims was published on the website, which was also defaced.
Commercial spyware, also known as stalkerware or spouseware, is software designed to spy on people and is, in essence, very similar to malware. A person (or entity) purchases the software from the vendor's website and secretly installs it on the target device. After that, the software sends sensitive data from the device to the purchaser, including location data, messages, call logs, documents, and more.
This type of software is often advertised as a way for parents to monitor their children's online activity or track them while they are away from home. However, it is often used by distrustful spouses, people with malicious intentions, and the like.
Legal battles
According to TechCrunch, the anonymous hacker who breached pcTattletale did so by tricking the program's servers into revealing private keys for the Amazon Web Services account. The same post also said that an independent security researcher warned about a vulnerability they had discovered in the app a few days earlier.
Apparently, the company didn't bother to fix the bug, but the hacker didn't abuse it in the attack either, instead finding a different vector. The hacker did not provide a specific motive for the attack, the report added.
Neither the company nor its founders have commented on the breach yet. The website is currently offline and inaccessible.
In early 2024, two notorious stalkerware apps had their websites and entire infrastructure taken offline: PhoneSpector and Highster. Both were forced to pull the plug after legal proceedings against their owner, Patrick Hinchy.
At the time, media reported that Hinchy, who ran several technology companies, developed the two stalkerware apps and was accused of “aggressively” promoting them.
New York Attorney General Letitia James argued that the companies published blogs that “explicitly encouraged” people to use these apps to spy on their loved ones. During the proceedings, Hinchy relented and settled with the state, agreeing to pay a fine and notify device owners that their phones are being tracked. He was also forced to pay $410,000.