Spyware Company That Marketed to Domestic Abusers Gets Hacked

A hacker broke into the servers of TheTruthSpy, one of the most notorious stalkerware companies out there, and stole logins, audio recordings, pictures, and text messages, among other data.

|
Aug 28 2018, 6:08pm

Image: Shutterstock

This story is part of When Spies Come Home, a Motherboard series about powerful surveillance software ordinary people use to spy on their loved ones.

A company that sells spyware to consumers specifically and openly marketing its product to domestic abusers got hacked.

The hacker, who only goes by the initials L.M., told Motherboard in February that he gained access to the servers of TheTruthSpy, a company that sells an Android and iOS spy app to consumers,. The hacker was able to steal logins and passwords, pictures, audio recordings intercepted from victim’s phones, text messages, location information, and social media chats, among other data.

“I control victims all over the world,” the hacker told me a few months ago, when they first reached out claiming they had compromised the company. “I [have] admin access to the servers.”

L.M. said there are “more than 10,000” TheTruthSpy customer accounts.

Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at lorenzofb@jabber.ccc.de, or email lorenzo@motherboard.tv

Motherboard was able to verify the breach this week after L.M. shared a sample of usernames and logins of TheTruthSpy customers. We verified that around half of those were active TheTruthSpy accounts by attempting to use their respective email address to create a new account. In many cases this was not possible, with the site saying a user with that address already exists.

“They take care about how to spy, and not take care about how they secure the attackers’ and victims’ privacy,” L.M. told me in an online chat, criticizing the company.

The hacker said he lost access recently when TheTruthSpy updated its servers.

TheTruthSpy did not respond to multiple requests for comment sent via its official website’s contact form.

A screenshot of a blog post published by TheTruthSpy.

This is the seventh company that sells spyware to average consumers that’s been breached in the last two years. Several hackers have targeted the sketchy industry of consumer spyware, exposing their mediocre security and questionable ethics. TheTruthSpy has often been used as an example of a questionable player in the industry. The company has published several blog posts pitching its products as a solution to “spy on your cheating husband,” given that it’s “undetectable” and “silent.”

“Although there are a handful of companies marketing substandard Husband spy programs on the market today, there exists a few genuine products as well that are worth considering,” a company blog post reads. “One of my favorite software to spy on your cheating husband is TheTruthSpy which is known for its quality and top notch features.”

The founder of StealthGenie, another company that openly marketed its spyware to abusive partners, was arrested and indicted in 2014. In the United States, selling spyware to parents or employers is not considered illegal. But if a company markets its product to adults for use on other adults, that’s considered a crime.

Read More: When Technology Takes Hostages: The Rise of 'Stalkerware'

L.M. said he was able to hack into the company’s media server after reverse engineering the Android app and finding a vulnerability. Inside the media server, L.M. said he saw the unique IDs of all customers within audio files, which were named “cell phone ID_date_time.”

At that point, the hacker said, they requested the user credentials by sending the ID to the company servers with a web request that returned usernames and passwords in plaintext. With a script to automate that process, L.M. said he harvested all the customers’ credentials.

“Any black hat hacker can fuck them and turn their life into a hell.”

The hacker warned that a lot of the customers re-used the same passwords for their email, PayPal or Amazon accounts. L.M. said he logged into those accounts but did not steal any money.

“This data is very dangerous. You can know everything about any person, and also you know the attacker identity. It is very easy to ransomware them, and gain a lot of dirty money,” L.M. told me. “Any black hat hacker can fuck them and turn their life into a hell.”

Joseph Cox contributed reporting.

Solve Motherboard’s weekly, internet-themed crossword puzzle: Solve the Internet.