US-made consumer spyware app pcTattletale has been hacked and its internal data published on its own website, according to the hacker who claimed responsibility for the intrusion.
Hackers posted a message on pcTattletale's website late Friday, claiming to have hacked the server on which pcTattletale operates. The spyware maker's website briefly linked to files from the company's servers that appeared to contain stolen victim data. TechCrunch is not linking to the site due to the ongoing risk to victims whose personal information has already been exposed by the spyware.
pcTattletale founder Brian Fleming did not respond to an email seeking comment, and it's unclear whether Fleming is able to receive emails because the company's service is down.
The hackers did not disclose a specific motive for the intrusion. The hack came days after a security researcher said he had discovered and reported a vulnerability in the spyware app itself that would allow screenshots of the infected device to be leaked. Researcher Eric Daigle said he did not disclose specific details about the flaw because pcTattletale ignored requests to patch the vulnerability.
The hackers who compromised and defaced pcTattletale's website did not exploit the vulnerability Daigle discovered, but said they were able to trick pcTattletale's server into handing over the private key to an Amazon Web Services account that would allow access to the spyware's operations.
pcTattletale is a type of remote access app often referred to as “stalkerware” due to its ability to track people without their knowledge or consent, allowing its hater to remotely view a target's Android or Windows device and its data from anywhere in the world. According to pcTattletale, the app “runs invisibly in the background of your workstation, making it undetectable.” Spyware apps are, by their very nature, stealthy and difficult to identify and remove.
Earlier this week, TechCrunch revealed that pcTattletale had broken into front desk check-in systems at Wyndham hotels across the U.S., leaking guest details and screenshots of customer information. Wyndham did not say whether it allowed its franchise hotels to use the spyware app on their systems.
This is the latest example of a spyware manufacturer losing control of the sensitive personal data they harvested from victims' devices. According to a running tally by TechCrunch, more than a dozen spyware and stalkerware manufacturers have been hacked in recent years, resulting in multiple leaks of victims' personal data.
The list of hacked spyware manufacturers includes “LetMeSpy,” a spyware created by a Polish developer that was shut down in June 2023 after its systems were hacked and back-end data was deleted, as well as “TheTruthSpy,” a phone spyware created and operated by a Vietnamese developer that was hacked again in February.
Hacked spyware manufacturers include KidsGuard, Xnspy, Support King, Spyhide, and now pcTattletale.