TechCrunch reports that a little-known Minnesota-based spyware company has been hacked, revealing that thousands of devices around the world were under covert remote surveillance by the company.
A person with knowledge of the breach provided TechCrunch with a cache of files taken from Spytech's servers, including detailed device activity logs for phones, tablets and computers monitored by Spytech, with some files dating as recently as early June.
TechCrunch confirmed the data was authentic by analyzing some of the leaked device activity logs relating to the company's CEO, who installed spyware on one of his devices.
According to the data, Spytech's spyware, including Realtime-Spy and SpyAgent, has been used to compromise more than 10,000 devices around the world, including Android devices, Chromebooks, Macs and Windows PCs, since the first leaked records in 2013.
Spytech is the latest spyware manufacturer to be hacked in recent years, and the fourth known spyware manufacturer to be hacked this year alone, according to a TechCrunch tally.
Asked for comment, SpyTec CEO Nathan Polenczyk told TechCrunch in the email that this was “the first time I've heard about the breach, but we haven't seen any of the data that you've seen, so all I can say at this point is we're investigating everything and will take appropriate action.”
Spytech is a maker of remote access apps (also known as “stalkerware”) that are marketed as helping parents monitor their children's activities, but also for spying on spouses' and partners' devices. Spytech's website openly advertises its products for spouse monitoring, promising to “monitor your spouse's suspicious behavior.”
While it is not illegal to monitor the activities of children or employees, it is illegal to monitor a device without the owner's consent, and both spyware operators and spyware customers have been prosecuted for selling and using spyware.
Stalkerware apps are typically planted by someone with physical access to the user's device, often knowing the passcode. The apps' hidden nature makes them difficult to detect and remove. Once installed, the spyware sends keystrokes, screen taps, web browsing history, device activity usage, and, in the case of Android devices, detailed location information to a dashboard controlled by the person who planted the app.
The compromised data, seen by TechCrunch, includes logs of all devices under Spytech's control, along with records of each device's activity. Most of the devices infected with the spyware were Windows PCs, with a smaller number of Android devices, Macs, and Chromebooks.
Activity logs on the devices we reviewed were not encrypted.
TechCrunch analyzed location data from hundreds of compromised Android phones, plotting the coordinates with an offline mapping tool to protect victims' privacy. The location data sheds some light, though not all, on where at least some of Spytech's victims are located.
Hundreds of Android devices infected with Spytech spyware are plotted on a world map. Image credit: TechCrunch
Analysis of mobile-only data reveals that Spytech has large clusters of monitored devices across Europe and the US, as well as localised devices across Africa, Asia, Australia and the Middle East.
One of the records associated with Polencheck's administrator account contains the precise location of his home in Red Wing, Minnesota.
While the data includes a large amount of sensitive and personal information taken from personal devices – some of whom may not have been aware that their devices were being monitored – it does not contain enough identifying information about each compromised device to enable TechCrunch to notify victims of the breach.
When asked by TechCrunch, Spytech's CEO declined to say whether the company plans to notify customers, people whose devices were monitored, or US state authorities as required by data breach notification laws.
A spokesman for the Minnesota Attorney General's Office did not respond to a request for comment.
SpyTec's history dates back to at least 1998. The company operated mostly under the radar until 2009, when an Ohio man was convicted of using SpyTec spyware to infect the computer systems of a nearby children's hospital and target the email account of his former partner, who worked there.
When the ex-partner opened the attached spyware, it infected the children's hospital's systems and, prosecutors say, collected sensitive health information, according to local media reports at the time and court records reviewed by TechCrunch. The person who sent the spyware pleaded guilty to unlawful interception of electronic communications.
Spytech is the second US-based spyware manufacturer to suffer a data breach in recent months. In May, Michigan-based pcTattletale was hacked and its website defaced, after which the company shut down and deleted its stores of victim device data rather than notifying affected individuals.
Data breach notification service Have I Been Pwned subsequently obtained a copy of the compromised data and listed 138,000 customers signed up to the service.
If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) offers free, confidential support to victims of domestic abuse and violence 24/7. In an emergency, call 911. If you believe your phone has been compromised by spyware, the Coalition Against Stalkerware has resources.