A hacktivist has collected more than 500,000 payment records from a provider of a consumer “stalkerware” phone monitoring app, exposing some of the email addresses and payment information of customers who paid to spy on others.
The deal includes payment records for phone tracking services like Geofinder and uMobix, services like Peekviewer (formerly Glassagram) that purports to give access to private Instagram accounts, and several other monitoring and tracking apps from the same vendor, a Ukrainian company called Struktura.
The customer data also includes transaction records from Xnspy, a phone surveillance app that leaked personal data from the Android devices and iPhones of tens of thousands of unsuspecting people in 2022.
This is the latest example of a monitoring vendor leaking customer information due to a security flaw. Over the past few years, dozens of stalkerware apps have been hacked and people's personal data (often the victims themselves) have been lost, leaked, or exposed thanks to sloppy cybersecurity practices by stalkerware operators.
Contact Zack Whittaker securely via Signal username zackwhittaker.1337. Contact Lorenzo Franceschi-Bicchierai securely on Signal (+1 917 257 1382) or Telegram, Keybase and Wire @lorenzofb or email.
Once planted on someone's phone, stalkerware apps like uMobix and Xnspy upload and share the victim's personal data, including call logs, text messages, photos, browsing history, and precise location data, with the person who planted the app.
Apps like UMobix and Xnspy explicitly advertise their services to spy on spouses and domestic partners, which is illegal.
The data seen by TechCrunch included approximately 536,000 customer email addresses, the apps and brands they paid for, the amount they paid, the type of payment card (such as Visa or Mastercard), and the last four digits of the card. Customer records did not include payment dates.
TechCrunch verified the authenticity of the data by obtaining several transaction records, including disposable email addresses, in public inboxes such as Mailinator, and running those records through various password reset portals provided by various monitoring apps. By resetting the passwords for the accounts associated with public email addresses, we determined that these were genuine accounts.
We also verified the data by matching each transaction's unique invoice number from the leaked dataset to the monitoring vendor's checkout page. This is possible because the checkout page allows you to retrieve the same customer and transaction data from the server without requiring a password.
The hacktivist, who goes by the nickname “Wicked,” told TechCrunch that he scraped data from stalking software vendors thanks to a “minor” bug in the website. The hacktivist said he “enjoys targeting apps used to spy on people,” and then published the scraped data on known hacking forums.
The hacking forum listing lists the surveillance vendor as Ersten Group, which describes itself as a UK-based software development startup.
TechCrunch discovered that several email addresses in the dataset used for testing and customer support referenced Struktura, a Ukrainian company with the same website as Ersten Group. The oldest record in the dataset contains the email address of Struktura's CEO, Viktoriia Zosim, whose transaction amount was $1.
Representatives for Elsten Group did not respond to requests for comment. Struktura's Zosim did not respond to requests for comment.