TheTruthSpy, an infamous seller of iOS and Android spyware apps, has been hacked. The company has been criticized for selling spyware primarily to domestic abusers and for openly marketing it to them. It markets its spyware as the best solution for spying on cheating husbands and claims the software is undetectable. Yet the company couldn’t protect its own website from being targeted by an unknown hacker.
Reportedly, TheTruthSpy was hacked by a person who identifies himself by the initials L.M. The hacker informed Motherboard that he managed to obtain access to the company’s servers in February 2018. He not only accessed the servers but also stole login IDs, passwords, audio files, photos, location information, text message content, social media chats, and other data. The audio files were intercepted conversations recorded from victims’ phones.
L.M. hacked into TheTruthSpy’s media server using reverse engineering tactics. He managed to reverse engineer the Android app to identify a flaw within the server. Once the server was infiltrated, L.M. discovered unique IDs of many customers along with audio files titled “cell phone ID_date_time.”
The hacker bragged that for many months he was able to control “victims all over the world.” He had admin access to the company’s servers and had over 10,000 TheTruthSpy customer accounts in his control. He also noted that many of the customers were re-using the same passwords for their email, Amazon, and PayPal accounts. He said that although he could easily have stolen money, he didn’t do so.
“This data is very dangerous. You can know everything about any person, and also you know the attacker identity. It is very easy to ransomware them, and gain a lot of dirty money,” stated L.M.
Motherboard verified the data breach this week after obtaining a sample of login credentials from L.M. Around half of them were active customer accounts of TheTruthSpy. To verify the data, Motherboard used the email addresses that customers provided at the time of registration. But this wasn’t possible in all cases, as not all email addresses matched.
L.M. recently lost access to TheTruthSpy’s servers after the company updated them. L.M. harshly criticized the company’s lack of respect for user privacy and the security of private data. In an online chat with Motherboard, L.M. stated:
“They take care about how to spy, and not take care about how they secure the attackers’ and victims’ privacy.”
This isn’t the first time a spyware seller has fallen victim to a targeted attack; it is the seventh in the list of data breaches involving spyware firms in the last two years. TheTruthSpy is already a controversial player in the tech industry and has now probably gotten a taste of its own medicine.