Stalkerware slinger LetMeSpy shuts down for good after database robbery

Stalkerware slinger LetMeSpy will shut down for good this month after a miscreant breached its servers and stole a heap of data in June.

In a notice on its homepage, the Polish Android developer "would like kindly inform you that as of August 31, 2023, the letmespy.com website will cease operations."

According to the surveillance-ware maker, its security was comprehensively smashed on June 21 by persons unknown, who downloaded the entire contents of its website database before deleting that information. After that "data security incident," the developer said it had blocked access to user accounts, "for security reasons."

You may not feel that much sympathy for the users of this software – the people who download and install LetMeSpy on the phones of partners, children, or coworkers – in that their details were swiped by the intruder. Unfortunately that website database included records on those being snooped on, too, such as their messages, whereabouts, and call logs.

The app was marketed as being for completely legit purposes, such as child or employee monitoring, or for forgetful folks who want to easily locate their misplaced devices. Yes, those are real examples still listed on the developer's website as to why people should use LetMeSpy.

In reality, the app could be installed on an Android device, and depending on the OS version, hidden from view. It would then copy that device's text messages, call logs, location, and other info to the LetMeSpy website, allowing the user of the software to keep close tabs on that device. That would make it perfect for stalkers and abusive bosses and partners.

Then someone pwned LetMeSpy, grabbed all that data, and passed it around, shedding lots of light on the software and its maker.

• Miscreants leak texts and info siphoned by Android stalkerware app LetMeSpy
• Apple patches exploited bugs in iPhones plus other holes
• Liberté, Égalité, Spyware: France okays cops snooping on phones
• FBI boss: Congress must renew Section 702 spy powers – that's how we get nearly all our cyber intel

According to security researcher Maia Arson Crimew, who received a copy of the stolen files and performed a quick scan of the email address domains of its users, government workers, two Malaysian and one Jordanian, had signed up for the service, plus a Louisiana police officer, as well as an employee from a competing stalkerware company, and a ton of US college students.

"If you wish to access the data available within your user account, please contact us individually regarding this matter by September 30, 2023, at: ibd[at]radeal[dot]pl," the LetMeSpy notice stated. "After the expiration of retention period under the applicable law, the data stored in user accounts will be deleted."

To that we say: good riddance.

The shutdown comes as America, which itself has a very complicated relationship with surveillance-ware, added commercial spyware makers Intellexa and Cytrox to its Entity List, citing national security concerns. ®