Hacktivist scrapes 500,000 stalkerware customers’ payment records


A hacktivist obtained more than half a million payment records from a provider of consumer-grade “stalkerware” phone surveillance applications, revealing the email addresses and partial payment information of customers who paid to spy on others.

The transactions contain records of payments for phone tracking services such as Geofinder and uMobix, as well as services such as Peekviewer (formerly Glassagram), which is intended to allow access to private Instagram accounts, among many other monitoring and tracking apps provided by the same vendor, a Ukrainian company called Struktura.

The customer data also includes transaction records from Xnspy, a known phone surveillance app, which in 2022 spilled the private data from thousands of unsuspecting people’s Android devices and iPhones.

This is the latest example of a surveillance vendor exposing its customers’ information due to security flaws. In the last few years, dozens of stalkerware apps have been hacked, or have managed to lose, spill, or expose people’s private data, often that of the victims themselves, thanks to the poor cybersecurity of stalkerware operators.

Contact Us

To contact Zack Whittaker securely, reach out via Signal username zackwhittaker.1337. Contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or email.

Stalkerware apps like uMobix and Xnspy, once planted on a person’s phone, upload the victim’s private data, including their call records, text messages, photos, browsing history, and precise location data, which is then shared with the person who planted the app.

Apps like uMobix and Xnspy clearly market their services for people to spy on their spouses and domestic partners, which is illegal.

The data, seen by TechCrunch, includes about 536,000 lines of customer email addresses, which app or brand the customer paid for, how much they paid, the type of payment card (such as Visa or Mastercard), and the last four digits of the card. Customer records do not include payment dates.

TechCrunch verified the data by taking a large number of transaction records that contained disposable email addresses with public inboxes, such as Mailinator, and running them through the password reset portals provided by the various monitoring applications. By resetting the passwords of accounts associated with public email addresses, we found that these were real accounts.

We also verified the data by matching each transaction’s unique invoice number from the leaked dataset to the surveillance vendor’s checkout pages. We could do this because the checkout page allowed us to retrieve both customer and transaction data from the server without requiring a password.

The hacktivist, who goes by the moniker “wikkid,” told TechCrunch that they scraped data from the stalkerware vendor thanks to a “trivial” bug on its website. The hacktivist said they “enjoyed targeting apps used to spy on people,” and later published the scraped data on a well-known hacking forum.

The listing on the hacking forum names the surveillance vendor as Ersten Group, which presents itself as a UK software development startup.

TechCrunch found several email addresses in the dataset, used for testing and customer support, that instead point to Struktura, a Ukrainian company that has the same website as Ersten Group. The very first record in the dataset contains the email address of Struktura’s chief executive, Viktoriia Zosim, for a $1 transaction.

Representatives of Ersten Group did not respond to our requests for comment. Struktura’s Zosim did not return a request for comment.


