Hacktivist Exposes Over 500,000 Stalkerware Customer Payment Records
In a significant breach of privacy, a hacktivist operating under the alias wikkid has successfully extracted over half a million payment records from a provider of consumer-grade stalkerware applications. This data leak has unveiled the email addresses and partial payment details of individuals who purchased software designed to covertly monitor others.
The compromised data encompasses transactions for various phone-tracking services, including Geofinder and uMobix, as well as applications like Peekviewer (formerly known as Glassagram), which claim to grant access to private Instagram accounts. These services are offered by Struktura, a Ukrainian company specializing in surveillance software.
Notably, the leaked information also contains transaction records from Xnspy, a well-known phone surveillance application that, in 2022, inadvertently exposed private data from the Android devices and iPhones of tens of thousands of unsuspecting individuals.
This incident is the latest in a series of security lapses among surveillance vendors, highlighting a troubling trend. Over the past few years, numerous stalkerware applications have been hacked or have inadvertently exposed sensitive data due to inadequate cybersecurity measures. These breaches often compromise not only the privacy of the individuals being monitored but also the security of the customers who purchase these applications.
Stalkerware applications like uMobix and Xnspy, once installed on a target’s phone, clandestinely upload the victim’s private data—including call logs, text messages, photos, browsing history, and precise location information—to a server. This data is then accessible to the individual who installed the app, enabling continuous surveillance without the victim’s knowledge.
The data obtained by the hacktivist includes approximately 536,000 records containing customer email addresses, the specific application or service purchased, the amount paid, the type of payment card used (such as Visa or Mastercard), and the last four digits of the payment card. Notably, the records do not include the dates of the transactions.
To verify the authenticity of the leaked data, several transaction records associated with disposable email addresses were tested through the password reset portals of the respective surveillance applications. Resetting the passwords for accounts linked to these public email addresses confirmed that the accounts were legitimate.
Further validation was achieved by matching each transaction’s unique invoice number from the leaked dataset with the surveillance vendor’s checkout pages. This process was facilitated by a vulnerability in the checkout page that allowed retrieval of customer and transaction data from the server without requiring authentication.
The hacktivist wikkid disclosed that the data was scraped from the stalkerware vendor due to a trivial bug in its website. They stated that they have fun targeting apps that are used to spy on people and subsequently published the scraped data on a known hacking forum.
This breach underscores the inherent risks associated with the use of stalkerware applications. Not only do these applications facilitate the invasion of individuals’ privacy, but they also pose significant security risks to the users who deploy them. The repeated exposure of sensitive data due to inadequate security measures by stalkerware vendors calls for stricter regulations and enforcement to protect individuals from unauthorized surveillance and data breaches.