Data breach reveals US spyware maker behind Windows, Mac, Android and Chromebook malware | TechCrunch

A little-known Minnesota-based spyware maker has been hacked, TechCrunch has learned, exposing thousands of devices worldwide under its secret remote monitoring.

A person familiar with the breach provided TechCrunch with a cache of files taken from the company’s servers containing detailed logs of device activity from the phones, tablets and computers Spytech monitored, with some of the files dating back to early June.

TechCrunch confirmed the data as authentic in part by analyzing some of the exfiltrated device activity logs that relate to the company’s CEO installing the spyware on one of his own devices.

The data shows that Spytech’s spyware — Realtime-Spy and SpyAgent, among others — was used to compromise more than 10,000 devices since the earliest leaked records in 2013, including Android devices, Chromebooks, Macs and Windows computers worldwide.

Spytech is the latest spyware vendor in recent years to be compromised itself, and the fourth spyware vendor known to have been hacked this year alone, according to current TechCrunch statistics.

When reached for comment, Spytech CEO Nathan Polencheck told TechCrunch that the email “was the first I’ve heard of the breach and I haven’t seen the data that you’ve seen, so right now all I can really say is that I am investigating everything and will take appropriate action.”

Spytech is a maker of remote access apps, often called “stalkerware,” that are sold under the guise of allowing parents to monitor their children’s activities, but are also marketed to spy on the devices of spouses and domestic partners. Spytech’s website openly advertises its spousal monitoring products, promising to “monitor your spouse’s suspicious behavior.”

Although monitoring the activity of children or employees is not illegal, monitoring a device without the owner’s consent is illegal, and both spyware operators and spyware customers face prosecution for selling and using spyware.

Stalkerware apps are usually placed by someone with physical access to a person’s device, often with knowledge of their password. By nature, these apps can remain hidden from view and are difficult to detect and remove. Once installed, the spyware sends keystrokes and screen taps, web browsing history, device usage activity and, in the case of Android devices, detailed location data to a dashboard controlled by whoever installed the application.

The breached data seen by TechCrunch contains logs of all devices under Spytech’s control, including records of each device’s activity. Most of the devices compromised by the spyware are Windows PCs and, to a lesser extent, Android devices, Macs, and Chromebooks.

The device activity logs we saw were not encrypted.

TechCrunch analyzed location data obtained from hundreds of compromised Android phones and plotted the coordinates in an offline mapping tool to preserve victims’ privacy. Location data gives some idea, though not complete, of where at least some of Spytech’s victims are.

Hundreds of Android devices compromised by Spytech’s spyware plotted on the world map.
Image Credits: TechCrunch

Our analysis of the mobile-only data shows that Spytech has significant clusters of devices observed in Europe and the United States, as well as smaller, localized clusters of devices in Africa, Asia, Australia and the Middle East.

One of the records associated with Polencheck’s admin account includes the exact geolocation of his house in Red Wing, Minnesota.

While the data contains a wealth of sensitive data and personal information obtained from the devices of individuals — some of whom will have no idea their devices are being monitored — the data does not contain enough identifying information about each compromised device for TechCrunch to notify the victims of the compromise.

Asked by TechCrunch, Spytech’s CEO did not say whether the company plans to notify its customers, the people whose devices were monitored, or US government authorities, as required by data breach notification laws.

A spokesman for the Minnesota attorney general did not respond to a request for comment.

Spytech dates back to at least 1998. The company operated largely under the radar until 2009, when an Ohio man was convicted of using Spytech spyware to infect the computer systems of a nearby children’s hospital by targeting the email account of his former partner, who worked there.

Local news media reported at the time, and TechCrunch confirmed from court records, that the spyware infected the children’s hospital’s systems as soon as his former partner opened the attached spyware, which prosecutors say collected sensitive health information. The person who sent the spyware pleaded guilty to illegal interception of electronic communications.

Spytech is the second US-based spyware maker in recent months to suffer a data breach. In May, Michigan-based pcTattletale was hacked and its website defaced, and the company subsequently shut down and deleted its company data banks of victims’ devices instead of notifying affected individuals.

Data breach notification service Have I Been Pwned later obtained a copy of the breached data and identified 138,000 customers who had signed up for the service.


If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides 24/7 free, confidential support to victims of domestic abuse and violence. If you are in an emergency, call 911 Coalition Against Stalkerware There are resources if you think your phone has been compromised by spyware.