Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124

A hacker has collected more than half a million payment records from a provider of consumer “stalkerware” phone monitoring apps, exposing email addresses and partial payment information of customers who paid to spy on others.
The transactions contain records of payments to phone tracking services like Geofinder and uMobix, as well as services like Peekviewer (formerly Glasagram), which claims to allow access to private Instagram accounts, among many other monitoring and tracking apps offered by the same vendor, a Ukrainian company called Struktura.
The customer data also includes transaction logs from Xnspy, a well-known phone monitoring application, which in 2022 leaked private data from tens of thousands of unsuspecting people's Android devices and iPhones.
This is the latest example of a surveillance vendor exposing its customers’ information due to security vulnerabilities. Over the past few years, dozens of stalkerware applications have been hacked, or have managed to lose, leak or expose people’s private data – often that of the victims themselves – thanks to poor cybersecurity by stalkerware operators.
To contact Zack Whittaker securely, reach him via the Signal username zackwhittaker.1337. Contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or by email.
Stalkerware apps like uMobix and Xnspy, once planted on someone’s phone, upload the victim’s private data, including call logs, text messages, photos, browsing history and precise location data, which is then shared with the person who planted the app.
Apps like uMobix and Xnspy have explicitly marketed their services for people to spy on their spouses and domestic partners, which is illegal.
The data, seen by TechCrunch, included about 536,000 lines of customers’ email addresses, the app or brand the customer paid for, the amount they paid, the type of payment card (such as Visa or Mastercard), and the last four digits on the card. Customer records did not include payment dates.
TechCrunch verified the authenticity of the data by taking several transaction logs containing disposable email addresses with public inboxes, such as Mailinator, and running them through the password reset gateways provided by various monitoring applications. By resetting passwords on accounts associated with public email addresses, we determined that these were real accounts.
We also verified the data by matching the unique invoice number for each transaction from the leaked dataset to the monitoring vendor’s checkout pages. We could do this because the checkout page allowed us to retrieve the same customer and transaction data from the server without needing a password.
The hacktivist, who uses the nickname “wikkid,” told TechCrunch that they pulled data from the stalkerware vendor thanks to a “trivial” bug on its website. The hacktivist said they “enjoy targeting apps used to spy on people” and then posted the stolen data on a well-known hacking forum.
The listing on the hacking forum names the monitoring company as Ersten Group, which presents itself as a UK software development startup.
TechCrunch found several email addresses in the dataset used for testing and customer support that instead point to Struktura, a Ukrainian company whose website is similar to Ersten Group's. The oldest record in the dataset contains the email address of Struktura’s CEO, Victoria Zosim, for a $1 transaction.
Ersten Group representatives did not respond to our requests for comment. Struktura’s Zosim did not respond to a request for comment.