Massive Data Exposure
A significant security incident has come to light, where a hacktivist successfully accessed and exfiltrated payment records belonging to more than 500,000 customers of a company specializing in consumer-grade "stalkerware." This breach has resulted in the public availability of customer email addresses and partial payment card details. The compromised transactions are linked to various phone surveillance and tracking applications, including services like Geofinder and uMobix, as well as apps designed to access private social media accounts such as Peekviewer. These services are provided by a Ukrainian entity known as Struktura, which also operates under the guise of a UK-based software development startup named Ersten Group. The data includes customer information for well-known surveillance apps like Xnspy, which itself faced a data leak in 2022, exposing personal data from numerous Android and iPhone users. This latest incident underscores a recurring pattern of security failures among surveillance software providers, often due to inadequate cybersecurity practices, leading to the exposure of sensitive customer data.
Stalkerware Functionality
Stalkerware applications, such as uMobix and Xnspy, are designed to be covertly installed on a target's mobile device. Once active, they meticulously collect and transmit a wealth of the victim's private information directly to the individual who planted the software. This invasive data can include detailed call logs, all text messages exchanged, a collection of photos and videos stored on the device, browsing history, and precise real-time location data. This capability allows the user of the stalkerware to monitor nearly every aspect of the victim's digital life and movements without their knowledge or consent. Notably, some of these applications explicitly market their services for monitoring spouses or domestic partners, activities that are illegal and carry serious legal ramifications.
Breach Details & Verification
The leaked dataset, obtained by TechCrunch, comprises approximately 536,000 records detailing customer email addresses, the specific app or brand purchased, the amount paid, the type of payment card used (e.g., Visa, Mastercard), and the last four digits of the card number. Crucially, the records do not contain payment dates. TechCrunch conducted thorough verification of the data's authenticity. This process involved identifying transaction records associated with disposable email addresses, such as those from Mailinator, and attempting to reset passwords on the corresponding surveillance app accounts. Successful password resets confirmed the validity of these accounts. Further verification was achieved by matching unique invoice numbers from the leaked data with the vendor's checkout pages, which allowed retrieval of customer and transaction details without requiring credentials.
Hacktivist's Motivation
The hacktivist responsible for this extensive data scrape, operating under the alias "wikkid," informed TechCrunch that the breach was facilitated by a "trivial" security flaw present on the vendor's website. Wikkid expressed a personal motivation for targeting applications used for spying on individuals, stating they "have fun targeting apps that are used to spy on people." Following the successful data extraction, the hacktivist disseminated the scraped information on a well-known hacking forum. The forum listing identified the vendor as Ersten Group, a company that presents itself as a software development startup based in the UK. However, TechCrunch's investigation revealed that email addresses within the dataset, used for testing and customer support, pointed to Struktura, a Ukrainian company with an identical website to Ersten Group. The earliest record in the compromised data was for Struktura's CEO, Viktoriia Zosim, for a transaction amounting to just $1.