A Minnesota-based spyware company has been hacked, exposing thousands of devices worldwide under its covert surveillance, TechCrunch has learned.
A source familiar with the breach provided TechCrunch with files from the company’s servers, detailing device activity logs from phones, tablets, and computers monitored by Spytech. Some files date back to early June. TechCrunch confirmed the authenticity of the data by analyzing logs, including those from the company's CEO, who installed the spyware on his own device.
The leaked data reveals that Spytech's software, including Realtime-Spy and SpyAgent, has compromised over 10,000 devices since 2013. These include Android devices, Chromebooks, Macs, and Windows PCs globally.
Spytech is the latest in a series of spyware makers hacked in recent years, and the fourth this year alone, according to TechCrunch.
When contacted, Spytech CEO Nathan Polencheck stated that TechCrunch's email was the first he had heard of the breach and that he was investigating the situation.
Spytech produces remote access applications, often labeled as "stalkerware," marketed for parental control but also advertised for spousal surveillance. Monitoring the activities of children or employees is legal, but unauthorized monitoring of a device is illegal and has led to prosecutions of both spyware sellers and users.
Stalkerware apps are typically installed by someone with physical access to the device and can remain hidden and difficult to detect. These apps transmit keystrokes, browsing history, device activity, and, for Android devices, location data to a dashboard controlled by the installer.
The breached data seen by TechCrunch includes activity logs for all devices under Spytech's control, mostly Windows PCs, with fewer Android devices, Macs, and Chromebooks. The logs were not encrypted.
TechCrunch analyzed location data from compromised Android phones and mapped the coordinates offline to protect victims' privacy. The data indicates Spytech's spyware monitors devices primarily in Europe and the United States, with other clusters in Africa, Asia, Australia, and the Middle East.
One record linked to Polencheck's administrator account includes the geolocation of his residence in Red Wing, Minnesota.
While the data contains sensitive information from individuals unaware their devices are monitored, there isn't enough identifiable information for TechCrunch to notify victims of the breach. Spytech’s CEO did not comment on whether the company plans to notify its customers or authorities as required by law.
Spytech has operated since at least 1998, remaining largely unnoticed until 2009, when an Ohio man was convicted of using its spyware to infect a children's hospital's systems, targeting his ex-partner's email. The spyware collected sensitive health information, leading its sender to plead guilty to illegal interception of communications.
Spytech is the second U.S.-based spyware company to experience a data breach recently. In May, Michigan-based pcTattletale was hacked, leading to its shutdown and the deletion of victim data without notifying affected individuals. Data breach notification service Have I Been Pwned later listed 138,000 pcTattletale customers as having signed up for the service.