Unnamed stalkerware company has left gigabytes of sensitive personal info unprotected on the web and can’t be reached to fix it

Security researcher Cian Heasley discovered an unprotected online storage folder, reachable from the open web, that holds all the data stalkers and snoops took from their victims' devices using a commercial program that silently harvests photos and recordings.

Included in the leak are 3.7GB of MP3 recordings (25,000 in total) of personal phone calls and 16GB of images (95,000 in total), including very sensitive and personal images.

Both Heasley and Motherboard have repeatedly contacted the stalkerware company to alert it to the breach, but despite multiple attempts they have received no response. Out of an abundance of caution, Motherboard has not named the company while its customers' victims' data is exposed.

Stalkerware companies (previously) market their products to jealous spouses, employers, parents, and even law enforcement. As you might expect from companies engaged in such unethical conduct, these firms are notorious for their poor security and frequently leak the data collected from their customers' victims. Motherboard has covered 12 different vendors' breaches in just the past two years: "Retina-X (twice), FlexiSpy, Mobistealth, Spy Master Pro, SpyHuman, Spyfone, TheTruthSpy, Family Orbit, mSpy, Copy9, and Xnore."

The exposed database was found by security researcher Cian Heasley, who contacted us when he found it earlier this year. The database is still online, and has been online for at least six weeks. Pictures and audio recordings are still being uploaded to it nearly every day. We won’t name the company to protect the victims who may be getting spied on without their consent or knowledge, and—on top of that—are having their pictures and calls uploaded to a server open to anyone with an internet connection.

We have spent weeks trying to ethically disclose this vulnerability to the company and to get the private images secured. We reached out to the company’s official contact email, displayed on its site. No answer. We reached out to the Gmail address of the site’s administrator, who also appears to be the company’s founder. No answer. We left a voicemail to a Google Voice number listed on the site’s WHOIS details. No answer.

This Spyware Data Leak Is So Bad We Can’t Even Tell You About It [Lorenzo Franceschi-Bicchierai/Motherboard]

(via Ben Watts, CC-BY)