The U.S.-made consumer-grade spyware app pcTattletale has been hacked, with its internal data published on its own website. The hacker responsible for the breach posted a message on pcTattletale’s website late Friday, claiming to have accessed the servers that house pcTattletale’s operations. The website briefly displayed links to files from its servers, which appeared to include data stolen from victims. The site is not being linked to here due to the ongoing risk to victims whose private data has been compromised.
pcTattletale’s founder Bryan Fleming did not respond to an email request for comment. It remains unclear if Fleming can receive emails due to the company’s ongoing outage.
The hacker did not specify their motivation for the breach. This incident follows a report by a security researcher who found and reported a vulnerability in the spyware app that leaked screenshots from the devices it was installed on. Researcher Eric Daigle did not publish specific details of the flaw because pcTattletale ignored his requests to fix the vulnerability.
The hacker who breached and defaced pcTattletale’s website did not exploit the vulnerability that Daigle identified. Instead, they said they tricked pcTattletale’s servers into revealing the private keys for its Amazon Web Services account, granting access to the spyware’s operations.
pcTattletale is a remote access app, often referred to as “stalkerware” due to its ability to track people without their knowledge or consent. It allows the person who installed the app to remotely view the target’s Android or Windows device and access its data from anywhere. The app operates invisibly in the background, making it difficult to detect and remove.
Earlier this week, it was revealed that pcTattletale had been used to compromise the front desk check-in systems at several Wyndham hotels across the United States, leaking screenshots of guest details and customer information. Wyndham has not confirmed whether it authorized or allowed its franchised hotels to use the spyware app on its systems.
This breach is the latest in a series of incidents where spyware makers have lost control of highly sensitive and personal data collected from targeted devices. Over the past few years, more than a dozen spyware and stalkerware companies have been hacked or otherwise leaked victims’ private data. This list includes companies like LetMeSpy, which shut down in June 2023 after its systems were hacked and backend data deleted, and TheTruthSpy, a phone spyware operation that was hacked again in February. Other affected spyware makers include KidsGuard, Xnspy, Support King, and Spyhide — and now, pcTattletale.
These incidents highlight the significant risks and ethical concerns surrounding the use and security of spyware and stalkerware applications.
