Multi-platform spyware provider Spytech gets hacked, revealing global scale of operations and swaths of unencrypted victim data

Per an exclusive report from TechCrunch, Minnesota-based spyware provider Spytech has been hacked, with files stolen from the company’s servers containing detailed device activity logs from a global pool of mostly Windows PCs but also some Macs, Chromebooks, and even Android devices. The total number of spyware victims impacted by Spytech and noted by TechCrunch analyzing the scale of the breach is “more than 10,000 devices since 2013,” and this cross-platform invasion of privacy stretches across the entire globe, including the US, EU, the Middle East, Africa, Asia, and Australia. 

Spytech provides a brand of spyware best known as “stalkerware” since it’s typically installed by a person with physical access to the victim’s device. Sometimes, it’s more “innocuous” in the form of an employer or parent installing the software on a device they own to surveil the activities of an employee or child, but this application has also been documented infecting users remotely through a remote email.

Fortunately, while the hackers’ payload did include lots of personal information and sensitive data, TechCrunch notes that it did not contain enough identifiable information to actually find the people impacted by the breach. This is a double-edged sword, though, since TechCrunch wanted to notify Spytech’s victims of the breach, and Spytech’s CEO refused to comment on plans to notify customers, the surveilled, or even state authorities on the breach. As noted by TechCrunch, Spytech will be in violation of data breach notification laws if this never happens.

Spytech and its software have existed since 1998, but the most notable story involving its use noted by TechCrunch was a 2009 incident in Northeast Ohio where a jilted ex-boyfriend used it to spy on his ex-girlfriend…by sending an email to her while she was working at Akron Children’s Hospital. The resulting spyware breach not only invaded her privacy but those of patients— children— as well, leading to prosecution for the illegal collection of sensitive health information and private communications.