Android-based phone monitoring app LetMeSpy has disclosed a security breach that allowed an unauthorized third-party to steal sensitive data associated with thousands of Android users.

“As a result of the attack, the criminals gained access to email addresses, telephone numbers and the content of messages collected on accounts,” LetMeSpy said in an announcement on its website, noting the incident took place on June 21, 2023.

Following the discovery of the hack, LetMeSpy said it notified law enforcement and data protection authorities. It’s also taking steps to suspend all account-related functions until further notice. The identity of the threat actor and their motives are currently unknown.

The work of a Polish company named Radeal, LetMeSpy is offered as a monthly subscription ($6 for Standard or $12 for Pro), allowing its customers to snoop on others simply by installing the software on their devices. An Internet Archive snapshot from December 2013 shows that it’s billed as a tool for parental or employee control.

LetMeSpy comes with a wide range of features to collect call logs, SMS messages, and geolocations, all of which can be accessed from the website. In an attempt to evade detection and removal, the app’s icon can be hidden from the device’s home screen launcher.

As of January 2023, the stalkerware app has been used to track 236,322 phones across the world, harvesting over 63.5 million text messages, 39.7 million call logs, and 43.2 million locations.

Polish security research blog Niebezpiecznik, which first reported the breach and analyzed a dump of the stolen data, said it includes about 26,000 email addresses, 16,000 SMS messages, and a database of victims’ locations.

A further review of the leaked information by TechCrunch has revealed that the data goes all the way back to 2013, when LetMeSpy became operational. The records also contain data from at least 13,000 compromised devices. A majority of the victims are located in the U.S., India, and parts of Africa.