
Com TW NOw News 2024

Hacked GPS tracker exposes customer location data

Stalkerware investigator maia arson crimew strikes again. Big.

We know maia as a researcher who enjoys pursuing stalkerware vendors, which Malwarebytes, as a founding member of the Coalition Against Stalkerware, is more than happy to see.

This time, the target company is Tracki, a company that sells GPS trackers and doesn’t hesitate to explicitly market its product as a device for spying on a spouse or other family member. Tracki devices are sold by several major telecommunications companies, sometimes under the Tracki brand and sometimes under the telecom’s own label.

Tracki’s parent company Trackimo (hey, we’re not the ones who came up with that name) co-owns a subsidiary called watchinU that offers a Nickelodeon-branded smartwatch for kids, the NickWatch, which is currently only available in the UK and Israel.

The investigation into Tracki not only revealed a tangle of companies, dubious websites and fake identities, but also led to a data breach that Maia says may affect nearly 12 million users.

While investigating the technology behind the tracker and the web portal for customers who want to see all their trackers on a map, Maia discovered several hardcoded usernames and passwords being used to load data from a number of management and support tools.

One of the tools, the Trackimo Troubleshooter, is designed to remotely debug all Tracki and Trackimo devices. It does this by showing technical support staff virtually all the details of any device by just entering a device identification number.

This “simple internal support tool” required no authentication beyond a single password shared between Tracki and Trackimo staff. Beyond that, all that is needed is a device ID, and since device IDs follow a standardized format, it appears that with a bit of scripting the relevant data for any device could be extracted.

Tracki support receives multiple subpoenas each week from local and federal law enforcement agencies around the world. Many are for stalking or harassment, but occasionally they are for other charges including domestic violence, attempted murder, and murder. In all of these cases, the victim was being tracked using a Tracki device. Maia says that Trackimo is not only aware of these use cases, but has actively helped customers set up non-consensual tracking of individuals through its support desk.

Of concern is that agencies and military programs in the US and other governments around the world are using Tracki devices, typically for asset, personnel and vehicle tracking.

Our conclusion from this research is that by choosing to use stalkerware of any kind, you are not the only one who could be tracking your target. We have shown time and time again that these companies are not as invested in keeping their data safe as you might expect or hope.

If you’re curious about the companies and the people behind them, read Maia’s blog. It’s got a lot of juicy details.

Malwarebytes has a free tool that lets you check how much of your personal information has been exposed online. Submit your email address (it’s best to enter the one you use most often) to our free Digital Footprint scan and we’ll give you a report and recommendations.

