A significant data breach involving Catwatchful, a spyware application marketed as parental control software, has exposed the personal information of 62,000 customer accounts and compromised surveillance data from 26,000 victim devices across multiple countries.
The leaked database contained records dating back to 2018, roughly six years of accumulated surveillance data. Most affected victims were located in India, Mexico, Colombia, Peru, Argentina, Ecuador, and Bolivia, so Latin American and South Asian populations bore the heaviest impact.
The breach exposed highly sensitive personal information, including private messages, photos, and real-time location data from victim devices. The spyware permitted access to live ambient audio feeds and both front and rear camera streams from compromised phones.
Customer email addresses and passwords were stored, and therefore leaked, in plaintext, which exposes the people who bought the spyware to credential stuffing against any other account where they reused the same password. The widely cited average breach cost of $4.35 million is a figure for organizations; in this case the exposure falls on individuals, both the customers and the people whose phones they were monitoring.
Catwatchful functions as stalkerware, requiring manual installation with physical access to target devices. Once installed, the application runs in stealth mode, remaining hidden from device users as it continuously uploads private data to a remote dashboard.
The software is distributed outside official app stores, so whoever installs it must sideload the APK onto the target device, which requires allowing installation from unknown sources on that phone.
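Because the installation path described above leaves a trace in Android's package manager (the installer of record), one triage step on a phone suspected of carrying stalkerware is to list every package that did not come from the Play Store. The filter below is an added example written for this article, not code from the original page or from any security vendor. It assumes the `package:<name>  installer=<source>` line format produced by `adb shell pm list packages -i`, and it treats `installer=null` (typical of `adb install`) and the stock package installer (typical of browser-downloaded APKs) as sideloaded. The trusted-installer set and the sample output are constructed for the demo.

```python
import re

# Play Store is the only installer trusted here; vendor app stores would be added
# per device (assumption for this demo, not a universal allow-list).
TRUSTED_INSTALLERS = {"com.android.vending"}

# One line of `adb shell pm list packages -i` output (assumed format).
LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def sideloaded_packages(pm_output, trusted=TRUSTED_INSTALLERS):
    """Return (package, installer) pairs whose installer is null or not in `trusted`.

    `pm_output` is the raw text of `adb shell pm list packages -i`.
    Lines that do not match the expected format are skipped rather than guessed at.
    """
    found = []
    for line in pm_output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        pkg, installer = m.groups()
        if installer == "null" or installer not in trusted:
            found.append((pkg, installer))
    return found


# Constructed sample output for the demo; package names are invented.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.whatsapp  installer=com.android.vending
package:com.example.sysservice  installer=null
package:com.example.updater  installer=com.google.android.packageinstaller
"""


if __name__ == "__main__":
    for pkg, installer in sideloaded_packages(SAMPLE_PM_OUTPUT):
        print(f"sideloaded: {pkg} (installer={installer})")
```

A hit on this list is a lead, not a verdict: developers, enterprise MDM agents and vendor stores also install outside the Play Store, so each flagged package still needs to be identified by hand.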
The security breach resulted from a misconfigured, unauthenticated API that left the entire database publicly accessible. Security researcher Eric Daigle discovered the vulnerable system that exposed thousands of users’ private data.
Daigle's findings included a SQL injection flaw in that API and the absence of any authentication on it, so the full customer and victim database could be dumped by anyone who found the endpoint. The dumped data, which the app kept on Google's Firebase platform, also identified the operation's administrator, Omar Soca Charcov of Uruguay; his own administrative account appeared in the same records, an operational security failure that tied him directly to the spyware service.
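The three weaknesses named above (an endpoint anyone can call, SQL assembled by string concatenation, and passwords kept in plaintext) compound each other: the injection turns a single-record lookup into a dump of every customer, and plaintext storage means that dump is immediately usable. The snippet below, an added example for this article and not Catwatchful's code or schema, shows a minimal vulnerable lookup beside a hardened one over a constructed in-memory SQLite table. The table, the two sample accounts and the function names are all invented for the demo.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ITERATIONS = 200_000  # demo value; tune to your hardware budget


def hash_password(password):
    """Salted PBKDF2-HMAC-SHA256; stored as 'salt_hex:hash_hex'."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt.hex() + ":" + dk.hex()


def verify_password(stored, password):
    """Constant-time comparison of the candidate against the stored hash."""
    salt_hex, dk_hex = stored.split(":")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def make_db():
    """Constructed customer table for the demo (not the real schema).

    The 'password' column holds plaintext, as in the breach; 'pw_hash' is what a
    hardened service would store instead. Both are filled so the two lookup
    functions below can run against one table.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (email TEXT PRIMARY KEY, password TEXT, pw_hash TEXT)"
    )
    for email, pw in [("alice@example.com", "hunter2"), ("bob@example.com", "letmein")]:
        conn.execute(
            "INSERT INTO customers VALUES (?, ?, ?)", (email, pw, hash_password(pw))
        )
    return conn


def lookup_vulnerable(conn, email):
    """Unauthenticated endpoint: no credential check, query built by concatenation.

    The caller-controlled `email` becomes part of the SQL text, so a payload such
    as  ' OR '1'='1  widens the WHERE clause to every row and returns every
    customer's plaintext password.
    """
    sql = "SELECT email, password FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, email, password):
    """Requires a valid password, binds parameters, and never returns secrets.

    Returns None when the account does not exist or the password is wrong; the
    same response for both cases avoids confirming which emails are registered.
    """
    row = conn.execute(
        "SELECT pw_hash FROM customers WHERE email = ?", (email,)
    ).fetchone()
    if row is None or not verify_password(row[0], password):
        return None
    return conn.execute(
        "SELECT email FROM customers WHERE email = ?", (email,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))          # every row, passwords included
    print("hardened:  ", lookup_hardened(db, payload, "anything"))  # None
    print("hardened:  ", lookup_hardened(db, "alice@example.com", "hunter2"))
```

Parameter binding on its own would have stopped the injection, but without an authentication check the endpoint would still hand any caller one record per guessed email, and without hashing any later leak of the table would still expose every password; the fix has to cover all three.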
Google responded by adding Catwatchful to Play Protect, so devices with Play Protect enabled now warn their owners if the spyware is present. The company is also reviewing whether the operation violates its policies.
The web host disabled the accounts serving the operation after the exposure, though the service was afterward moved to another hosting provider.
The breach highlights significant concerns about applications marketed as legitimate parental control tools being used for illicit surveillance purposes. These surveillance technologies often generate distrust in family relationships, undermining the very bonds they claim to protect.
Security experts point to two lessons: devices on which sideloading is permitted are the natural target for this kind of tool, and stalkerware operations that neglect basic security practices put their victims' data at risk a second time when they themselves are breached.
The incident accentuates the need for stronger regulatory protections against unauthorized surveillance software.