- A security flaw in Cocospy and Spyic has exposed the personal data of millions of users, including messages, photos, and call logs.
- The researcher who found the bug collected 2.65 million unique email addresses from the apps’ servers and shared them with Have I Been Pwned.

A major security vulnerability in the mobile monitoring apps Cocospy and Spyic has exposed the personal data of millions of users, according to a security researcher who discovered the flaw.
The bug allows unauthorized access to sensitive data—including messages, photos, and call logs—collected from devices compromised by these apps.
Additionally, the flaw exposes the email addresses of individuals who signed up for the apps to monitor others secretly.
Cocospy and Spyic, two differently branded stalkerware apps with a shared codebase, operate by stealthily collecting data from an infected device and transmitting it to a dashboard accessed by the person who installed the app.
Given their covert nature, many victims are likely unaware that their devices have been compromised.
The researcher who identified the bug was able to collect 1.81 million email addresses from Cocospy users and 880,167 from Spyic users, scraping the data directly from the apps’ servers.
These findings were provided to Troy Hunt, the creator of the data breach notification service Have I Been Pwned.
Hunt loaded a total of 2.65 million unique email addresses from the breach into his database, marking them as “sensitive.”
This means only affected individuals can check if their information was compromised.
Cocospy and Spyic join a growing list of surveillance products that have suffered security breaches in recent years. Since 2017, at least 23 known surveillance operations have been hacked or exposed, often due to weak security practices.
These incidents highlight ongoing concerns about the safety and ethical implications of phone-monitoring software.
Edited By Annette George