A major security vulnerability in the Android spyware operation Catwatchful has exposed the complete database of over 62,000 customer accounts, including plaintext passwords and email addresses, according to a security researcher who discovered the breach in June 2025.

Despite operating a hybrid architecture that used Google’s Firebase platform for storing stolen victim data, Catwatchful maintained a separate MySQL database containing user credentials that lacked basic security protections. User registration triggered account creation in both Google Firebase and a custom database hosted on catwatchful.pink. While Firebase provided robust security for storing victim data, the custom server handling user authentication was completely vulnerable.

Canadian cybersecurity researcher Eric Daigle uncovered the vulnerability through a SQL injection attack that allowed him to extract the entire user database from the stalkerware service. Security experts note that Android users can detect Catwatchful by dialing “543210” on their device, which triggers a built-in backdoor revealing the hidden application. Google added Catwatchful to its Play Protect detection system, but has not yet disabled the Firebase instance storing victim data.

This breach highlights the inherent risks associated with stalkerware operations, illustrating that these illicit surveillance tools pose a threat to both perpetrators and victims due to inadequate security practices and insufficient data protection measures. This incident represents the fifth major stalkerware breach in 2025 alone, highlighting systemic security failures across the surveillance software industry. The leaked database revealed that Catwatchful had been operating since at least 2018, with victims primarily located in Mexico, Colombia, India, Peru, Argentina, Ecuador, and Bolivia.
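The two failures the article names for the credential server are an authentication query that could be altered through SQL injection and passwords stored in plaintext. The following example, added here and not taken from the article or from any Catwatchful code, shows both defects beside their fixes using a constructed in-memory SQLite table: a lookup built by string concatenation returns every account when the input contains a quote, the parameterized version treats the same input as a literal email address, and passwords are stored only as salted PBKDF2 hashes and compared in constant time. The table schema, the account rows and the function names are all hypothetical.

```python
import hashlib
import hmac
import os
import sqlite3


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a salted password hash with PBKDF2-HMAC-SHA256 (standard library).

    A memory-hard KDF such as scrypt or Argon2 is the usual production choice;
    PBKDF2 is used here only to keep the example dependency-free."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for a customer-account table (hypothetical schema).

    No plaintext password column exists: only the salt and the derived hash are kept."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB NOT NULL, pw_hash BLOB NOT NULL)"
    )
    sample_accounts = [  # constructed sample data
        ("alice@example.test", "correct horse battery"),
        ("bob@example.test", "hunter2"),
    ]
    for email, password in sample_accounts:
        salt = os.urandom(16)
        conn.execute(
            "INSERT INTO users (email, salt, pw_hash) VALUES (?, ?, ?)",
            (email, salt, hash_password(password, salt)),
        )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list[str]:
    """Defective pattern: the caller-supplied value is spliced into the SQL text,
    so a quote in the input changes the query's structure instead of its data."""
    query = "SELECT email FROM users WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(query).fetchall()]


def lookup_safe(conn: sqlite3.Connection, email: str) -> list[str]:
    """Fixed pattern: the value is bound as a parameter and can never be parsed as SQL."""
    query = "SELECT email FROM users WHERE email = ?"
    return [row[0] for row in conn.execute(query, (email,)).fetchall()]


def verify_login(conn: sqlite3.Connection, email: str, password: str) -> bool:
    """Authenticate without ever reading a plaintext password back from storage."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE email = ?", (email,)
    ).fetchone()
    if row is None:
        return False
    salt, stored_hash = row
    # compare_digest avoids leaking which byte differed through timing.
    return hmac.compare_digest(hash_password(password, salt), stored_hash)


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed input containing a quote character
    print("vulnerable lookup returns:", lookup_vulnerable(db, probe))  # every account
    print("parameterized lookup returns:", lookup_safe(db, probe))     # nothing
    print("alice login:", verify_login(db, "alice@example.test", "correct horse battery"))
    print("alice wrong password:", verify_login(db, "alice@example.test", "nope"))
```

The point of the side-by-side pair is that the parameterized query and the hashed store are independent fixes: parameterization stops the query from being rewritten, while hashing with a per-user salt limits what a successful dump is worth, which is exactly the second protection the article says was missing.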
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 03 Jul 2025 13:15:14 +0000