Catwatchful 2025 Data Breach

Catwatchful Android Stalkerware Breach (2025): 62K Operator Accounts Including Plaintext Passwords Exposed via SQL Injection | ObscureIQ
ObscureIQ Breach Intelligence

Classification Tags

n/a (researcher disclosure - Eric Daigle via SQL injection) · Misconfiguration · Spyware · Email Address · Password
High Severity · Website / service breach

Android stalkerware platform used for covert device monitoring and surveillance.

Verified by ObscureIQ Intelligence
Breach Risk Index: 87/100
Data Value: 40
Market Recency: 40
Since Breach: 298d

Breach Intelligence Summary

Entity: Catwatchful · Actor: n/a (researcher disclosure - Eric Daigle via SQL injection) · Sources: 2 references
Attack: Misconfiguration
Profile: Spyware / Stalkerware · Covert device monitoring and surveillance · Android stalkerware platform · Global
Timeline: Breach (2025-06-09) · Indexed (Jul 03, 2025) · Year (2025)
Exposure: 62K records · 2 fields: Email Address, Password
Status: Confirmed

Executive Summary

Catwatchful, an Android stalkerware application administered by Uruguay-based developer Omar Soca Charcov, suffered a data breach that was disclosed publicly on July 2-3, 2025 by Canadian security researcher Eric Daigle. The breach was enabled by a SQL injection vulnerability in an unauthenticated PHP API endpoint (servicios.php) on the catwatchful.pink backend domain that handled communication between the planted Android applications and the Catwatchful command servers. Daigle exploited the vulnerability using the standard SQL injection automation tool sqlmap and confirmed that a non-blind UNION-based injection technique could be used to extract the entire customer database. The breach was subsequently provided to Have I Been Pwned, which indexed it on July 3, 2025, and reported by TechCrunch on July 2, 2025.

The breach affected approximately 62,050 customer accounts and approximately 26,000 victims whose phone data was being captured by Catwatchful at the time of the breach, with some surveillance data dating back to 2018. Compromised fields for the customer population included email addresses and passwords stored in plaintext. The plaintext password storage represents a critical security failure that exposes the original credential values directly. The exposed customer data also revealed Catwatchful's administrator identity (Omar Soca Charcov, who appeared as the first entry in the database, consistent with the developer testing the application against personal devices).

Affected victim devices were concentrated in Latin America (Mexico, Colombia, Peru, Argentina, Ecuador, and Bolivia) and India. Captured victim data including photos and audio recordings was hosted on Google Firebase infrastructure and was accessible to anyone holding a customer account credential. For surveillance targets and customers alike, the practical risk profile is exceptionally severe and varies between the two populations.
For surveillance targets (the people whose devices were being secretly monitored), the breach exposed live and historical device data including photos, messages, call logs, real-time location, and ambient microphone audio that may have been collected without their knowledge or consent. Many targets are likely domestic-violence victims and individuals whose partners, family members, or employers installed the software covertly. The U.S. National Domestic Violence Hotline (1-800-799-7233) and the Coalition Against Stalkerware provide resources for individuals who suspect they may have been monitored. Android users can detect Catwatchful by entering 543210 on the Android phone dialer and pressing call, which exploits a built-in backdoor feature to reveal the otherwise-hidden application; victims should establish a safety plan before removal because disabling the application may alert the person who installed it.

For customers (the people who installed the spyware), the breach exposed their identification as someone who purchased and used surveillance software, with potential employment, relationship, and legal consequences depending on the jurisdiction and the consent status of the surveillance target. Customers should change all reused passwords on other accounts because the plaintext password exposure means any account where the same password was reused is fully compromised.

ObscureIQ assessment: Extremely sensitive. Exposure can reveal both operators and victims of covert monitoring, enabling extortion, stalking, domestic abuse escalation, and severe privacy harm.

Breach Impact

The institutional impact on Catwatchful has been significant given the public identification of its administrator, hosting termination, and Google Play Protect detection. The case has been formally cited by TechCrunch as the fifth major stalkerware compromise of 2025, alongside the Cocospy/Spyic/Spyzie sibling chain and SpyX. The administrator's identification is particularly consequential because Catwatchful's continued operation in violation of consent and surveillance laws across multiple jurisdictions creates direct legal exposure for the named individual. The case has been broadly cited in U.S. and international cybersecurity coverage as illustrating the persistent pattern of consumer-grade spyware operations being compromised through trivially exploitable vulnerabilities including SQL injection in unauthenticated API endpoints.

About Catwatchful

Catwatchful was an Android-based stalkerware application marketed as undetectable parental and child-monitoring software, but designed to facilitate covert surveillance of any Android device. Operated under the catwatchful.com brand and the catwatchful.pink backend domain, Catwatchful was administered by Omar Soca Charcov, a Uruguay-based developer whose identity was revealed through the breach itself. The application was distributed outside official app stores (because stalkerware is prohibited by Google Play and Apple App Store policies) and required physical installation on a target Android device, after which it operated invisibly to upload screenshots, photographs, text messages, call logs, real-time location, and ambient microphone audio to a dashboard accessible by the customer who installed the application. As a stalkerware platform, Catwatchful maintained two distinct populations of data: customer accounts (the people who installed the spyware on someone else's device) and exfiltrated device data (the surveillance content captured from the monitored devices).

Why They Hold Your Data

Stalkerware platforms collect customer records, target-device identifiers, monitoring configurations, and exfiltrated device data tied to covert surveillance workflows.

Recent Developments

Catwatchful's hosting was terminated by Hosting.com on June 25, 2025 after TechCrunch security editor Zack Whittaker contacted the host with details of the breach. The service was briefly restored under the alternate domain xng.vju.temporary.site before migrating to HostGator infrastructure, and the operator subsequently added a web application firewall to mitigate further SQL injection attempts. Google added Catwatchful detection to its Google Play Protect service following the disclosure, alerting Android users who attempt to install the application. The Coalition Against Stalkerware and Malwarebytes have been actively involved in publishing user guidance for affected victims and in advocacy commentary about the case. Despite hosting changes and Play Protect detection, the platform continued to operate at the time of the original July 2025 reporting, with victim data still hosted on Google Firebase infrastructure.

Data Points Exposed

2 verified field types
Email Address
Password (Critical)

Exploitation & Downstream Threats

Threat Activity: Moderate
Primary downstream threats:
  • Credential stuffing against reused passwords across other platforms
  • Targeted phishing campaigns using exposed email addresses
Threat vectors:
  • Phishing, credential stuffing & account takeover
  • Credential stuffing & account takeover

Threat Actor: n/a (researcher disclosure - Eric Daigle via SQL injection)

Attribution and method are based on available breach intelligence. Reported attack vector: Misconfiguration.

Recommended Actions

If you believe your information may be included:

  • Change Reused Passwords: Update this account and anywhere you reused the password; use a manager.
  • Enable MFA Everywhere: Turn on multi-factor authentication on email first, then financial accounts.
  • Report & Recover: If you spot misuse, start an official recovery plan and report fraud.

Frequently Asked Questions

What happened in the Catwatchful breach?

Catwatchful, an Android stalkerware application administered by Uruguay-based developer Omar Soca Charcov, suffered a data breach that was disclosed publicly on July 2-3, 2025 by Canadian security researcher Eric Daigle. The breach was enabled by a SQL injection vulnerability in an unauthenticated…

What data was exposed?

Verified fields include Email Address, Password.

What should I do if I was affected?

Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.

Sources & References

Every claim on this page is traceable. This breach draws on:

  • Breach Index: Have I Been Pwned (record & field corroboration)
  • ObscureIQ Intelligence: ObscureIQ proprietary analysis (Risk Index scoring & downstream-threat assessment)
