Catwatchful Data Breach
Catwatchful Android Stalkerware Breach (2025): 62K Operator Accounts Including Plaintext Passwords Exposed via SQL Injection
Android stalkerware platform used for covert device monitoring and surveillance.
Risk Interpretation
Extremely sensitive. Exposure can reveal both operators and victims of covert monitoring, enabling extortion, stalking, domestic abuse escalation, and severe privacy harm.
Impact & Downstream Threats
The institutional impact on Catwatchful has been significant given the public identification of its administrator, hosting termination, and Google Play Protect detection. The case has been formally cited by TechCrunch as the fifth major stalkerware compromise of 2025, alongside the Cocospy/Spyic/Spyzie sibling chain and SpyX. The administrator's identification is particularly consequential because Catwatchful's continued operation in violation of consent and surveillance laws across multiple jur
- Credential stuffing against reused passwords across other platforms
- Targeted phishing campaigns using exposed email addresses
Threat Vectors
Breach Intelligence
Executive Summary
Catwatchful, an Android stalkerware application administered by Uruguay-based developer Omar Soca Charcov, suffered a data breach that was disclosed publicly on July 2-3, 2025 by Canadian security researcher Eric Daigle. The breach was enabled by a SQL injection vulnerability in an unauthenticated PHP API endpoint (servicios.php) on the catwatchful.pink backend domain that handled communication between the planted Android applications and the Catwatchful command servers. Daigle exploited the vulnerability using the standard SQL injection automation tool sqlmap and confirmed that a non-blind UNION-based injection technique could be used to extract the entire customer database. The breach was subsequently provided to Have I Been Pwned, which indexed it on July 3, 2025, and reported by TechCrunch on July 2, 2025.
The breach affected approximately 62,050 customer accounts and approximately 26,000 victims whose phone data was being captured by Catwatchful at the time of the breach, with some surveillance data dating back to 2018. Compromised fields for the customer population included email addresses and passwords stored in plaintext. The plaintext password storage represents a critical security failure that exposes the original credential values directly. The exposed customer data also revealed Catwatchful's administrator identity (Omar Soca Charcov, who appeared as the first entry in the database, consistent with the developer testing the application against personal devices). Affected victim devices were concentrated in Latin America (Mexico, Colombia, Peru, Argentina, Ecuador, and Bolivia) and India. Captured victim data including photos and audio recordings was hosted on Google Firebase infrastructure and was accessible to anyone holding a customer account credential.
For surveillance targets and customers alike, the practical risk profile is exceptionally severe and varies between the two populations. For surveillance targets (the people whose devices were being secretly monitored), the breach exposed live and historical device data including photos, messages, call logs, real-time location, and ambient microphone audio that may have been collected without their knowledge or consent. Many targets are likely domestic-violence victims and individuals whose partners, family members, or employers installed the software covertly. The U.S. National Domestic Violence Hotline (1-800-799-7233) and the Coalition Against Stalkerware provide resources for individuals who suspect they may have been monitored. Android users can detect Catwatchful by entering 543210 on the Android phone dialer and pressing call, which exploits a built-in backdoor feature to reveal the otherwise-hidden application; victims should establish a safety plan before removal because disabling the application may alert the person who installed it. For customers (the people who installed the spyware), the breach exposed their identification as someone who purchased and used surveillance software, with potential employment, relationship, and legal consequences depending on the jurisdiction and the consent status of the surveillance target. Customers should change all reused passwords on other accounts because the plaintext password exposure means any account where the same password was reused is fully compromised.
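The two failures this summary names, request input reaching a SQL statement and passwords stored in plaintext, are shown here beside their corrected forms as an added example that is not Catwatchful's code or part of the original report. It is a Python/SQLite model rather than the PHP backend; the schema, function names and sample rows are constructed, since the page does not describe the real ones.

```python
import hashlib
import hmac
import os
import sqlite3

def make_db():
    # Constructed two-table schema and sample rows (hypothetical, not from the page).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE devices (owner TEXT, model TEXT)")
    db.execute("CREATE TABLE accounts (email TEXT, password TEXT)")
    db.execute("INSERT INTO devices VALUES ('op1@example.test', 'Pixel 7')")
    db.execute("INSERT INTO accounts VALUES ('op1@example.test', 'hunter2')")
    return db

def lookup_concat(db, owner):
    # Weak pattern: request input is spliced into the SQL text.
    sql = "SELECT owner, model FROM devices WHERE owner = '%s'" % owner
    return db.execute(sql).fetchall()

def lookup_bound(db, owner):
    # Corrected pattern: input is bound as data and never parsed as SQL.
    return db.execute(
        "SELECT owner, model FROM devices WHERE owner = ?", (owner,)
    ).fetchall()

def hash_password(password, salt=None):
    # Salted scrypt record ("salt$digest", hex) in place of the plaintext value.
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt.hex() + "$" + digest.hex()

def verify_password(password, record):
    # Recompute with the stored salt and compare in constant time.
    salt_hex, _ = record.split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, record)

def migrate_plaintext(db):
    # One-off migration: replace each stored plaintext value with its scrypt record.
    rows = db.execute("SELECT email, password FROM accounts").fetchall()
    for email, plaintext in rows:
        db.execute("UPDATE accounts SET password = ? WHERE email = ?",
                   (hash_password(plaintext), email))

# Constructed injection-shaped input used as a regression check on both lookups.
PROBE = "x' UNION SELECT email, password FROM accounts --"
```

The bound lookup returns no rows for `PROBE`, and after `migrate_plaintext` the accounts table holds only scrypt records, so the two fixes work as independent layers.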
About Catwatchful
Catwatchful was an Android-based stalkerware application marketed as undetectable parental and child-monitoring software, but designed to facilitate covert surveillance of any Android device. Operated under the catwatchful.com brand and the catwatchful.pink backend domain, Catwatchful was administered by Omar Soca Charcov, a Uruguay-based developer whose identity was revealed through the breach itself. The application was distributed outside official app stores (because stalkerware is prohibited by Google Play and Apple App Store policies) and required physical installation on a target Android device, after which it operated invisibly to upload screenshots, photographs, text messages, call logs, real-time location, and ambient microphone audio to a dashboard accessible by the customer who installed the application. As a stalkerware platform, Catwatchful maintained two distinct populations of data: customer accounts (the people who installed the spyware on someone else's device) and exfiltrated device data (the surveillance content captured from the monitored devices).
Why They Hold Your Data
Stalkerware platforms collect customer records, target-device identifiers, monitoring configurations, and exfiltrated device data tied to covert surveillance workflows.
Recent Developments
Catwatchful's hosting was terminated by Hosting.com on June 25, 2025 after TechCrunch security editor Zack Whittaker contacted the host with details of the breach. The service was briefly restored under the alternate domain xng.vju.temporary.site before migrating to HostGator infrastructure, and the operator subsequently added a web application firewall to mitigate further SQL injection attempts. Google added Catwatchful detection to its Google Play Protect service following the disclosure, alerting Android users who attempt to install the application. The Coalition Against Stalkerware and Malwarebytes have been actively involved in publishing user guidance for affected victims and in advocacy commentary about the case. Despite hosting changes and Play Protect detection, the platform continued to operate at the time of the original July 2025 reporting, with victim data still hosted on Google Firebase infrastructure.
Data Points Exposed
Canonical Fields
email_address, password
Dark Web Verification
- Dataset containing ~62K records identified in breach intelligence sources
- Data indexed and searchable across breach notification platforms
- Source: Catwatchful Data Breach
Recommended Actions
⚠️ Do not assume this is low sensitivity.
