Spyic, a mobile stalkerware application sharing source code with sibling applications Cocospy and Spyzie, suffered a data breach disclosed publicly on February 20, 2025 by TechCrunch. The breach was enabled by a security vulnerability shared across all three sibling applications that allowed any party to access the personal data exfiltrated from any device with the applications installed and to retrieve the email addresses of customers who had signed up to plant the spyware. The vulnerability was so trivial to exploit that TechCrunch and the involved security researcher declined to publish details to prevent further exploitation. The researcher used the vulnerability to scrape email addresses from all three sibling applications and provided the dataset to Have I Been Pwned, which indexed Spyic on February 20, 2025.

The breach affected approximately 876,000 unique Spyic customer email addresses based on records indexed by Have I Been Pwned (with a deduplicated combined Cocospy and Spyic count of 2.65 million unique addresses). Compromised customer fields were limited to email addresses for purposes of HIBP indexing, but the underlying vulnerability also enabled unauthorized access to captured surveillance data including messages, photos, call logs, and real-time location data from monitored devices. Combined with the sibling Cocospy and Spyzie disclosures, the trio breach exposed approximately 3.2 million customer email addresses across all three platforms.

For surveillance targets and customers alike, the practical risk profile is exceptionally severe and varies between the two populations. For surveillance targets (the people whose devices were being monitored), the breach exposed live and historical device data captured by the spyware, with the U.S. National Domestic Violence Hotline (1-800-799-7233) and the Coalition Against Stalkerware providing resources for individuals who suspect they may have been monitored. Android users can detect Spyic installations by entering ✱✱001✱✱ on the Android phone dialer and pressing call, which exploits a built-in backdoor feature to reveal the otherwise-hidden application (which appears as a generic-looking 'System Service' app); victims should establish a safety plan before removal because disabling the application may alert the person who installed it. For iPhone and iPad users, Spyic worked by exploiting the victim's Apple Account credentials to access iCloud-stored device backups, and victims should ensure two-factor authentication on their Apple Account and review and remove unrecognized devices from their account. For customers, inclusion in the dataset confirms participation in a stalkerware operation that has now ceased operation, with potential employment, relationship, and legal consequences depending on the jurisdiction and the consent status of the surveillance target.

Spyware platforms collect customer identity, billing records, target-device identifiers, monitoring settings, and exfiltrated mobile activity tied to covert surveillance.

Spyic was taken offline in approximately May 2025 along with sibling stalkerware applications Cocospy and Spyzie following the February 2025 breach disclosure. The Spyic website disappeared, the application stopped functioning, and the operators' Amazon Web Services cloud storage was deleted. TechCrunch reported that the shutdown likely reflects an attempt to escape legal and reputational fallout rather than a genuine remediation. Spyic operators did not respond to TechCrunch requests for comment and have not publicly acknowledged the breach or shutdown. The case has been counted by TechCrunch as among the 25 known stalkerware operations breached since 2017, alongside Cocospy and Spyzie from the same operator chain.