SpyFone 2018 Data Breach

SpyFone Mobile Stalkerware Breach (2018): 44K Accounts Exposed :: Audio Recordings, SMS Messages & Photos of Monitored Targets Made Public | ObscureIQ
ObscureIQ Breach Intelligence

Classification Tags

Anonymous researcher (FTC enforcement followed)MisconfigurationSpywareActivity HistoryAudio RecordingDevice InformationEmail AddressFull NameGeographic LocationIMEI
Moderate SeverityWebsite / service breach

SpyFone Mobile Stalkerware Breach (2018): 44K Accounts Exposed :: Audio Recordings, SMS Messages & Photos of Monitored Targets Made Public

Mobile stalkerware platform capturing communications and device activity.

Verified by ObscureIQ Intelligence
54/100Breach Risk Index
40Data Value
10Market Recency
2803dSince Breach

Breach Intelligence Summary

Entity: SpyFone · Actor: Anonymous researcher (FTC enforcement followed) · Sources: 2 references
Attack: Misconfiguration
Profile: Spyware / Stalkerware · Covert device monitoring and surveillance · Mobile spyware platform · Global
Timeline: Breach (2018-08-16) · Indexed (Aug 24, 2018) · Year (2018)
Exposure: 44K records · 11 fields: Activity History, Audio Recording, Device Information, Email Address, Full Name, Geographic Location, IMEI, IP Address, Messages & Chat, Password, Profile Photo
Status: Confirmed

Executive Summary

SpyFone, a mobile stalkerware application operated by Puerto Rico-based Support King, LLC, suffered a data breach in August 2018 when a security researcher discovered that SpyFone had left several terabytes of data harvested from more than 3,600 monitored devices publicly accessible via a misconfigured Amazon Web Services S3 storage bucket. The exposed data was the surveillance content collected from devices on which SpyFone customers had installed the application. The same researcher discovered that SpyFone's backend services could be accessed without credentials and that arbitrary administrative accounts could be created against the customer database. The breach was indexed by Have I Been Pwned on August 24, 2018. The breach affected approximately 44,100 unique customer email addresses based on records indexed by Have I Been Pwned, and approximately 2,200 individuals whose personal information was accessed by the attacker according to the FTC's subsequent investigation. Compromised customer fields included email addresses, names, IP addresses, geographic locations, browsing histories, IMEI device identifiers, and passwords stored in plaintext. Critically, the breach also exposed the surveillance content captured from the monitored target devices including photos, audio recordings, text messages, browsing histories, and GPS location data covering thousands of individuals who were being secretly monitored without their knowledge. SpyFone publicly promised to investigate the breach with an outside data security firm and law enforcement, but the FTC's subsequent investigation concluded that SpyFone failed to follow through on those promises. For surveillance targets and customers alike, the practical risk profile is exceptionally severe and varies between the two populations. For surveillance targets (the people whose devices were being secretly monitored), the breach exposed live and historical device data that may have been collected without their knowledge or consent, with the U.S. National Domestic Violence Hotline (1-800-799-7233) and the Coalition Against Stalkerware providing resources for individuals who suspect they may have been monitored. Affected device owners may have received an FTC-mandated notification from Support King under the 2021 consent order alerting them that their devices were monitored and may not be secure. For customers (the people who purchased SpyFone to surveil others), the breach exposed their identification as someone who purchased and used surveillance software, with potential employment, relationship, and legal consequences depending on the jurisdiction and the consent status of the surveillance target. Customers should change all reused passwords on other accounts because the plaintext password exposure means any account where the same password was reused is fully compromised. The U.S. Wiretap Act and the Computer Fraud and Abuse Act may apply to customers whose use of SpyFone constituted unauthorized surveillance of devices they did not own or were not authorized to monitor.

ObscureIQ assessment: Extremely sensitive. Exposure can reveal victims, operators, and surveillance patterns, enabling stalking, coercion, and serious privacy and safety harms.

Breach Impact

The institutional impact on Support King and CEO Scott Zuckerman has been substantial and effectively terminal. The September 1, 2021 FTC consent order permanently banned both the company and its CEO from offering, promoting, selling, or advertising any surveillance product or service anywhere in the United States. The 2025 FTC denial of the petition to vacate confirms the ongoing enforcement of the ban. Support King was required to delete all illegally collected data and to notify affected device owners that their devices may have been monitored. The case has been formally cited as the leading FTC stalkerware enforcement precedent and has been broadly cited in U.S. and international cybersecurity coverage as illustrating the regulatory framework available to address consumer-grade stalkerware operations. Civil litigation exposure for affected device owners remains available under U.S. wiretap and computer-fraud statutes including the Wiretap Act and the Computer Fraud and Abuse Act.

About SpyFone

SpyFone was a mobile stalkerware application operated by Support King, LLC, a Puerto Rico-based company under the leadership of CEO Scott Zuckerman. SpyFone was marketed as a tool for parental monitoring and employee surveillance, with prices starting at approximately $99.95 per year and an 'Extreme' subscription tier that included remote camera control, microphone activation, and call recording capabilities. The application required physical installation on Android target devices with security restriction bypass, and certain monitoring features (such as email monitoring) required the target device to be 'rooted.' SpyFone provided customers with explicit instructions on how to hide the application so that the device user remained unaware of the surveillance. As a stalkerware platform, SpyFone collected and stored extensive surveillance data from monitored devices including photos, audio recordings, text messages, browsing histories, GPS locations, IMEI device identifiers, and contacts.

Why They Hold Your Data

Mobile spyware platforms collect customer records, target-device identifiers, monitoring settings, and exfiltrated activity data tied to covert surveillance workflows.

Recent Developments

SpyFone is now defunct. Following the 2018 breach, the U.S. Federal Trade Commission brought an enforcement action against Support King, LLC and CEO Scott Zuckerman, resulting in a final consent order on September 1, 2021 that became the first FTC ban of a stalkerware company from the surveillance industry (after the agency's 2019 Retina-X enforcement action which banned the sale of three specific Retina-X applications without imposing a full surveillance-business ban). The FTC order required Support King and Zuckerman to delete all illegally collected data, notify affected device owners, and permanently exit the surveillance industry. In 2025, the FTC denied a petition to vacate or modify the 2021 order. The case has been formally cited in Coalition Against Stalkerware advocacy commentary and in subsequent FTC stalkerware enforcement actions as setting the precedent for full surveillance-industry bans rather than product-specific restrictions.

Data Points Exposed

11 verified field types
Activity History
Audio Recording High
Device Information
Email Address
Full Name High
Geographic Location
IMEI
IP Address
Messages & Chat High
Password Critical
Profile Photo

Field names are shown in full for clarity and search visibility. Canonical machine keys are emitted only in this page’s structured data.

Exploitation & Downstream Threats

Threat Activity:Moderate
Primary downstream threats:
  • Credential stuffing against reused passwords across other platforms
  • Targeted phishing campaigns using exposed email addresses
  • Doxxing risk from physical address exposure
Threat vectors:
  • Extortion & preference exploitation
  • Voiceprint cloning & AI-assisted fraud
  • Device fingerprinting & targeted exploitation
  • Phishing, credential stuffing & account takeover
  • Name-based social engineering
  • Pattern-of-life analysis & physical surveillance
  • Device cloning & SIM swap facilitation
  • Geolocation & account flagging
  • SIM swap confirmation & relationship exploitation
  • Credential stuffing & account takeover
  • Deepfake & identity document fraud
  • Facial recognition & physical identification

Threat Actor: Anonymous researcher (FTC enforcement followed)

Anonymous researcher (FTC enforcement followed)
Misconfiguration

Attribution and method are based on available breach intelligence. Reported attack vector: Misconfiguration.

Recommended Actions

If you believe your information may be included:

Change Reused Passwords
Update this account and anywhere you reused the password; use a manager.
Password manager guide
Enable MFA Everywhere
Turn on multi-factor authentication on email first, then financial accounts.
Find 2FA settings
Report & Recover
If you spot misuse, start an official recovery plan and report fraud.
IdentityTheft.govReport to FTC

Frequently Asked Questions

What happened in the SpyFone breach?

SpyFone, a mobile stalkerware application operated by Puerto Rico-based Support King, LLC, suffered a data breach in August 2018 when a security researcher discovered that SpyFone had left several terabytes of data harvested from more than 3,600 monitored devices publicly accessible via a…

What data was exposed?

Verified fields include Activity History, Audio Recording, Device Information, Email Address, Full Name, Geographic Location, IMEI, IP Address, Messages & Chat, Password, Profile Photo.

What should I do if I was affected?

Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.

Sources & References

Every claim on this page is traceable. This breach draws on:

Breach Index
Have I Been Pwned
Record & field corroboration
ObscureIQ Intelligence
ObscureIQ proprietary analysis
Risk Index scoring & downstream-threat assessment

Protect Yourself

Check If You're Affected

Enter your email to check whether your data appears in this breach. We’ll send a 6-digit code to confirm it’s your address.

Get Free Breach Alerts

Be the first to know when new breaches are disclosed. Free forever — confirm your email with a 6-digit code.

High-Risk? Get an Exposure Audit

Executives, public figures, and high-visibility operators can receive tailored exposure intelligence and hardening guidance.

Request Consultation