Stalkerware apps Cocospy and Spyic data breach exposes 2.65 million user accounts

Summary

Security researchers discovered a vulnerability in the stalkerware apps Cocospy and Spyic that allowed anyone to download personal data, including messages, photos, call logs and the email addresses of registered users. By exploiting the flaw, they scraped roughly 1.81 million Cocospy and 880,000 Spyic email addresses (about 2.65 million unique accounts) and shared the list with the Have I Been Pwned service. The apps route traffic through Cloudflare and store data on Amazon Web Services, and the breach is linked to the China‑based developer 711.icu; the operators have not responded to requests for comment and the bug remains unpatched.