Spyware appears to have captured everything from intimate photos to private messages from the smartphone of European celebrity. They were publicly accessible until a researcher flagged the exposure.Stalkerware, a malicious software, has been known to enable individuals to clandestinely monitor the activities of their romantic partners, family members, or associates. This is achieved by infecting the target’s phone and surreptitiously gathering their text messages, photos, location information, and other data. The software is deeply invasive, but the concerns raised by digital rights advocates extend beyond the violation of personal privacy. They warn of the additional risk that data collected through spyware could be compromised by an unrelated third party, leading to a catastrophic privacy breach. Recent research has brought to light a chilling example of this worst-case scenario.
In a report released on Thursday, a security researcher unveiled the discovery of a cloud repository that was alarmingly accessible to anyone on the open internet, devoid of any access controls. This repository held close to 90,000 screenshots, revealing the private messages, photos, and phone usage of a European celebrity. The evidence suggests that these were compiled using stalkerware.
Jeremiah Fowler, a researcher with Black Hills Information Security, who stumbled upon the exposed data, shared his findings with WIRED. “All the selfies were one person, all the chats were one person, and it was basically everyone they chatted with divided into Instagram, Facebook, TikTok, and WhatsApp,” he said. The repository contained explicit images and photos that were clearly intended to remain private.
Fowler’s analysis of the 86,859 images revealed that they captured the celebrity’s private conversations with models, influencers, and other high-profile individuals, some of whom boast millions of followers on their social media accounts. The screenshots also exposed business conversations, invoices, personal payment details, phone numbers, partial credit card numbers, and a wealth of sensitive information.
“The initial victim is captured, but everyone they communicate with is also victimized,” Fowler pointed out. He has chosen not to disclose the identity of the apparent victim or their associates and has reported the incident to local law enforcement. “Even though this is a very public person, even public people deserve privacy,” Fowler added.
Exposed cloud repositories have been a persistent issue in the realm of privacy and digital security. However, these open data troves usually belong to companies that inadvertently leave access open due to misconfigurations or oversights, thereby exposing corporate secrets or customer information. In this instance, the exposed data seemed to be owned by an individual. Fowler attempted to contact the apparent victim based on the material in the dataset but ultimately notified the cloud service hosting the data. The company then reached out to the owner to secure the data. Fowler has chosen not to publicly name the host.
The exposed files bear all the hallmarks of data collected using spyware—screenshots of particularly sensitive and intimate digital activity taken over a specific period. Fowler, who regularly investigates exposed datasets, was drawn to this trove because of its unique characteristics.
This incident serves as a stark reminder of the dangers of stalkerware and the potential for catastrophic privacy breaches. It underscores the need for robust digital security measures and the importance of respecting personal privacy, even in the digital realm. As technology continues to evolve, so too must our understanding and handling of the risks it presents.