The spyware operation's exposed customer email addresses and passwords were shared with data breach notification service Have I Been Pwned.
A security vulnerability in a stealthy Android spyware operation called Catwatchful has exposed thousands of its customers, including its administrator.
The bug, which was discovered by security researcher Eric Daigle, spilled the spyware app’s full database of email addresses and plaintext passwords that Catwatchful customers use to access the data stolen from the phones of their victims.
Catwatchful is spyware masquerading as a child monitoring app that claims to be “invisible and cannot be detected,” all the while uploading the victim’s phone’s private contents to a dashboard viewable by the person who planted the app. The stolen data includes the victims’ photos, messages, and real-time location data. The app can also remotely tap into the live ambient audio from the phone’s microphone and access both front and rear phone cameras.
Spyware apps like Catwatchful are banned from the app stores and rely on being downloaded and planted by someone with physical access to a person’s phone. As such, these apps are commonly referred to as “stalkerware” (or spouseware) for their propensity to facilitate non-consensual surveillance of spouses and romantic partners, which is illegal.
Catwatchful is the latest example in a growing list of stalkerware operations that have been hacked, breached, or otherwise exposed the data they obtain, and is at least the fifth spyware operation this year to have experienced a data spill. The incident shows that consumer-grade spyware continues to proliferate, despite being prone to shoddy coding and security failings that expose both paying customers and unsuspecting victims to data breaches.
According to a copy of the database from early June, which TechCrunch has seen, Catwatchful had email addresses and passwords on more than 62,000 customers and the phone data from 26,000 victims’ devices.
Most of the compromised devices were located in Mexico, Colombia, India, Peru, Argentina, Ecuador, and Bolivia (in order of the number of victims). Some of the records date back to 2018, the data shows.
The Catwatchful database also revealed the identity of the spyware operation’s administrator, Omar Soca Charcov, a developer based in Uruguay. Charcov opened our emails, but did not respond to our requests for comment sent in both English and Spanish. TechCrunch asked if he was aware of the Catwatchful data breach, and if he plans to disclose the incident to its customers.
Without any clear indication that Charcov will disclose the incident, TechCrunch provided a copy of the Catwatchful database to data breach notification service Have I Been Pwned.
The ICO said over 150,000 U.K. residents had data stolen in the breach.
The U.K. data protection watchdog has fined 23andMe £2.31 million ($3.1 million) for failing to protect U.K. residents’ personal and genetic data prior to its 2023 data breach.
The Information Commissioner’s Office (ICO) said on Tuesday it has fined the genetic testing company as it “did not have additional verification steps for users to access and download their raw genetic data” at the time of its cyberattack.
In 2023, hackers stole private data on more than 6.9 million users over a months-long campaign by accessing thousands of accounts using stolen credentials. 23andMe did not require its users to use multi-factor authentication, which the ICO said broke U.K. data protection law.
The ICO said over 155,000 U.K. residents had their data stolen in the breach.
In response to the fine, 23andMe told TechCrunch that it had rolled out mandatory multi-factor authentication for all accounts.
The ICO said it is in contact with 23andMe’s trustee following the company’s filing for bankruptcy protection. A hearing on 23andMe’s sale is expected later on Wednesday.
The government cited the recent hacks on Bank Sepah and cryptocurrency exchange Nobite as reasons to shut down internet access to virtually all Iranians.
Earlier this week, virtually everyone in Iran lost access to the internet in what was called a “near-total national internet blackout.”
At the time, it was unclear what happened or who was responsible for the shutdown, which has severely limited Iranians’ means to get information about the ongoing war with Israel, as well as their ability to communicate with loved ones inside and outside of the country.
Now Iran’s government has confirmed that it ordered the shutdown to protect against Israeli cyberattacks.
“We have previously stated that if necessary, we will certainly switch to a national internet and restrict global internet access. Security is our main concern, and we are witnessing cyberattacks on the country’s critical infrastructure and disruptions in the functioning of banks,” Fatemeh Mohajerani, Iran’s government spokesperson, was quoted as saying in a local news story. “Many of the enemy’s drones are managed and controlled via the internet, and a large amount of information is exchanged this way. A cryptocurrency exchange was also hacked, and considering all these issues, we have decided to impose internet restrictions.”
The pro-Israeli hacktivist group Predatory Sparrow claimed on Tuesday to have hacked and taken down Iran’s Bank Sepah.
The group, which is also known by its Persian name Gonjeshke Darande, claimed responsibility for the hack on X.
“We, ‘Gonjeshke Darande,’ conducted cyberattacks which destroyed the data of the Islamic Revolutionary Guard Corps’ ‘Bank Sepah,’” the group wrote.
The group claimed Bank Sepah is an institution that “circumvented international sanctions and used the people of Iran’s money to finance the regime’s terrorist proxies, its ballistic missile program and its military nuclear program.”
According to the independent news site Iran International, there are reports of “widespread banking disruptions” across the country. Iran International said several Bank Sepah branches were closed on Tuesday, and customers told the publication that they were unable to access their accounts.
Ariel Oseran, a correspondent for i24NEWS, posted pictures of ATMs in Iran displaying an error message.
TechCrunch could not independently verify the group’s alleged cyberattack. We reached out to two Bank Sepah Iranian email addresses, but the messages returned an error. Bank Sepah’s affiliates in the U.K. and Italy did not immediately respond to requests for comment.
Predatory Sparrow did not respond to a request for comment sent to their X account, and via Telegram.
The alleged cyberattack on Bank Sepah comes as Israel and Iran are bombing each other’s countries, a conflict that started after Israel began targeting nuclear energy facilities, military bases, and senior Iranian military officials on Friday.
It’s unclear who is behind Predatory Sparrow. The group clearly fashions itself as a pro-Israel or at least anti-Iran hacktivist group and has targeted companies and organizations in Iran for years. Cybersecurity researchers believe the group has had success in the past and made credible claims.
Researchers revealed on Thursday that two European journalists had their iPhones hacked with spyware made by Paragon. Apple says it has fixed the bug that was used to hack their phones.
The Citizen Lab wrote in its report, shared with TechCrunch ahead of its publication, that Apple had told its researchers that the flaw exploited in the attacks had been “mitigated in iOS 18.3.1,” a software update for iPhones released on February 10.
Until this week, the advisory of that security update mentioned only one unrelated flaw, which allowed attackers to disable an iPhone security mechanism that makes it harder to unlock phones.
On Thursday, however, Apple updated its February 10 advisory to include details about a new flaw, which was also fixed at the time but not publicized.
“A logic issue existed when processing a maliciously crafted photo or video shared via an iCloud Link. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals,” reads the now-updated advisory.
In the final version of its report published Thursday, The Citizen Lab confirmed this is the flaw used against Italian journalist Ciro Pellegrino and an unnamed “prominent” European journalist
It’s unclear why Apple did not disclose the existence of this patched flaw until four months after the release of the iOS update, and an Apple spokesperson did not respond to a request for comment seeking clarity.
The Paragon spyware scandal began in January, when WhatsApp notified around 90 of its users, including journalists and human rights activists, that they had been targeted with spyware made by Paragon, dubbed Graphite.
Then, at the end of April, several iPhone users received a notification from Apple alerting them that they had been the targets of mercenary spyware. The alert did not mention the spyware company behind the hacking campaign.
On Thursday, The Citizen Lab published its findings confirming that two journalists who had received that Apple notification were hacked with Paragon’s spyware.
It’s unclear if all the Apple users who received the notification were also targeted with Graphite. The Apple alert said that “today’s notification is being sent to affected users in 100 countries.”
The compliance company said the customer data exposure was caused by a product change.
ompliance company Vanta has confirmed that a bug exposed the private data of some of its customers to other Vanta customers. The company told TechCrunch that the data exposure was a result of a product code change and not caused by an intrusion.
Vanta, which helps corporate customers automate their security and compliance processes, said it identified an issue on May 26 and that remediation will complete June 4.
The incident resulted in “a subset of data from fewer than 20% of our third-party integrations being exposed to other Vanta customers,” according to the statement attributed to Vanta’s chief product officer Jeremy Epling.
Epling said fewer than 4% of Vanta customers were affected, and have all been notified. Vanta has more than 10,000 customers, according to its website, suggesting the data exposure likely affects hundreds of Vanta customers.
One customer affected by the incident told TechCrunch that Vanta had notified them of the data exposure. The customer said Vanta told them that “employee account data was erroneously pulled into your Vanta instance, as well as out of your Vanta instance into other customers’ instances.”
Victoria’s Secret hit by outages as it battles security incident
Fashion retail giant Victoria’s Secret said it is addressing a “security incident,” as its website and online orders face ongoing disruption.
Victoria’s Secret posted the brief statement on its website Wednesday. The company’s outages began earlier on Monday, as users have reported not being able to access the Victoria’s Secret website.
“We immediately enacted our response protocols, third-party experts are engaged, and we took down our website and some in store services as a precaution,” a spokesperson for Victoria’s Secret said in response to TechCrunch’s inquiries. The spokesperson did not provide their name nor describe the nature of the cybersecurity incident.
“We are working to quickly and securely restore operations,” the spokesperson said. The company said its stores remain open.
Victoria’s Secret closed down 7% on the news of the security incident.
US man who hacked SEC’s X account to spike Bitcoin price sentenced to prison
Eric Council Jr., 26, was sentenced to 14 months in prison and three years of supervised release on Friday for participating in the hack of the official X account of the U.S. Securities and Exchange Commission.
The U.S. Department of Justice announced the sentencing in a press release. Council and other hackers took over the SEC’s X account in 2024 to falsely announce that the agency had approved Bitcoin exchange traded funds, or ETFs, which shot up the price of the cryptocurrency before later dropping.
According to the DOJ, Council and his co-conspirators performed a SIM swap attack against the cellphone account of a person who had access to the SEC’s X account, which allowed the hackers to take control of their phone number. From there, the hackers reset the password of the SEC’s X account, granting them control of the account.
U.K. retail giant Marks & Spencer has confirmed hackers stole its customers’ personal information during a cyberattack last month.
In a brief statement with London’s stock exchange on Tuesday, the retailer said an unspecified amount of customer information was taken in the data breach. The BBC, which first reported the company’s filing, cited a Marks & Spencer online letter as saying that the stolen data includes customer names, dates of birth, home and email addresses, phone numbers, household information and online order histories.
The company also said it was resetting the online account passwords of its customers.
Marks & Spencer continues to experience disruption and outages across its stores, with some grocery shelves remaining empty after the hack affected the company’s operations. The company’s online ordering system for customers also remains offline.
It’s not clear how many individuals’ data was stolen during the hack. When reached by TechCrunch, Marks & Spencer spokesperson Alicia Sanctuary would not say how many individuals are affected and referred TechCrunch to its online statement. Marks & Spencer had 9.4 million online customers as of 30 March 2024, per its most recent annual report.
Spyware maker NSO Group will have to pay more than $167 million in damages to WhatsApp for a 2019 hacking campaign against more than 1,400 users.
On Tuesday, after a five-year legal battle, a jury ruled that NSO Group must pay $167,254,000 in punitive damages and around $444,719 in compensatory damages.
This is a huge legal win for WhatsApp, which had asked for more than $400,000 in compensatory damages, based on the time its employees had to dedicate to remediate the attacks, investigate them, and push fixes to patch the vulnerability abused by NSO Group, as well as unspecified punitive damages.
WhatsApp’s spokesperson Zade Alsawah said in a statement that “our court case has made history as the first victory against illegal spyware that threatens the safety and privacy of everyone.”
Alsawah said the ruling “is an important step forward for privacy and security as the first victory against the development and use of illegal spyware that threatens the safety and privacy of everyone. Today, the jury’s decision to force NSO, a notorious foreign spyware merchant, to pay damages is a critical deterrent to this malicious industry against their illegal acts aimed at American companies and the privacy and security of the people we serve.”
NSO Group’s spokesperson Gil Lainer left the door open for an appeal.
“We will carefully examine the verdict’s details and pursue appropriate legal remedies, including further proceedings and an appeal,” Lainer said in a statement.
A Chinese startup, Sand AI, appears to be blocking certain politically sensitive images from its online video generation tool.
A China-based startup, Sand AI, has released an openly licensed, video-generating AI model that’s garnered praise from entrepreneurs like the founding director of Microsoft Research Asia, Kai-Fu Lee. But Sand AI appears to be censoring the hosted version of its model to block images that might raise the ire of Chinese regulators from the hosted version of the model, according to TechCrunch’s testing.
Earlier this week, Sand AI announced Magi-1, a model that generates videos by “autoregressively” predicting sequences of frames. The company claims the model can generate high-quality, controllable footage that captures physics more accurately than rival open models.
The crosswalk buttons, which include audio alerts, were hacked over the weekend.
"Don't do crime," the ransomware gang's dark web leak site reads.
Are you willing to hack and take control of Chinese websites for a random person for up to $100,000 a month?
Someone is making precisely that tantalizing, bizarre, and clearly sketchy job offer. The person is using what looks like a series of fake accounts with avatars displaying photos of attractive women and sliding into the direct messages of several cybersecurity professionals and researchers on X in the last couple of weeks.
Cybersecurity firm Lookout found several samples of a North Korean spyware it calls KoSpy.
Affected staff say more than 100 employees working to protect U.S. government networks were ‘axed’ with no prior warning
Another little-known phone monitoring outfit has quietly amassed half a million customers, whose email addresses are now in Have I Been Pwned.
Amnesty International said that Google fixed previously unknown flaws in Android that allowed authorities to unlock phones using forensic tools. On
Security researchers found evidence that Cellebrite was used by Serbian police to hack into the cellphones of a local journalist and an activist.
North Korea is behind the massive crypto hack, according to several blockchain monitoring firms and a well-known researcher
