A cloud repository containing nearly 90,000 screenshots of a European celebrity’s private messages, photos, and phone activity was left publicly accessible on the open internet with no access controls, according to findings released Thursday by security researcher Jeremiah Fowler of Black Hills Information Security.
The exposed data — spanning mid-2024 to mid-2025 — appeared to have been gathered using Cocospy, a known off-the-shelf spyware tool. The repository was named “Cocospy,” which first drew Fowler’s attention. The files carried all the hallmarks of stalkerware-collected data: screenshots of sensitive digital activity taken at regular intervals across a defined time period.
Among the 86,859 images were private conversations across Instagram, Facebook, TikTok, and WhatsApp, along with nudity, business invoices, personal payment details, phone numbers, and partial credit card numbers. The celebrity’s contacts — including models, influencers, and other high-profile individuals with millions of social media followers — were also captured in the data. “You capture the initial victim, but you also victimize everyone they communicate with,” Fowler told WIRED.
Fowler has declined to name the apparent victim or their associates, citing privacy concerns. He reported the incident to local law enforcement and notified the unnamed cloud hosting company, which then contacted the data’s owner to have it secured.
Cocospy, along with two related apps sharing much of the same source code, went offline in early 2025 after a separate security flaw exposed vast amounts of victim data and millions of customer email addresses. Security researcher Vangelis Stykas, who analyzed Cocospy, described it as “full-blown spyware” that “pretty much uploads everything from your phone to their cloud,” including a stealth mode capable of taking screenshots every few minutes.
The case illustrates a risk that digital rights advocates have long warned about: stalkerware does not only violate a victim’s privacy directly — it also creates a secondary exposure risk if the collected data is later accessed by an unrelated third party. This incident suggests that risk is not theoretical.
Source: WIRED