Highly sensitive personal data belonging to a European celebrity — apparently gathered through stalkerware or spyware — was left publicly exposed online until a security researcher discovered and flagged the breach, illustrating in stark terms the compounding dangers faced by victims of covert surveillance software.
A security researcher recently uncovered publicly accessible data that appears to have been compiled using spyware targeting a European celebrity, according to a report by WIRED. The incident underscores what privacy advocates have long warned: the dangers of stalkerware do not end with the act of surveillance itself — they extend to the catastrophic risks of that data being further exposed, leaked, or misused.
Stalkerware refers to a category of software typically installed covertly on a victim's device, often by an intimate partner or abuser, designed to secretly monitor calls, messages, location, photos, and other sensitive information. The data gathered can be extraordinarily intimate, capturing virtually every aspect of a person's private life.
In this case, the data — which reportedly included highly personal information — was not secured behind adequate access controls, meaning it was potentially visible to anyone who stumbled upon or searched for it. The researcher who found the exposure alerted relevant parties, prompting the data to be taken down. The identity of the celebrity and the specific stalkerware platform involved have not been publicly disclosed.
The episode highlights what security researchers describe as a "double victimisation" problem inherent to stalkerware: first, the person is surveilled without their knowledge or consent; second, that sensitive information is then stored — often by poorly secured third-party operators — creating an additional layer of risk.
The Coalition Against Stalkerware, an international advocacy group, has previously documented numerous cases in which stalkerware companies have themselves suffered data breaches, exposing victims' information to hackers, the public, or both. Researchers at cybersecurity firms including Kaspersky and ESET have repeatedly flagged the security deficiencies common among stalkerware vendors.
Legal frameworks around stalkerware vary considerably by jurisdiction. In the European Union, the General Data Protection Regulation (GDPR) imposes strict obligations on how personal data is collected and stored, though enforcement against stalkerware operators — many of which operate across borders or in legal grey zones — remains patchy. In the United States, the Federal Trade Commission has taken action against a small number of stalkerware companies in recent years, though advocates say enforcement has not kept pace with the proliferation of such tools.
Privacy researchers note that celebrities and public figures may be at heightened risk of targeted spyware deployment due to their high profiles, but stress that stalkerware victims are overwhelmingly ordinary people, most commonly women in abusive relationships. Domestic violence organisations frequently encounter clients whose abusers have used such tools to monitor and control them.
Analysis
Why This Matters
- Stalkerware victims face a compounded privacy nightmare: not only is their data harvested covertly, but it may then be stored insecurely by third-party operators, leaving them exposed to further harms including public exposure, blackmail, or harassment.
- This incident reinforces longstanding concerns that stalkerware companies operate with minimal accountability and inadequate data security practices, even as the tools they sell are used to facilitate domestic abuse and coercive control.
- Regulatory and law enforcement responses remain fragmented globally, meaning victims have limited recourse even when violations are documented.
Background
Stalkerware has existed in various forms since the early days of mobile computing, but the proliferation of smartphones dramatically expanded its reach and capability. By the 2010s, a cottage industry of commercial spyware products — often marketed under euphemisms like "parental monitoring" or "employee tracking" software — had emerged, with many explicitly targeting intimate partners.
The cybersecurity community began formally documenting the stalkerware problem in the mid-2010s. Investigations by Motherboard (Vice) in the late 2010s exposed how companies such as FlexiSpy and mSpy operated openly, marketing surveillance capabilities to abusers. In 2019, the Coalition Against Stalkerware was founded, bringing together domestic violence advocates and cybersecurity researchers.
Over the past decade, multiple stalkerware vendors have suffered significant data breaches, including SpyFone and TheTruthSpy, exposing the data of tens of thousands of victims. The FTC has taken enforcement action in a handful of cases, but critics argue the penalties have been insufficient to deter the broader industry.
Key Perspectives
Security Researchers: Argue that this case exemplifies a systemic failure — stalkerware operators routinely store sensitive victim data with poor security hygiene, creating a ticking clock for additional breaches. They call for stronger regulatory action and improved detection tools built into mobile operating systems.
Privacy and Domestic Violence Advocates: Emphasise that while celebrity cases attract media attention, the vast majority of stalkerware victims are survivors of intimate partner violence for whom the exposure of such data can have life-threatening consequences. They call for better victim support resources and clearer legal pathways for redress.
Critics/Skeptics: Some legal scholars caution that overly broad crackdowns on monitoring software could inadvertently restrict legitimate uses, such as parental monitoring of young children. They argue the focus should be on consent and transparency rather than blanket prohibition — though most concede that covert installation is indefensible regardless of context.
What to Watch
- Whether European data protection authorities launch an investigation under GDPR, which could result in significant penalties if a covered entity is found responsible for the exposure.
- Identification of the specific stalkerware platform involved — if named, it could face regulatory scrutiny, civil litigation, or pressure from app stores and payment processors to delist its services.
- Broader legislative momentum: several EU member states and US states are currently considering or have recently enacted laws specifically targeting stalkerware; this incident may accelerate those efforts.