A Stalker's Own Database Exposed 86,859 Surveillance Images

The operator who installed the spyware was the one who left the cloud bucket open.


An unsecured, non-password-protected database containing 86,859 surveillance images — screenshots of WhatsApp, Facebook, Instagram, and TikTok activity captured from a single victim's device — was discovered exposed online by cybersecurity researcher Jeremiah Fowler, who notified law enforcement and published the findings via ExpressVPN. The apparent target, per Fowler, is a prominent European celebrity, entrepreneur, and media personality. Fowler declined to name them.

The inversion at the heart of the story: the database was not breached by an outside attacker. It was left open by the person operating the stalkerware against the victim. The spy was the one who slipped.

Discovery Summary: Stalkerware Database Exposure
| Detail | Information |
| --- | --- |
| Researcher | Jeremiah Fowler, co-founder of Security Discovery |
| Publisher | ExpressVPN (Fowler is a regular contributor) |
| Number of images | 86,859 surveillance screenshots |
| Apparent target | A single "prominent European celebrity, entrepreneur, and media personality" (Fowler declined to name) |
| Captured platforms | WhatsApp, Facebook, Instagram, TikTok |
| Material exposed | Intimate exchanges, private images, contact info, ID documents (invoices, receipts, IDs) |
| Database operator | Single individual, not a stalkerware vendor; the vendor whose name the database carried was not the owner |
| Discovery mechanism | Misconfigured cloud storage with no password protection |
| Researcher actions | Notified law enforcement; reached victim via phone numbers in screenshots |

What 86,859 Surveillance Screenshots of One Person Actually Looks Like

The captured material went well beyond casual monitoring. Screenshots included intimate and romantic exchanges, private images, phone numbers, email addresses, and photos of identification documents such as invoices, receipts, and IDs. Conversations swept up by the surveillance involved influencers with millions of followers, family members, friends, and business associates — none of whom had any reason to know their messages had been captured by software running on someone else's phone.

The database carried the name of "a well-known service that provides spyware promoted as monitoring software," Fowler reported, but did not appear to belong to that vendor. The pattern is consistent with an individual operator using a commercial stalkerware product to monitor one specific target, then storing the captured screenshots in their own misconfigured cloud storage.

Fowler has more than a decade of disclosure work behind him and is a co-founder of Security Discovery. Recent prior discoveries include a 184-million-credential infostealer database in May 2025 and a 149-million-credential exposure later that year. This finding lands alongside another European-target privacy story this week.

Why Fowler Won't Name the Victim, the Operator, or the Stalkerware Vendor

The victim's identity has not been confirmed; Fowler reached the target via phone numbers visible in the screenshots, but the victim's response has not been publicly disclosed. The operator has not been named. The specific commercial stalkerware product involved has not been named — and should not be guessed at, because the database did not belong to the vendor whose name it carried. Whether the captured material has been distributed elsewhere, and whether law enforcement action has followed Fowler's report, is also not stated.

The Narrow Enterprise Read: Executive-Protection Programs and Personal Devices

The enterprise read here is narrow but real: stalkerware is a personal-device threat that almost always requires brief physical access to the target's phone — typically by an intimate partner, family member, or insider. For executives, board members, and other high-profile employees whose compromise has organizational consequences, that places personal devices inside the threat model whether IT manages them or not.

For security leaders running executive-protection programs, the action items are familiar but worth re-checking: confirm MDM coverage extends to BYOD devices used for work communications, add stalkerware indicators (unusual battery drain, unfamiliar apps, unexpected accessibility-service permissions) to mobile awareness materials for executives, and ensure your incident response plan accounts for the case where an executive's personal phone has been monitored for months while being used to discuss sensitive matters.
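
A triage check for the accessibility-service indicator mentioned above, as an added example that is not part of the original article: it parses the output of two standard Android commands and flags enabled accessibility services that are unapproved or did not come from a trusted store. The sample outputs, package names, and both allowlists are constructed assumptions.

```python
import re

# Constructed sample of: adb shell settings get secure enabled_accessibility_services
ENABLED_SERVICES = ("com.google.android.marvin.talkback/.TalkBackService:"
                    "com.example.syncservice/.core.WatchService")
# Constructed sample of: adb shell pm list packages -i
PACKAGE_LIST = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.whatsapp  installer=com.android.vending
package:com.example.syncservice  installer=null
"""
# Assumptions: trusted app-store installers and already-approved service packages.
TRUSTED_INSTALLERS = {"com.android.vending"}
APPROVED_PACKAGES = {"com.google.android.marvin.talkback"}

def parse_installers(pm_output):
    """Map package name -> installer package (None when sideloaded or unknown)."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers

def parse_services(setting_value):
    """Split the colon-separated component list into (package, class) pairs."""
    value = setting_value.strip()
    if not value or value == "null":   # the setting prints "null" when unset
        return []
    return [tuple(c.split("/", 1)) for c in value.split(":") if "/" in c]

def audit(setting_value, pm_output):
    """Return enabled accessibility services that need human review."""
    installers = parse_installers(pm_output)
    findings = []
    for pkg, cls in parse_services(setting_value):
        if pkg in APPROVED_PACKAGES:
            continue
        untrusted = installers.get(pkg) not in TRUSTED_INSTALLERS
        findings.append({"package": pkg, "service": cls,
                         "reason": "untrusted installer" if untrusted else "unapproved"})
    return findings

if __name__ == "__main__":
    for finding in audit(ENABLED_SERVICES, PACKAGE_LIST):
        print(finding)
```

A finding is a prompt for review with the device owner, not proof of stalkerware; legitimate accessibility tools will also appear until they are added to the approved list.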

For everyone else, this is a privacy story, not a security-action story.


The CyberSignal Analysis

Signal 01 — Stalkerware operators are a worse adversary than the vendors they buy from

Commercial stalkerware vendors face occasional public scrutiny, defensive lawsuits, and platform-level pushback from Google and Apple. The individual operators who buy and deploy these tools face essentially none of that. Their operational security is whatever they cobble together — in this case, a cloud database with no password — and the privacy harm to victims and the people incidentally captured in the surveillance flows from those operator-side mistakes, not from the vendor's product. The privacy threat model for stalkerware is not "a vendor gets breached." It is "a single operator misconfigures one bucket."

Signal 02 — The collateral exposure of non-targets is the underreported harm in stalkerware cases

The 86,859 images captured one victim's device, but they captured conversations with influencers, family members, friends, and business associates — none of whom consented to surveillance, none of whom installed anything on their own phones. When a stalkerware database leaks, the privacy breach radiates outward to everyone the victim communicates with. That is the part of the story that does not show up in the headline number. It is also the part that makes "single-victim exposure" a misleading frame for the actual scope of harm.


Sources

| Type | Source |
| --- | --- |
| Primary | Jeremiah Fowler via ExpressVPN: Celebrities Stalkerware Data Exposed |
| Reporting | Hackread: Private Chats and Photos Expose Celeb Stalkerware Leak |
| Reporting | SC Media: Celebrity Data Leak Exposes Private Photos and Messages Due to Stalkerware |
| Reporting | FutureFive: Celebrity Stalkerware Leak Exposes Private Messages Online |