These days there’s an app for everything. While that’s convenient, there’s also a downside: The real possibility of users’ data getting into the wrong hands.

Motherboard reports that a popular app called Xnore was mistakenly allowing users of its service to intercept and retain information from other users on Xnore’s site – roughly 28,000 people. This was revealed only after an anonymous hacker’s discovery and subsequent tip.

The Xnore app, which records all communications, including Facebook and WhatsApp messages, emails, texts and phone calls, was designed from the start to allow spying – for instance, parents on children, companies on employees, spouses on each other. But a flaw in its map feature kicked the spying capability up a notch.

Explains Motherboard, “Customer accounts were exposed by a map feature on Xnore’s website. The flaw allowed anyone who viewed the HTML code of the page to see the mobile identifier used by Xnore to view any collected data. This identifier could then be used to add the intercepted data of someone else’s account to your own.”

This breach of security is part of a growing wave of inadequate “stalkerware” security practices. As a result, the volume of personal data and sensitive details exposed on the web is creating an unsafe environment for those targeted through the applications.

Interestingly, Motherboard notes that Xnore’s website uses some of the same marketing images and text as FlexiSpy, yet another spyware company that has been in the news. According to Motherboard, FlexiSpy denies any connection to Xnore.

The hacker who tipped off Motherboard about the Xnore breach has also discovered personal data security breaches in apps such as Copy9 and TheTruthSpy. As more mobile applications pop up, it becomes increasingly important to understand what personal data is being uploaded to these apps, and how much sensitive information is stored on a mobile device in general.

Get the full story at Motherboard