Back in 2013, Robin McGraw, wife of U.S. television personality Dr. Phil, launched an app to help domestic violence victims covertly signal for distress. It was quickly heralded as a potential lifesaver for those in harm’s way.
Aspire News, which claims over 300,000 downloads, is disguised to look like an innocuous news reading app that domestic violence victims can use to alert friends and family to abuse or danger. When a victim taps the top bar of the app three times, the app can alert trusted contacts with a prewritten message, a prerecorded voice note and the victim’s precise location by text message to indicate that they need help or are in danger.
But a security lapse meant that those uploaded voice recordings were left exposed on an unprotected cloud server for anyone to access.
Security researchers Noam Rotem and Ran Locar found the exposed recordings and reported the incident. The database was pulled offline shortly after. Rotem and Locar shared their findings exclusively with TechCrunch.
The cloud server contained over 4,000 recordings, dating back to September 2017. The recordings varied in length and nature, but some contained personally identifiable information, such as their name, address and phone number — information that could be relayed to the emergency services.
At least one recording we listened to explicitly stated the name of the victim’s abuser.
Given the sensitivity of the data, we did not reach out to app users for fear that it would compromise their safety.
Join 10k+ tech and VC leaders for growth and connections at Disrupt 2025
Netflix, Box, a16z, ElevenLabs, Wayve, Hugging Face, Elad Gil, Vinod Khosla — just some of the 250+ heavy hitters leading 200+ sessions designed to deliver the insights that fuel startup growth and sharpen your edge. Don’t miss the 20th anniversary of TechCrunch, and a chance to learn from the top voices in tech. Grab your ticket before doors open to save up to $444.
Join 10k+ tech and VC leaders for growth and connections at Disrupt 2025
Netflix, Box, a16z, ElevenLabs, Wayve, Hugging Face, Elad Gil, Vinod Khosla — just some of the 250+ heavy hitters leading 200+ sessions designed to deliver the insights that fuel startup growth and sharpen your edge. Don’t miss a chance to learn from the top voices in tech. Grab your ticket before doors open to save up to $444.
Instead, we confirmed that the data belonged to Aspire by downloading the app and recording a short voice snippet. When we triggered the alert, we received a text message with a web address to the recording file stored on the cloud server. That means anyone who received a similar link to a recording file could have easily found other recordings simply by shortening the full link.
We asked the foundation run by the McGraws, When Georgia Smiled, how long the cloud server was exposed and if it had plans to inform users of the security lapse, but a representative for the foundation did not comment.
A spokesperson for CBS, which airs Dr. Phil, did not respond to a request for comment.
If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides 24/7 free, confidential support to victims of domestic abuse and violence. If you are in an emergency situation, call 911.
A ‘stalkerware’ app leaked phone data from thousands of victims
