\n<\/p>\n
There is a whole shady industry for people who want to monitor and spy on their families. Multiple app makers promote and advertise their software \u2014 often referred to as stalkerware<\/a> \u2014 to jealous partners who can use these apps to access their victims\u2019 phones remotely.\u00a0\u00a0<\/p>\n Yet, despite how sensitive this personal data is, an increasing number of these companies are losing huge amounts of it.\u00a0\u00a0<\/p>\n According to TechCrunch\u2019s ongoing tally, including the most recent data spill involving uMobix<\/a>, there have been at least 27 stalkerware companies since 2017 that are known to have been hacked or leaked customer and victims\u2019 data online.\u00a0<\/p>\n That\u2019s not a typo. Dozens of stalkerware companies have either been hacked or had a significant data exposure in recent years. And at least four stalkerware companies were hacked multiple times.<\/p>\n The makers of uMobix and associated mobile tracking apps, like Geofinder and Peekviewer, are the latest stalkerware providers to expose sensitive customer data, after a hacktivist scraped the payment information of more than 500,000 customers<\/a> and published them online. The hacktivist said they did this as a way to go after stalkerware apps, following in the footsteps of two groups of hacktivists<\/a> that broke into Retina-X and FlexiSpy almost a decade ago.<\/p>\n The uMobix data leak comes after last year\u2019s breach of Catwatchful, which was used to compromise the phone data of at least 26,000 victims. Catwatchful was just one of several stalkerware incidents in 2025, which included SpyX<\/a>, and the data exposures of Cocospy, Spyic<\/a>, and Spyzie<\/a> surveillance operations, which left messages, photos, call logs, and other personal and sensitive data of millions of victims exposed online, according to a security researcher who found a bug that allowed them to access that data.<\/p>\n Prior to 2025, there were at least four massive stalkerware hacks in 2024.\u00a0<\/p>\n The last stalkerware breach in 2024 affected Spytech, a little-known spyware maker based in Minnesota<\/a>, which exposed activity logs from the phones, tablets, and computers monitored with its spyware. Before that, there was a breach at mSpy, one of the longest-running stalkerware apps, which exposed millions of customer support tickets<\/a>, which included the personal data of millions of its customers.\u00a0\u00a0<\/p>\n Previously, an unknown hacker broke into the servers of the U.S.-based stalkerware maker pcTattletale<\/a>. The hacker then stole and leaked the company\u2019s internal data. They also defaced pcTattletale\u2019s official website with the goal of embarrassing the company. The hacker referred to a recent TechCrunch article where we reported pcTattletale was used to monitor several front desk check-in computers<\/a> at a U.S. hotel chain.\u00a0\u00a0<\/p>\n As a result of this hack, leak, and shame operation, pcTattletale founder Bryan Fleming said he was shutting down<\/a> his company. Earlier this year, Fleming pled guilty<\/a> to charges of computer hacking, the sale and advertising of surveillance software for unlawful uses, and conspiracy.\u00a0<\/p>\n Consumer spyware apps like uMobix, Catwatchful, SpyX, Cocospy, mSpy, and pcTattletale are commonly referred to as \u201cstalkerware\u201d (or spouseware) because jealous spouses and partners use them to surreptitiously monitor and surveil their loved ones.\u00a0\u00a0<\/p>\n These companies often explicitly market their products as solutions to catch cheating partners by encouraging illegal and unethical behavior. There have been multiple court cases<\/a>, media investigations<\/a> and surveys of domestic abuse shelters<\/a> that show that online stalking and monitoring can lead to cases of real-world harm and violence.<\/p>\n That\u2019s in part why hackers have repeatedly targeted some of these companies.\u00a0<\/p>\n Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation and a leading researcher and activist who has investigated and fought stalkerware for years, said the stalkerware industry is a \u201csoft target.\u201d\u00a0\u00a0<\/p>\n \u201cThe people who run these companies are perhaps not the most scrupulous or really concerned about the quality of their product,\u201d Galperin told TechCrunch.\u00a0<\/p>\n Given the history of stalkerware compromises, that may be an understatement. And because of the lack of care for protecting their own customers \u2014 and consequently the personal data of tens of thousands of unwitting victims \u2014 using these apps is doubly irresponsible. The stalkerware customers may be breaking the law, abusing their partners by illegally spying on them, and, on top of that, putting everyone\u2019s data in danger.\u00a0<\/p>\n The flurry of stalkerware breaches began in 2017 when a group of hackers breached the U.S.-based Retina-X<\/a> and the Thailand-based FlexiSpy<\/a> back to back. Those two hacks revealed that the companies had a total number of 130,000 customers all over the world.\u00a0<\/p>\n At the time, the hackers who \u2014 proudly \u2014 claimed responsibility for the compromises explicitly said their motivations were to expose and hopefully help destroy an industry that they consider toxic and unethical.\u00a0<\/p>\n \u201cI\u2019m going to burn them to the ground, and leave absolutely nowhere for any of them to hide,\u201d one of the hackers involved then told Motherboard.\u00a0\u00a0<\/p>\n Referring to FlexiSpy, the hacker added: \u201cI hope they\u2019ll fall apart and fail as a company, and have some time to reflect on what they did. However, I fear they might try and give birth to themselves again in a new form. But if they do, I\u2019ll be there.\u201d\u00a0<\/p>\n Despite the hack, and years of negative public attention, FlexiSpy is still active today. The same cannot be said about Retina-X.\u00a0<\/p>\n The hacker who broke into Retina-X wiped its servers with the goal of hampering its operations. The company bounced back \u2014 and then it got hacked again a year later<\/a>. A couple of weeks after the second breach, Retina-X announced that it was shutting down<\/a>.\u00a0\u00a0<\/p>\n Just days after the second Retina-X breach, hackers hit Mobistealth and Spy Master Pro<\/a>, stealing gigabytes of customer and business records, as well as victims\u2019 intercepted messages and precise GPS locations. Another stalkerware vendor, the India-based SpyHuman<\/a>, encountered the same fate a few months later, with hackers stealing text messages and call metadata, which contained logs of who called who and when.\u00a0\u00a0<\/p>\n Weeks later, there was the first case of accidental data exposure, rather than a hack.\u00a0\u00a0<\/p>\n SpyFone left an Amazon-hosted S3 storage bucket unprotected online<\/a>, which meant anyone could view and download text messages, photos, audio recordings, contacts, location data, scrambled passwords and login information, Facebook messages, and more. All that data was stolen from victims, most of whom did not know they were being spied on, let alone know their most sensitive personal data was also on the internet for all to see.\u00a0\u00a0<\/p>\n Apart from uMobix, other stalkerware companies that over the years have irresponsibly left customer and victims\u2019 data online include: FamilyOrbit, which left 281 gigabytes of personal data online protected only by an easy-to-find password<\/a>; mSpy, which leaked over 2 million customer records<\/a> in 2018; Xnore, which let any of its customers see the personal data of other customers\u2019 targets<\/a>, including chat messages, GPS coordinates, emails, photos, and more; and MobiiSpy, which left 25,000 audio recordings and 95,000 images on a server accessible to anyone<\/a>.\u00a0<\/p>\n The list goes on: KidsGuard in 2020 had a misconfigured server that leaked victims\u2019 content<\/a>; pcTattletale, which prior to its 2024 hack also exposed screenshots of victims\u2019 devices uploaded in real-time<\/a> to a website that anyone could access; and Xnspy, whose developers left credentials and private keys left in the apps\u2019 code<\/a>, allowing anyone to access victims\u2019 data; Spyzie<\/a>, Cocospy and Spyic<\/a>, which left victims\u2019 messages, photos, call logs, and other personal data, as well as customers\u2019 email addresses, exposed online; and Catwatchful<\/a>, which exposed the full database of email addresses and plaintext passwords of customers.\u00a0<\/p>\n As far as other stalkerware companies that actually got hacked, apart from SpyX earlier in 2025<\/a>, there was Copy9, which saw a hacker steal the data of all its surveillance targets<\/a>, including text messages and WhatsApp messages, call recordings, photos, contacts, and brows history; LetMeSpy, which shut down after hackers breached and wiped its servers<\/a>; and the Brazil-based WebDetetive, which also got its servers deleted<\/a>, and then hacked again<\/a>.<\/p>\n There was also OwnSpy, which provides much of the back-end software for WebDetetive, which was hacked; Spyhide, which had a vulnerability in its code that allowed a hacker to access the back-end databases<\/a> and years of stolen around 60,000 victims\u2019 data; Oospy, which was a rebrand of Spyhide,<\/a> shut down for a second tim; and mSpy again.Finally there is TheTruthSpy, a network of stalkerware apps<\/a>, which holds the dubious record of having been hacked or having leaked data on at least three<\/a> separate<\/a> occasions<\/a>.\u00a0<\/p>\n Of these 27 stalkerware companies, eight have shut down, according to TechCrunch\u2019s tally.\u00a0\u00a0<\/p>\n In a first and so far unique case, the Federal Trade Commission banned SpyFone and its chief executive, Scott Zuckerman<\/a>, from operating in the surveillance industry following an earlier security lapse that exposed victims\u2019 data. Another linked operation called SpyTrac shut down<\/a> following a TechCrunch investigation. Last year, the FTC upheld its ban<\/a> on Zuckerman.\u00a0<\/p>\n PhoneSpector and Highster, two stalkerware apps that are not known to have been hacked, also shut down<\/a> after New York\u2019s attorney general accused the companies of explicitly encouraging customers to use their software for illegal surveillance.\u00a0\u00a0<\/p>\n But a company closing doesn\u2019t mean it\u2019s gone forever. As with Spyhide and SpyFone, some of the same owners and developers behind a shuttered stalkerware maker simply rebranded.\u00a0\u00a0<\/p>\n \u201cI do think that these hacks do things. They do accomplish things, they do put a dent in it,\u201d Galperin said. \u201cBut if you think that if you hack a stalkerware company, that they will simply shake their fists, curse your name, disappear in a puff of blue smoke and never be seen again, that has most definitely not been the case.\u201d\u00a0<\/p>\n \u201cWhat happens most often, when you actually manage to kill a stalkerware company, is that the stalkerware company comes up like mushrooms after the rain,\u201d Galperin added.\u00a0<\/p>\n There is some good news. In a report in 2023, security firm Malwarebytes said that the use of stalkerware is declining<\/a>, according to its own data of customers infected with this type of software. Also, Galperin reports seeing an increase in negative reviews of these apps, with customers or prospective customers complaining they don\u2019t work as intended.\u00a0<\/p>\n But, Galperin said that it\u2019s possible that security firms are not as good at detecting stalkerware as they used to be, or stalkers have moved from software-based surveillance to physical surveillance enabled by AirTags and other Bluetooth-enabled trackers.\u00a0<\/p>\n \u201cStalkerware does not exist in a vacuum. Stalkerware is part of a whole world of tech-enabled abuse,\u201d Galperin said.<\/p>\n Using spyware to monitor your loved ones is not only unethical, it\u2019s also illegal in most jurisdictions, as it\u2019s considered unlawful surveillance.\u00a0\u00a0<\/p>\n That is already a significant reason not to use stalkerware. Then there is the issue that stalkerware makers have proven time and time again that they cannot keep data secure \u2014 neither data belonging to the customers nor their victims or targets.\u00a0<\/p>\n Apart from spying on romantic partners and spouses, some people use stalkerware apps to monitor their children. While this type of use, at least in the United States, is legal, it doesn\u2019t mean using stalkerware to snoop on your kids\u2019 phone isn\u2019t creepy and unethical.\u00a0\u00a0<\/p>\n Even if it\u2019s used in a lawful way, Galperin thinks parents should not spy on their children without telling them, and without their consent.\u00a0<\/p>\n If parents do inform their children and get their go-ahead, parents should stay away from insecure and untrustworthy stalkerware apps, and use parental tracking tools built into Apple phones and tablets<\/a> and Android devices<\/a> that are safer and operate overtly. \u00a0<\/p>\n Here\u2019s the complete list of stalkerware companies that have been hacked or have leaked sensitive data since 2017, in chronological order:<\/p>\n If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides 24\/7 free, confidential support to victims of domestic abuse and violence. If you are in an emergency situation, call 911. The <\/em>Coalition Against Stalkerware<\/em><\/a> has resources if you think your phone has been compromised by spyware.<\/em><\/p>\n<\/div>\nA history of stalkerware hacks<\/h2>\n
Hacked, but unrepented<\/strong><\/h2>\n
Say no to stalkerware<\/strong><\/h2>\n
Recap of breaches and leaks<\/strong><\/h2>\n
\n