There’s a complete shady business for individuals who need to monitor and spy on their households. A number of app makers promote and promote their software program — also known as stalkerware — to jealous companions who can use these apps to entry their victims’ telephones remotely.
But, regardless of how delicate this private knowledge is, an rising variety of these corporations are dropping enormous quantities of it.
In response to TechCrunch’s ongoing tally, together with the newest knowledge spill involving uMobix, there have been a minimum of 27 stalkerware corporations since 2017 which can be recognized to have been hacked or leaked buyer and victims’ knowledge on-line.
That’s not a typo. Dozens of stalkerware corporations have both been hacked or had a big knowledge publicity in recent times. And a minimum of 4 stalkerware corporations had been hacked a number of instances.
The makers of uMobix and related cellular monitoring apps, like Geofinder and Peekviewer, are the most recent stalkerware suppliers to reveal delicate buyer knowledge, after a hacktivist scraped the fee info of greater than 500,000 clients and revealed them on-line. The hacktivist mentioned they did this as a method to go after stalkerware apps, following within the footsteps of two groups of hacktivists that broke into Retina-X and FlexiSpy nearly a decade in the past.
The uMobix knowledge leak comes after final yr’s breach of Catwatchful, which was used to compromise the telephone knowledge of a minimum of 26,000 victims. Catwatchful was simply considered one of a number of stalkerware incidents in 2025, which included SpyX, and the information exposures of Cocospy, Spyic, and Spyzie surveillance operations, which left messages, photographs, name logs, and different private and delicate knowledge of hundreds of thousands of victims uncovered on-line, in keeping with a safety researcher who discovered a bug that allowed them to entry that knowledge.
Previous to 2025, there have been a minimum of 4 huge stalkerware hacks in 2024.
The final stalkerware breach in 2024 affected Spytech, a little-known spy ware maker based mostly in Minnesota, which uncovered exercise logs from the telephones, tablets, and computer systems monitored with its spy ware. Earlier than that, there was a breach at mSpy, one of many longest-running stalkerware apps, which uncovered hundreds of thousands of buyer help tickets, which included the private knowledge of hundreds of thousands of its clients.
Beforehand, an unknown hacker broke into the servers of the U.S.-based stalkerware maker pcTattletale. The hacker then stole and leaked the corporate’s inner knowledge. Additionally they defaced pcTattletale’s official web site with the objective of embarrassing the corporate. The hacker referred to a current TechCrunch article the place we reported pcTattletale was used to watch a number of entrance desk check-in computer systems at a U.S. resort chain.
Because of this hack, leak, and disgrace operation, pcTattletale founder Bryan Fleming mentioned he was shutting down his firm. Earlier this yr, Fleming pled responsible to fees of pc hacking, the sale and promoting of surveillance software program for illegal makes use of, and conspiracy.
Client spy ware apps like uMobix, Catwatchful, SpyX, Cocospy, mSpy, and pcTattletale are generally known as “stalkerware” (or spouseware) as a result of jealous spouses and companions use them to surreptitiously monitor and surveil their family members.
These corporations usually explicitly market their merchandise as options to catch dishonest companions by encouraging unlawful and unethical conduct. There have been multiple court cases, media investigations and surveys of domestic abuse shelters that present that on-line stalking and monitoring can result in circumstances of real-world hurt and violence.
That’s partly why hackers have repeatedly focused a few of these corporations.
Eva Galperin, the director of cybersecurity on the Digital Frontier Basis and a number one researcher and activist who has investigated and fought stalkerware for years, mentioned the stalkerware business is a “smooth goal.”
“The individuals who run these corporations are maybe not probably the most scrupulous or actually involved in regards to the high quality of their product,” Galperin informed TechCrunch.
Given the historical past of stalkerware compromises, which may be an understatement. And due to the dearth of care for shielding their very own clients — and consequently the private knowledge of tens of hundreds of unwitting victims — utilizing these apps is doubly irresponsible. The stalkerware clients could also be breaking the regulation, abusing their companions by illegally spying on them, and, on prime of that, placing everybody’s knowledge in peril.
A historical past of stalkerware hacks
The flurry of stalkerware breaches started in 2017 when a gaggle of hackers breached the U.S.-based Retina-X and the Thailand-based FlexiSpy again to again. These two hacks revealed that the businesses had a complete variety of 130,000 clients everywhere in the world.
On the time, the hackers who — proudly — claimed accountability for the compromises explicitly mentioned their motivations had been to reveal and hopefully assist destroy an business that they think about poisonous and unethical.
“I’m going to burn them to the bottom, and depart completely nowhere for any of them to cover,” one of many hackers concerned then informed Motherboard.
Referring to FlexiSpy, the hacker added: “I hope they’ll disintegrate and fail as an organization, and have a while to mirror on what they did. Nevertheless, I worry they could attempt to give delivery to themselves once more in a brand new type. But when they do, I’ll be there.”
Regardless of the hack, and years of detrimental public consideration, FlexiSpy continues to be energetic in the present day. The identical can’t be mentioned about Retina-X.
The hacker who broke into Retina-X wiped its servers with the objective of hampering its operations. The corporate bounced again — and then it got hacked again a year later. A few weeks after the second breach, Retina-X announced that it was shutting down.
Simply days after the second Retina-X breach, hackers hit Mobistealth and Spy Master Pro, stealing gigabytes of buyer and enterprise data, in addition to victims’ intercepted messages and exact GPS places. One other stalkerware vendor, the India-based SpyHuman, encountered the identical destiny a number of months later, with hackers stealing textual content messages and name metadata, which contained logs of who referred to as who and when.
Weeks later, there was the primary case of unintended knowledge publicity, relatively than a hack.
SpyFone left an Amazon-hosted S3 storage bucket unprotected online, which meant anybody might view and obtain textual content messages, photographs, audio recordings, contacts, location knowledge, scrambled passwords and login info, Fb messages, and extra. All that knowledge was stolen from victims, most of whom didn’t know they had been being spied on, not to mention know their most delicate private knowledge was additionally on the web for all to see.
Aside from uMobix, different stalkerware corporations that over time have irresponsibly left buyer and victims’ knowledge on-line embody: FamilyOrbit, which left 281 gigabytes of private knowledge on-line protected only by an easy-to-find password; mSpy, which leaked over 2 million buyer data in 2018; Xnore, which let any of its customers see the personal data of other customers’ targets, together with chat messages, GPS coordinates, emails, photographs, and extra; and MobiiSpy, which left 25,000 audio recordings and 95,000 photographs on a server accessible to anyone.
The record goes on: KidsGuard in 2020 had a misconfigured server that leaked victims’ content material; pcTattletale, which previous to its 2024 hack additionally exposed screenshots of victims’ devices uploaded in real-time to an internet site that anybody might entry; and Xnspy, whose builders left credentials and personal keys left within the apps’ code, permitting anybody to entry victims’ knowledge; Spyzie, Cocospy and Spyic, which left victims’ messages, photographs, name logs, and different private knowledge, in addition to clients’ electronic mail addresses, uncovered on-line; and Catwatchful, which uncovered the complete database of electronic mail addresses and plaintext passwords of consumers.
So far as different stalkerware corporations that really obtained hacked, aside from SpyX earlier in 2025, there was Copy9, which noticed a hacker steal the data of all its surveillance targets, together with textual content messages and WhatsApp messages, name recordings, photographs, contacts, and brows historical past; LetMeSpy, which shut down after hackers breached and wiped its servers; and the Brazil-based WebDetetive, which additionally obtained its servers deleted, and then hacked again.
There was additionally OwnSpy, which offers a lot of the back-end software program for WebDetetive, which was hacked; Spyhide, which had a vulnerability in its code that allowed a hacker to entry the back-end databases and years of stolen round 60,000 victims’ knowledge; Oospy, which was a rebrand of Spyhide, shut down for a second tim; and mSpy once more.Lastly there’s TheTruthSpy, a community of stalkerware apps, which holds the doubtful file of getting been hacked or having leaked knowledge on a minimum of three separate events.
Hacked, however unrepented
Of those 27 stalkerware corporations, eight have shut down, in keeping with TechCrunch’s tally.
In a primary and up to now distinctive case, the Federal Commerce Fee banned SpyFone and its chief govt, Scott Zuckerman, from working within the surveillance business following an earlier safety lapse that uncovered victims’ knowledge. One other linked operation referred to as SpyTrac shut down following a TechCrunch investigation. Final yr, the FTC upheld its ban on Zuckerman.
PhoneSpector and Highster, two stalkerware apps that aren’t recognized to have been hacked, additionally shut down after New York’s legal professional common accused the businesses of explicitly encouraging clients to make use of their software program for unlawful surveillance.
However an organization closing doesn’t imply it’s gone ceaselessly. As with Spyhide and SpyFone, among the identical house owners and builders behind a shuttered stalkerware maker merely rebranded.
“I do assume that these hacks do issues. They do accomplish issues, they do put a dent in it,” Galperin mentioned. “However should you assume that should you hack a stalkerware firm, that they’ll merely shake their fists, curse your identify, disappear in a puff of blue smoke and by no means be seen once more, that has most undoubtedly not been the case.”
“What occurs most frequently, if you really handle to kill a stalkerware firm, is that the stalkerware firm comes up like mushrooms after the rain,” Galperin added.
There’s some excellent news. In a report in 2023, safety agency Malwarebytes mentioned that the use of stalkerware is declining, in keeping with its personal knowledge of consumers contaminated with the sort of software program. Additionally, Galperin reviews seeing a rise in detrimental critiques of those apps, with clients or potential clients complaining they don’t work as supposed.
However, Galperin mentioned that it’s potential that safety companies aren’t nearly as good at detecting stalkerware as they was, or stalkers have moved from software-based surveillance to bodily surveillance enabled by AirTags and different Bluetooth-enabled trackers.
“Stalkerware doesn’t exist in a vacuum. Stalkerware is a component of a complete world of tech-enabled abuse,” Galperin mentioned.
Say no to stalkerware
Utilizing spy ware to watch your family members isn’t solely unethical, it’s additionally unlawful in most jurisdictions, because it’s thought of illegal surveillance.
That’s already a big cause to not use stalkerware. Then there’s the difficulty that stalkerware makers have confirmed time and time once more that they can’t maintain knowledge safe — neither knowledge belonging to the shoppers nor their victims or targets.
Aside from spying on romantic companions and spouses, some individuals use stalkerware apps to watch their kids. Whereas the sort of use, a minimum of in the USA, is authorized, it doesn’t imply utilizing stalkerware to snoop in your children’ telephone isn’t creepy and unethical.
Even when it’s utilized in a lawful approach, Galperin thinks dad and mom shouldn’t spy on their kids with out telling them, and with out their consent.
If dad and mom do inform their kids and get their go-ahead, dad and mom ought to steer clear of insecure and untrustworthy stalkerware apps, and use parental monitoring instruments constructed into Apple phones and tablets and Android devices which can be safer and function overtly.
Recap of breaches and leaks
Right here’s the entire record of stalkerware corporations which were hacked or have leaked delicate knowledge since 2017, in chronological order:
First revealed on July 16, 2024 and up to date to incorporate uMobix as the most recent stalkerware apps to have a safety difficulty.
If you happen to or somebody you realize wants assist, the Nationwide Home Violence Hotline (1-800-799-7233) offers 24/7 free, confidential help to victims of home abuse and violence. If you’re in an emergency scenario, name 911. The Coalition Against Stalkerware has assets should you assume your telephone has been compromised by spy ware.
