Hacked, leaked, exposed: Why you should never use stalkerware apps


There is a whole shady industry for people who want to monitor and spy on their families. Multiple app makers promote and advertise their software — often referred to as stalkerware — to jealous partners who can use these apps to access their victims’ phones remotely.

Yet, despite how sensitive this personal data is, an increasing number of these companies are losing huge amounts of it.

According to TechCrunch’s ongoing tally, including the most recent data spill involving uMobix, there have been at least 27 stalkerware companies since 2017 that are known to have been hacked, or leaked customer and victims’ data online.

That’s not a typo. Dozens of stalkerware companies have either been hacked or had a significant data vulnerability in recent years. And at least four stalkerware companies were hacked multiple times.

The makers of uMobix and associated mobile tracking apps, like Geofinder and Peekviewer, are the latest stalkerware provider to expose sensitive customer data, after a hacktivist scraped the payment information of more than 500,000 customers and published them online. The hacktivist said they did this as a way to go after stalkerware apps, following in the footsteps of two groups of hacktivists who broke into Retina-X and FlexiSpy around a decade ago.

The uMobix data leak comes after last year’s breach of Catwatchful, which was used to compromise the phone data of at least 26,000 victims. Catwatchful was just one of several stalkerware incidents in 2025, which included SpyX, and the data exposures of Cocospy, Spyic, and Spyzie surveillance operations, which left messages, photos, call logs, and other personal and sensitive data of millions of victims exposed online, according to a security researcher who found a bug that allowed them to access that data.

Prior to 2025, there were at least four massive stalkerware hacks in 2024.

The last stalkerware breach in 2024 affected Spytech, a little-known spyware maker based in Minnesota, which exposed activity logs from the phones, tablets, and computers monitored with its spyware. Before that, there was a breach at mSpy, one of the longest-running stalkerware apps, which exposed millions of customer support tickets, which included the personal data of millions of its customers.

Previously, an unknown hacker broke into the servers of the U.S.-based stalkerware maker pcTattletale. The hacker then stole and leaked the company’s internal data. They also defaced pcTattletale’s official website with the goal of embarrassing the company. The hacker referred to a recent TechCrunch article where we reported pcTattletale was used to monitor several front desk check-in computers at a U.S. hotel chain.

As a result of this hack, leak, and shame operation, pcTattletale founder Bryan Fleming said he was shutting down his company. Earlier this year, Fleming pled guilty to charges of computer hacking, the sale and advertising of surveillance software for unlawful uses, and conspiracy.

Consumer spyware apps like uMobix, Catwatchful, SpyX, Cocospy, mSpy, and pcTattletale are commonly referred to as “stalkerware” (or spouseware) because jealous spouses and partners use them to surreptitiously monitor and surveil their loved ones.

These companies often explicitly market their products as solutions to catch cheating partners by encouraging illegal and unethical behavior. There have been multiple court cases, media investigations and surveys of domestic abuse shelters that show that online stalking and monitoring can lead to cases of real-world harm and violence.

That’s in part why hackers have repeatedly targeted some of these companies.

Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation and a leading researcher and activist who has investigated and fought stalkerware for years, said the stalkerware industry is a “soft target.”

“The people who run these companies are perhaps not the most scrupulous or really concerned about the quality of their product,” Galperin told TechCrunch.

Given the history of stalkerware compromises, that may be an understatement. And because of the lack of care for protecting their own customers — and consequently the personal data of tens of thousands of unwitting victims — using these apps is doubly irresponsible. The stalkerware customers may be breaking the law, abusing their partners by illegally spying on them, and, on top of that, putting everyone’s data in danger.

A history of stalkerware hacks

The flurry of stalkerware breaches began in 2017 when a group of hackers breached the U.S.-based Retina-X and the Thailand-based FlexiSpy back to back. Those two hacks revealed that the companies had a total number of 130,000 customers all over the world.

At the time, the hackers who — proudly — claimed responsibility for the compromises explicitly said their motivations were to expose and hopefully help destroy an industry that they consider toxic and unethical.

“I’m going to burn them to the ground, and leave absolutely nowhere for any of them to hide,” one of the hackers involved then told Motherboard.

Referring to FlexiSpy, the hacker added: “I hope they’ll fall apart and fail as a company, and have some time to reflect on what they did. However, I fear they might try and give birth to themselves again in a new form. But if they do, I’ll be there.”

Despite the hack, and years of negative public attention, FlexiSpy is still active today. The same cannot be said about Retina-X.

The hacker who broke into Retina-X wiped its servers with the goal of hampering its operations. The company bounced back — and then it got hacked again a year later. A couple of weeks after the second breach, Retina-X announced that it was shutting down.

Just days after the second Retina-X breach, hackers hit Mobistealth and Spy Master Pro, stealing gigabytes of customer and business records, as well as victims’ intercepted messages and precise GPS locations. Another stalkerware vendor, the India-based SpyHuman, encountered the same fate a few months later, with hackers stealing text messages and call metadata, which contained logs of who called who and when.

Weeks later, there was the first case of accidental data exposure, rather than a hack.

SpyFone left an Amazon-hosted S3 storage bucket unprotected online, which meant anyone could view and download text messages, photos, audio recordings, contacts, location data, scrambled passwords and login information, Facebook messages, and more. All that data was stolen from victims, most of whom did not know they were being spied on, let alone know their most sensitive personal data was also on the internet for all to see.

Apart from uMobix, other stalkerware companies that over the years have irresponsibly left customer and victims’ data online include: FamilyOrbit, which left 281 gigabytes of personal data online protected only by an easy-to-find password; mSpy, which leaked over 2 million customer records in 2018; Xnore, which let any of its customers see the personal data of other customers’ targets, including chat messages, GPS coordinates, emails, photos, and more; and MobiiSpy, which left 25,000 audio recordings and 95,000 images on a server accessible to anyone.

The list goes on: KidsGuard, which in 2020 had a misconfigured server that leaked victims’ content; pcTattletale, which prior to its 2024 hack also exposed screenshots of victims’ devices uploaded in real-time to a website that anyone could access; Xnspy, whose developers left credentials and private keys in the apps’ code, allowing anyone to access victims’ data; Spyzie, Cocospy and Spyic, which left victims’ messages, photos, call logs, and other personal data, as well as customers’ email addresses, exposed online; and Catwatchful, which exposed the full database of email addresses and plaintext passwords of customers.

As far as other stalkerware companies that actually got hacked, apart from SpyX earlier in 2025, there was Copy9, which saw a hacker steal the data of all its surveillance targets, including text messages and WhatsApp messages, call recordings, photos, contacts, and browser history; LetMeSpy, which shut down after hackers breached and wiped its servers; and the Brazil-based WebDetetive, which also got its servers deleted, and then hacked again.

There was also OwnSpy, which provides much of the back-end software for WebDetetive, which was hacked; Spyhide, which had a vulnerability in its code that allowed a hacker to access the back-end databases and years of data stolen from around 60,000 victims; Oospy, which was a rebrand of Spyhide, shut down for a second time; and mSpy again. Finally there is TheTruthSpy, a network of stalkerware apps, which holds the dubious record of having been hacked or having leaked data on at least three separate occasions.

Hacked, but unrepented

Of these 27 stalkerware companies, eight have shut down, according to TechCrunch’s tally.

In a first and so far unique case, the Federal Trade Commission banned SpyFone and its chief executive, Scott Zuckerman, from operating in the surveillance industry following an earlier security lapse that exposed victims’ data. Another linked operation called SpyTrac shut down following a TechCrunch investigation. Last year, the FTC upheld its ban on Zuckerman.

PhoneSpector and Highster, two stalkerware apps that are not known to have been hacked, also shut down after New York’s attorney general accused the companies of explicitly encouraging customers to use their software for illegal surveillance.

But a company closing doesn’t mean it’s gone forever. As with Spyhide and SpyFone, some of the same owners and developers behind a shuttered stalkerware maker simply rebranded.

“I do think that these hacks do things. They do accomplish things, they do put a dent in it,” Galperin said. “But if you think that if you hack a stalkerware company, that they will simply shake their fists, curse your name, disappear in a puff of blue smoke and never be seen again, that has most definitely not been the case.”

“What happens most often, when you actually manage to kill a stalkerware company, is that the stalkerware company comes up like mushrooms after the rain,” Galperin added.

There is some good news. In a report in 2023, security firm Malwarebytes said that the use of stalkerware is declining, according to its own data of customers infected with this type of software. Also, Galperin reports seeing an increase in negative reviews of these apps, with customers or prospective customers complaining they don’t work as intended.

But, Galperin said that it’s possible that security firms are not as good at detecting stalkerware as they used to be, or stalkers have moved from software-based surveillance to physical surveillance enabled by AirTags and other Bluetooth-enabled trackers.

“Stalkerware does not exist in a vacuum. Stalkerware is part of a whole world of tech-enabled abuse,” Galperin said.

Say no to stalkerware

Using spyware to monitor your loved ones is not only unethical, it’s also illegal in most jurisdictions, as it’s considered unlawful surveillance.

That is already a significant reason not to use stalkerware. Then there is the issue that stalkerware makers have proven time and time again that they cannot keep data secure — neither data belonging to the customers nor their victims or targets.

Apart from spying on romantic partners and spouses, some people use stalkerware apps to monitor their children. While this type of use, at least in the United States, is legal, it doesn’t mean using stalkerware to snoop on your kids’ phone isn’t creepy and unethical.

Even if it’s used in a lawful way, Galperin thinks parents should not spy on their children without telling them, and without their consent.

If parents do inform their children and get their go-ahead, parents should stay away from insecure and untrustworthy stalkerware apps, and use parental tracking tools built into Apple phones and tablets and Android devices that are safer and operate overtly.

Recap of breaches and leaks

Here’s the complete list of stalkerware companies that have been hacked or have leaked sensitive data since 2017, in chronological order:

First published on July 16, 2024 and updated to include uMobix as the latest stalkerware app to have a security issue.


If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides 24/7 free, confidential support to victims of domestic abuse and violence. If you are in an emergency situation, call 911. The Coalition Against Stalkerware has resources if you think your phone has been compromised by spyware.
