Hacked, Leaked, Exposed: Why You Should Never Use Stalkerware Apps - Beritaja

There is simply a full shady manufacture for group who want to show and spy connected their families. Multiple app makers beforehand and advertise their package — often referred to arsenic stalkerware — to suspicious partners who could usage these apps to entree their victims’ phones remotely.  

Yet, contempt really delicate this individual information is, an expanding number of these companies are losing immense amounts of it.  

According to TechCrunch’s ongoing tally, including the most caller information spill involving uMobix, location person been astatine slightest 27 stalkerware companies since 2017 that are known to person been hacked, aliases leaked customer and victims’ information online. 

That’s not a typo. Dozens of stalkerware companies person either been hacked aliases had a important information vulnerability successful caller years. And astatine slightest 4 stalkerware companies were hacked aggregate times.

The makers of uMobix and associated mobile search apps, for illustration Geofinder and Peekviewer, are the latest stalkerware supplier to expose delicate customer data, after a hacktivist scraped the costs accusation of much than 500,000 customers and published them online. The hacktivist said they did this arsenic a measurement to spell aft stalkerware apps, pursuing successful the footsteps of two groups of hacktivists who collapsed into Retina-X and FlexiSpy almost a decade ago.

The uMobix information leak comes aft past years’ breach of Catwatchful, which was utilized to discuss the telephone information of astatine slightest 26,000 victims. Catwatchful was conscionable 1 of respective stalkerware incidents successful 2025, which included SpyX, and the information exposures of Cocospy, Spyic, and Spyzie surveillance operations, which near messages, photos, telephone logs, and different individual and delicate information of millions of victims exposed online, according to a information interrogator who recovered a bug that allowed them to entree that data.

Prior to 2025, location were astatine slightest 4 monolithic stalkerware hacks successful 2024. 

The past stalkerware breach successful 2024 affected Spytech, a little-known spyware shaper based successful Minnesota, which exposed activity logs from the phones, tablets, and computers monitored pinch its spyware. Before that, location was a breach astatine mSpy, 1 of the longest-running stalkerware apps, which exposed millions of customer support tickets, which included the individual information of millions of its customers.  

Previously, an chartless hacker broke into the servers of the U.S.-based stalkerware shaper pcTattletale. The hacker past stole and leaked the company’s soul data. They besides defaced pcTattletale’s charismatic website pinch the extremity of embarrassing the company. The hacker referred to a caller TechCrunch article wherever we reported pcTattletale was utilized to show respective beforehand table check-in computers astatine a U.S. edifice chain.  

As a consequence of this hack, leak, and shame operation, pcTattletale laminitis Bryan Fleming said he was shutting down his company. Earlier this year, Fleming pled guilty to charges of machine hacking, the waste and advertizing of surveillance package for unlawful uses, and conspiracy. 

Consumer spyware apps for illustration uMobix, Catwatchful, SpyX, Cocospy, mSpy, and pcTattletale are commonly referred to arsenic “stalkerware” (or spouseware) because suspicious spouses and partners usage them to surreptitiously show and surveil their loved ones.  

These companies often explicitly marketplace their products arsenic solutions to drawback cheating partners by encouraging forbidden and unethical behavior. There person been multiple tribunal cases, media investigations and surveys of home maltreatment shelters that show that online stalking and monitoring could lead to cases of real-world harm and violence.

That’s successful portion why hackers person many times targeted immoderate of these companies. 

Eva Galperin, the head of cybersecurity astatine the Electronic Frontier Foundation and a starring interrogator and activistic who has investigated and fought stalkerware for years, said the stalkerware manufacture is simply a “soft target.”  

“The group who tally these companies are possibly not the about scrupulous aliases really concerned about the value of their product,” Galperin told TechCrunch. 

Given the history of stalkerware compromises, that whitethorn beryllium an understatement. And because of the deficiency of attraction for protecting their ain customers — and result the individual information of tens of thousands of unwitting victims — utilizing these apps is doubly irresponsible. The stalkerware customers whitethorn beryllium breaking the law, abusing their partners by illegally spying connected them, and, connected apical of that, putting everyone’s information successful danger. 

A history of stalkerware hacks

The flurry of stalkerware breaches began successful 2017 erstwhile a group of hackers breached the U.S.-based Retina-X and the Thailand-based FlexiSpy backmost to back. Those 2 hacks revealed that the companies had a full number of 130,000 customers each complete the world. 

At the time, the hackers who — proudly — claimed work for the compromises explicitly said their motivations were to expose and hopefully thief destruct an manufacture that they see toxic and unethical. 

“I’m going to pain them to the ground, and time off perfectly obscurity for immoderate of them to hide,” 1 of the hackers progressive past told Motherboard.  

Referring to FlexiSpy, the hacker added: “I dream they’ll autumn isolated and neglect arsenic a company, and person immoderate clip to bespeak connected what they did. However, I fearfulness they mightiness effort and springiness commencement to themselves again successful a caller form. But if they do, I’ll beryllium there.” 

Despite the hack, and years of antagonistic nationalist attention, FlexiSpy is still progressive today. The aforesaid cannot beryllium said about Retina-X. 

The hacker who collapsed into Retina-X wiped its servers pinch the extremity of hampering its operations. The institution bounced backmost — and past it sewage hacked again a twelvemonth later. A mates of weeks aft the 2nd breach, Retina-X announced that it was shutting down.  

Just days aft the 2nd Retina-X breach, hackers deed Mobistealth and Spy Master Pro, stealing gigabytes of customer and business records, arsenic good arsenic victims’ intercepted messages and precise GPS locations. Another stalkerware vendor, the India-based SpyHuman, encountered the aforesaid destiny a fewer months later, pinch hackers stealing matter messages and telephone metadata, which contained logs of who called who and when.  

Weeks later, location was the first lawsuit of accidental information exposure, alternatively than a hack.  

SpyFone near an Amazon-hosted S3 retention bucket unprotected online, which meant anyone could position and download matter messages, photos, audio recordings, contacts, location data, scrambled passwords and login information, Facebook messages, and more. All that information was stolen from victims, about of whom did not cognize they were being spied on, fto unsocial cognize their about delicate individual information was besides connected the net for each to see.  

Apart from uMobix, different stalkerware companies that complete the years person irresponsibly near customer and victims’ information online include: FamilyOrbit, which near 281 gigabytes of individual information online protected only by an easy-to-find password; mSpy, which leaked complete 2 cardinal customer records successful 2018; Xnore, which let immoderate of its customers spot the individual information of different customers’ targets, including chat messages, GPS coordinates, emails, photos, and more; and MobiiSpy, which near 25,000 audio recordings and 95,000 images on a server accessible to anyone. 

The database goes on: KidsGuard successful 2020 had a misconfigured server that leaked victims’ content; pcTattletale, which anterior to its 2024 hack besides exposed screenshots of victims’ devices uploaded successful real-time to a website that anyone could access; and Xnspy, whose developers left credentials and backstage keys near successful the apps’ code, allowing anyone to entree victims’ data; Spyzie, Cocospy and Spyic, which near victims’ messages, photos, telephone logs, and different individual data, arsenic good arsenic customers’ email addresses, exposed online; and Catwatchful, which exposed the afloat database of email addresses and plaintext passwords of customers. 

As acold arsenic different stalkerware companies that really sewage hacked, isolated from SpyX earlier successful 2025, location was Copy9, which saw a hacker bargain the information of each its surveillance targets, including matter messages and WhatsApp messages, telephone recordings, photos, contacts, and brows history; LetMeSpy, which unopen down aft hackers breached and wiped its servers; and the Brazil-based WebDetetive, which besides sewage its servers deleted, and then hacked again.

There was besides OwnSpy, which provides overmuch of the back-end package for WebDetetive, which was hacked; Spyhide, which had a vulnerability successful its codification that allowed a hacker to entree the back-end databases and years of stolen about 60,000 victims’ data; Oospy, which was a rebrand of Spyhide, unopen down for a 2nd tim; and mSpy again.Finally location is TheTruthSpy, a network of stalkerware apps, which holds the dubious grounds of having been hacked aliases having leaked information connected astatine slightest three separate occasions. 

Hacked, but unrepented

Of these 27 stalkerware companies, 8 person unopen down, according to TechCrunch’s tally.  

In a first and truthful acold unsocial case, the Federal Trade Commission banned SpyFone and its main executive, Scott Zuckerman, from operating successful the surveillance manufacture pursuing an earlier information lapse that exposed victims’ data. Another linked cognition called SpyTrac shut down pursuing a TechCrunch investigation. Last year, the FTC upheld its ban connected Zuckerman. 

PhoneSpector and Highster, 2 stalkerware apps that are not known to person been hacked, also unopen down aft New York’s lawyer wide accused the companies of explicitly encouraging customers to usage their package for forbidden surveillance.  

But a institution closing doesn’t mean it’s gone forever. As pinch Spyhide and SpyFone, immoderate of the aforesaid owners and developers down a shuttered stalkerware shaper simply rebranded.  

“I do deliberation that these hacks do things. They do execute things, they do put a dent successful it,” Galperin said. “But if you deliberation that if you hack a stalkerware company, that they will simply shingle their fists, curse your name, vanish successful a puff of bluish fume and ne'er beryllium seen again, that has about decidedly not been the case.” 

“What happens about often, erstwhile you really negociate to termination a stalkerware company, is that the stalkerware institution comes up for illustration mushrooms aft the rain,” Galperin added. 

There is immoderate bully news. In a study successful 2023, information patient Malwarebytes said that the usage of stalkerware is declining, according to its ain information of customers infected pinch this type of software. Also, Galperin reports seeing an summation successful antagonistic reviews of these apps, pinch customers aliases prospective customers complaining they don’t activity arsenic intended. 

But, Galperin said that it’s imaginable that information firms are not arsenic bully astatine detecting stalkerware arsenic they utilized to be, aliases stalkers person moved from software-based surveillance to beingness surveillance enabled by AirTags and different Bluetooth-enabled trackers. 

“Stalkerware does not beryllium successful a vacuum. Stalkerware is portion of a full world of tech-enabled abuse,” Galperin said.

Say nary to stalkerware

Using spyware to show your loved ones is not only unethical, it’s besides forbidden successful about jurisdictions, arsenic it’s considered unlawful surveillance.  

That is already a important logic not to usage stalkerware. Then location is the rumor that stalkerware makers person proven clip and clip again that they cannot support information unafraid — neither information belonging to the customers nor their victims aliases targets. 

Apart from spying connected romanticist partners and spouses, immoderate group usage stalkerware apps to show their children. While this type of use, astatine slightest successful the United States, is legal, it doesn’t mean utilizing stalkerware to snoop connected your kids’ telephone isn’t creepy and unethical.  

Even if it’s utilized successful a lawful way, Galperin thinks parents should not spy connected their children without telling them, and without their consent. 

If parents do pass their children and get their go-ahead, parents should enactment distant from insecure and untrustworthy stalkerware apps, and usage parental search devices built into Apple phones and tablets and Android devices that are safer and run overtly.  

Recap of breaches and leaks

Here’s the complete database of stalkerware companies that person been hacked aliases person leaked delicate information since 2017, successful chronological order:

• Retina-X (2017, 2018)
• FlexiSpy (2017)
• Mobistealth (2018)
• Spy Master Pro (2018)
• SpyHuman (2018)
• SpyFone (2018)
• Family Orbit (2018)
• mSpy (2018, 2024)
• Xnore (2018)
• Copy9 (2018)
• MobiiSpy (2019)
• KidsGuard (2020)
• pcTattletale (2021, 2024)
• Xnspy (2022, 2026) 
• Spyhide (2023)
• TheTruthSpy (2018, 2022, 2023, 2024)
• LetMeSpy (2023)
• WebDetetive (2023, 2024)
• OwnSpy (2023)
• Oospy (2023)
• Spytech (2024)
• Cocospy (2025)
• Spyic (2025)
• Spyzie (2025)
• SpyX (2025)
• Catwatchful (2025)
• uMobix (2026)

First published connected July 16, 2024 and updated to see uMobix arsenic the latest stalkerware apps to person a information issue.

If you aliases personification you cognize needs help, the National Domestic Violence Hotline (1-800-799-7233) provides 24/7 free, confidential support to victims of home maltreatment and violence. If you are successful an emergency situation, telephone 911. The Coalition Against Stalkerware has resources if you deliberation your telephone has been compromised by spyware.