Hack, leak, expose: Why you should never use stalkerware apps

🚀 Discover this trending post from TechCrunch 📖

📂 **Category**: Security,cybersecurity,evergreens,hacking,privacy,stalkerware,surveillance


There is a whole shady industry for people who want to monitor and spy on their families. Many app makers promote and advertise their software – often referred to as stalkerware – to jealous partners who can use these apps to access their victims’ phones remotely.

However, despite how sensitive this personal data is, a growing number of these companies are losing huge amounts of it.

According to TechCrunch’s ongoing tally, which includes the most recent uMobix-related data leak, at least 27 stalkerware companies since 2017 are known to have been hacked or to have leaked customer and victim data online.

This is not a typo. Dozens of stalkerware companies have been hacked or had significant data exposure in recent years. At least four stalkerware companies have been hacked multiple times.

The makers of uMobix and related mobile tracking apps, such as Geofinder and Peekviewer, are the latest stalkerware providers to expose sensitive customer data, after a hacktivist collected the payment information of more than 500,000 customers and posted it online. The hacktivist said they did so as a way to go after stalkerware applications, following in the footsteps of two groups of hacktivists who broke into Retina-X and FlexiSpy nearly a decade ago.

The uMobix data leak follows the Catwatchful hack last year, which was used to compromise the phone data of at least 26,000 victims. Catwatchful was just one of several stalkerware incidents in 2025, which included SpyX, and the data disclosures of surveillance operations Cocospy, Spyic, and Spyzie, which left messages, photos, call logs and other personal and sensitive data of millions of victims exposed online, according to a security researcher who found a bug that allowed them to access that data.

Before 2025, there were at least four massive stalkerware breaches in 2024.

The last stalkerware breach in 2024 affected Spytech, a little-known spyware maker based in Minnesota, which exposed activity logs from phones, tablets and computers being monitored with its spyware. Before that, there was a hack of mSpy, one of the oldest stalkerware apps, exposing millions of customer support tickets that included the personal data of millions of its customers.

Previously, an unknown hacker broke into the servers of US-based stalkerware manufacturer pcTattletale. The hacker then stole and leaked the company’s internal data. They also defaced pcTattletale’s official website with the aim of embarrassing the company. The hacker pointed to a recent TechCrunch article where we reported on pcTattletale being used to monitor several check-in computers at the front desk of a US hotel chain.

As a result of this hack, leak and disgrace, pcTattletale founder Brian Fleming said he was shutting down his company. Earlier this year, Fleming pleaded guilty to charges of computer hacking, selling and advertising surveillance software for illegal uses, and conspiracy.

Consumer spyware apps like uMobix, Catwatchful, SpyX, Cocospy, mSpy, and pcTattletale are commonly referred to as “stalkerware” (or spouse software) because jealous spouses and partners use them to surreptitiously monitor their loved ones.

These companies often market their products explicitly as solutions to catch cheating partners by encouraging illegal and unethical behavior. There have been numerous lawsuits, media investigations, and surveys of domestic violence shelters that have shown that online stalking and monitoring can lead to real-world harm and violence.

This is partly why hackers frequently target some of these companies.

The stalkerware industry is an “easy target,” said Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation and a leading researcher and activist who has investigated and combated stalkerware for years.

“The people running these companies are probably not the most meticulous or really care about the quality of their products,” Galperin told TechCrunch.

Given the history of stalkerware hacks, this may be an understatement. And because these companies show so little concern for protecting their customers – and thus the personal data of tens of thousands of unwitting victims – using these apps is doubly irresponsible. People who use stalkerware may be violating the law, abusing their partners by illegally spying on them, and, moreover, putting everyone’s data at risk.

History of hacking stalkerware

The wave of stalkerware hacks began in 2017 when a group of hackers compromised US-based Retina-X and Thailand-based FlexiSpy. These two hacks revealed that the two companies had a combined 130,000 customers worldwide.

At the time, the hackers who proudly claimed responsibility for the compromises said their motives were to expose and help destroy an industry they considered toxic and unethical.

“I’m going to burn them to the ground, leaving absolutely no place for any of them to hide,” one of the hackers involved told Motherboard.

Referring to FlexiSpy, the hacker added: “I hope that they collapse and fail as a company, and that they have some time to think about what they did. However, I fear that they may try to birth themselves again in a new form. But if they do, I will be there.”

Despite the hack and years of negative public attention, FlexiSpy is still active today. The same can’t be said for Retina-X.

The hacker who broke into the Retina-X system wiped its servers with the aim of crippling its operations. The company bounced back, only to be hacked again a year later. Two weeks after the second hack, Retina-X announced that it would close its doors.

Just days after the second Retina-X hack, hackers hit Mobistealth and Spy Master Pro, stealing gigabytes of customer and company records, as well as victims’ intercepted messages and precise GPS locations. Another stalkerware vendor, India-based SpyHuman, faced the same fate a few months later, with hackers stealing text messages and call metadata, which contain records of who called whom and when.

Weeks later, there was the first case of an accidental data exposure, not a hack.

SpyFone left an Amazon-hosted S3 storage bucket unprotected online, meaning anyone could view and download text messages, photos, audio recordings, contacts, location data, encrypted passwords, login information, Facebook messages, and more. All this data was stolen from the victims, most of whom had no idea they were being spied on, let alone that their most sensitive personal data was also out there on the internet for everyone to see.

Aside from uMobix, other stalkerware companies that over the years have irresponsibly left customers’ and victims’ data online include: FamilyOrbit, which left 281GB of personal data online protected only with an easy-to-find password; mSpy, which leaked more than 2 million customer records in 2018; Xnore, which allowed any of its customers to see the personal data of other customers’ targets, including chat messages, GPS coordinates, emails, photos, and more; and MobiiSpy, which left 25,000 audio recordings and 95,000 photos on a server that anyone could access.

The list goes on: KidsGuard in 2020 had a misconfigured server that leaked victims’ content; pcTattletale, which before its 2024 hack also revealed screenshots of victims’ devices uploaded in real time to a website that anyone could access; Xnspy, whose developers left credentials and private keys in the apps’ code, allowing anyone to access victims’ data; Spyzie, Cocospy, and Spyic, which left victims’ messages, photos, call logs and other personal data, as well as customers’ email addresses, exposed online; and Catwatchful, which exposed the entire database of customers’ plain-text email addresses and passwords.

As for the other stalkerware companies that have already been hacked, apart from SpyX earlier in 2025, there was Copy9, which saw a hacker steal the data of all its surveillance targets, including text messages, WhatsApp messages, call recordings, photos, contacts, and browser history; LetMeSpy, which was shut down after hackers compromised and wiped its servers; and Brazil-based WebDetetive, which also had its servers deleted and then hacked again.

There was also OwnSpy, which provides much of WebDetetive’s backend software and was itself hacked; Spyhide, which had a vulnerability in its code that allowed a hacker to access back-end databases and years of stolen data from about 60,000 victims; Oospy, which was a rebrand of Spyhide and has closed for the second time; and mSpy again. Finally there’s TheTruthSpy, a network of stalkerware apps, which has the dubious record of being hacked or having data leaked on at least three separate occasions.

Shattered, but unrepentant

Of the 27 stalkerware companies, eight have closed, according to TechCrunch’s tally.

In a first and so far unique case, the Federal Trade Commission has banned SpyFone and its CEO, Scott Zuckerman, from operating in the surveillance industry after a previous security flaw exposed victims’ data. Another linked operation called SpyTrac was shut down after a TechCrunch investigation. Last year, the Federal Trade Commission upheld its ban on Zuckerman.

PhoneSpector and Highster, two stalkerware apps not known to have been hacked, have been shut down after New York’s attorney general accused the companies of explicitly encouraging customers to use their software for illegal surveillance.

But a company closing doesn’t mean it’s gone forever. As with Spyhide and SpyFone, some of the same owners and developers behind closed stalkerware makers have rebranded.

“I think these hackers are doing things. They’re getting things done, and they’re putting an end to it,” Galperin said. “But if you think that if you hack into a stalkerware company, they will simply shake their fists, curse your name, and disappear in a puff of blue smoke never to be seen again, then that is certainly not the case.”

“What often happens, when you can actually take down a stalkerware company, is that the stalkerware company appears like mushrooms after the rain,” Galperin added.

There is some good news. In a 2023 report, the security company Malwarebytes said that the use of stalkerware is declining, according to its data on customers infected with this type of software. Also, Galperin reports an increase in negative reviews of these apps, where customers or potential customers complain that they don’t work as intended.

But, Galperin said, it’s possible that security companies are no longer as good at detecting stalkerware as they once were, or that stalkers have moved from software-based monitoring to the physical monitoring enabled by AirTags and other Bluetooth-enabled trackers.

“Stalkerware does not exist in a vacuum,” Galperin said. “Stalkerware is part of a whole world of technology abuse.”

Say no to stalkerware

Using spyware to monitor your loved ones is not only unethical, it is also illegal in most jurisdictions, where it is considered illegal surveillance.

This is actually an important reason not to use stalkerware. Then there’s the problem that stalkerware makers have proven time and time again that they can’t keep data safe — neither that of their clients, nor that of their victims or targets.

Apart from spying on romantic partners and spouses, some people use stalkerware apps to monitor their children. Although this type of use, at least in the United States, is legal, that doesn’t mean that using stalkerware to snoop on your kids’ phones isn’t scary and unethical.

Even if used legally, Galperin believes parents should not spy on their children without telling them, and without their consent.

If parents inform their children and get the green light, parents should stay away from unsafe and untrustworthy stalkerware apps, and use the parental tracking tools built into Apple’s phones and tablets and Android devices, which are more secure and operate openly.

Summary of violations and leaks

Here is the complete list of stalkerware companies that have been hacked or leaked sensitive data since 2017, in chronological order:

This article was first published on July 16, 2024 and has been updated to include uMobix as the latest stalkerware app to have a security issue.


If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides free, confidential, 24/7 support for victims of domestic abuse and violence. If you are in an emergency, call 911. The Alliance Against Stalkerware has resources if you think your phone has been compromised by spyware.


🕒 **Posted on**: 1770712325
