The market for monitoring and spying on family members has given rise to a shady industry, with multiple app makers creating software, often referred to as stalkerware, that allows jealous partners to remotely access their victims’ phones. These companies, however, frequently fail to protect the sensitive data they collect and have lost significant amounts of it.

According to TechCrunch’s count, at least 25 stalkerware companies have been hacked or have leaked customer and victim data online since 2017. That number is not a typo, and four of those companies were hacked multiple times.

The latest stalkerware provider to be breached is SpyX, which compromised the private phone data of nearly two million victims at the time of the breach. This breach occurred in mid-2024, although it was only recently reported. The SpyX breach follows the data exposures of Spyzie, Cocospy, and Spyic, whose surveillance operations exposed messages, photos, call logs, and other sensitive data of millions of victims online.

Prior to this year, there were at least four significant stalkerware hacks in 2024. The last stalkerware breach in 2024 affected Spytech, a little-known spyware maker based in Minnesota, which exposed activity logs from the phones, tablets, and computers monitored with its spyware. Before that, there was a breach at mSpy, one of the longest-running stalkerware apps, which exposed millions of customer support tickets, including the personal data of millions of its customers.

Earlier, an unknown hacker broke into the servers of the U.S.-based stalkerware maker pcTattletale, stealing and leaking the company’s internal data and defacing its official website. The hacker referred to a recent TechCrunch article where we reported pcTattletale was used to monitor several front desk check-in computers at a U.S. hotel chain.

As a result of this hack, leak, and shame operation, pcTattletale founder Bryan Fleming said he was shutting down his company.

Consumer spyware apps like SpyX, Cocospy, mSpy, and pcTattletale are commonly referred to as “stalkerware” (or spouseware) because they are used by jealous spouses and partners to surreptitiously monitor and surveil their loved ones. These companies often explicitly market their products as a way to catch cheating partners, encouraging illegal and unethical behavior.

There have been multiple court cases, journalistic investigations, and surveys of domestic abuse shelters that show online stalking and monitoring can lead to cases of real-world harm and violence. This is why hackers have repeatedly targeted some of these companies.

Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation and a leading researcher and activist who has investigated and fought stalkerware for years, said the stalkerware industry is a “soft target.”

“The people who run these companies are perhaps not the most scrupulous or really concerned about the quality of their product,” Galperin told TechCrunch.

Given the history of stalkerware compromises, that may be an understatement. The stalkerware customers may be breaking the law, abusing their partners by illegally spying on them, and, on top of that, putting everyone’s data in danger.

A history of stalkerware hacks

The flurry of stalkerware breaches began in 2017 when a group of hackers breached the U.S.-based Retina-X and the Thailand-based FlexiSpy back to back. Those two hacks revealed that the companies had a total of 130,000 customers all over the world.

At the time, the hackers who claimed responsibility for the compromises explicitly said their motivations were to expose and hopefully help destroy an industry that they consider toxic and unethical.

“I’m going to burn them to the ground, and leave absolutely nowhere for any of them to hide,” one of the hackers involved then told Motherboard.

Referring to FlexiSpy, the hacker added: “I hope they’ll fall apart and fail as a company, and have some time to reflect on what they did. However, I fear they might try and give birth to themselves again in a new form. But if they do, I’ll be there.”

Despite the hack, and years of negative public attention, FlexiSpy is still active today. The same cannot be said about Retina-X.

The hacker who broke into Retina-X wiped its servers with the goal of hampering its operations. The company bounced back — and then it got hacked again a year later. A couple of weeks after the second breach, Retina-X announced that it was shutting down.

Just days after the second Retina-X breach, hackers hit Mobistealth and Spy Master Pro, stealing gigabytes of customer and business records, as well as victims’ intercepted messages and precise GPS locations. Another stalkerware vendor, the India-based SpyHuman, encountered the same fate a few months later, with hackers stealing text messages and call metadata, which contained logs of who called whom and when.

Weeks later, there was the first case of accidental data exposure, rather than a hack. SpyFone left an Amazon-hosted S3 storage bucket unprotected online, which meant anyone could see and download text messages, photos, audio recordings, contacts, location, scrambled passwords and login information, Facebook messages and more. All that data was stolen from victims, most of whom did not know they were being spied on, let alone know their most sensitive personal data was also on the internet for all to see.

Other stalkerware companies that over the years have irresponsibly left customer and victims’ data online are FamilyOrbit, which left 281 gigabytes of personal data online protected only by an easy-to-find password; mSpy, which leaked over 2 million customer records in 2018; Xnore, which