Last week, unknown hackers broke into the servers of US-based stalkerware maker pcTattletale, after which they stole and leaked the company's internal data, and also defaced pcTattletale's official website in an attempt to embarrass the company.
“This took a total of 15 minutes to complete after reading the TechCrunch article,” the hackers wrote in the defacement, referring to a recent TechCrunch article that reported that pcTattletale was being used to monitor several front desk check-in computers at Wyndham hotels across the United States.
As a result of this hack, leak, and humiliation campaign, pcTattletale founder Brian Fleming announced he was closing his company down.
Consumer spyware apps like pcTattletale are commonly referred to as stalkerware because they are used by jealous spouses and partners to secretly spy on and monitor their loved ones. These companies often explicitly market their products as a solution to catching cheating partners by encouraging illegal and unethical behavior. And there are multiple court cases, journalistic studies, and domestic violence shelter studies that show online stalking and surveillance can lead to harm and violence in the real world.
That's why hackers have repeatedly targeted some of these companies.
This latest hack makes pcTattletale the 20th stalkerware company known to have been hacked or have had customer or victim data leaked online since 2017, according to a TechCrunch tally. That's not a typo: 20 stalkerware companies have been hacked or suffered significant data leaks in recent years, and three stalkerware companies have been hacked multiple times.
Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation and a leading researcher and activist who has long investigated and fought stalkerware, called the stalkerware industry a “soft target.” “The people who run these companies are probably not very careful about the quality of their products and they don't really care,” Galperin told TechCrunch.
Given the history of stalkerware breaches, that may be an understatement. And the lack of concern for protecting the personal data of their own customers, and consequently tens of thousands of unwitting victims, makes using these apps doubly irresponsible. Stalkerware customers are breaking the law, potentially abusing their partners by illegally spying on them, and further compromising everyone's data.
History of stalkerware hacking
The surge in stalkerware breaches began in 2017 when hackers breached US-based Retina-X and Thailand-based FlexiSpy in quick succession. The two hacks revealed that the two companies had a combined total of 130,000 customers around the world.
At the time, the hackers proudly admitted responsibility for the intrusion and made clear that their motivation was to expose and hopefully destroy an industry they viewed as harmful and unethical.
“We're going to burn them down and leave no place for anyone to hide,” one of the hackers involved told Motherboard.
Regarding FlexiSpy, the hacker added: “I hope they collapse and fail as a company and have time to reflect on what they've done, but I am worried they'll try to reinvent themselves in a new form. But if that happens, I'll be there.”
Despite the hack and years of negative public attention, FlexiSpy is still active. The same cannot be said for Retina-X.
Hackers who broke into Retina-X wiped its servers in an attempt to disrupt the company's operations. The company recovered, but was hacked again a year later. A few weeks after the second intrusion, Retina-X announced it was shutting down.
Just days after the second Retina-X breach, hackers attacked Mobistealth and Spy Master Pro, stealing gigabytes of customer and business records, victims' intercepted messages, and precise GPS locations. Another stalkerware vendor, India-based SpyHuman, suffered the same fate a few months later, with hackers stealing text messages and call metadata, including logs of who called who and when.
A few weeks later came the first case of an accidental data leak rather than a hack: SpyFone left an Amazon-hosted S3 storage bucket online and unsecured, allowing anyone to view and download text messages, photos, voice recordings, contacts, location information, encrypted passwords and logins, Facebook messages, and more. All of that data had been taken from victims, most of whom had no idea they were being spied on, much less that their most sensitive personal data was exposed on the internet.
Other stalkerware companies that have irresponsibly left customer and victim data online over the years include FamilyOrbit, which left 281GB of personal data online protected only by an easily found password; mSpy, which leaked over 2 million customer records; Xnore, which allowed customers to see any other customer's targets' personal data, including chat messages, GPS coordinates, emails and photos; Mobiispy, which left 25,000 voice recordings and 95,000 images on a publicly accessible server; KidsGuard, which had a server misconfiguration that exposed victims' content; pcTattletale, which, before it was hacked, uploaded screenshots of victims' devices in real time to a publicly accessible website; and Xnspy, whose developers left credentials and private keys in the app's code, allowing anyone to access victims' data.
Other stalkerware companies that have actually been hacked include Copy9, where hackers stole all of the data of those they were monitoring (including text and WhatsApp messages, call logs, photos, contacts, browsing history, etc.); LetMeSpy, which was shut down after hackers broke into its servers and wiped the data; Brazilian company WebDetetive, which was also hacked again after its servers were wiped; OwnSpy, which provides much of WebDetetive's backend software, was also hacked; Spyhide, which had a vulnerability in its code that allowed hackers to access its backend database and steal the data of around 60,000 victims over the course of years; and Oospy, a rebranding of Spyhide, which has been shut down for a second time.
Finally, there's TheTruthSpy, a network of stalkerware apps that has a dubious record of being hacked or having data leaked at least three times.
Hacked but not sorry
Of those 20 stalkerware companies, eight have now shut down, according to a TechCrunch tally.
In a first-of-its-kind case, the Federal Trade Commission banned SpyFone and its CEO Scott Zuckerman from operating in the surveillance industry following earlier security flaws that exposed victims' data. Another stalkerware business linked to Zuckerman, SpyTrac, was subsequently shut down following an investigation by TechCrunch.
Two other companies not known to have been hacked, PhoneSpector and Highster, were also shut down after the New York Attorney General accused the companies of explicitly encouraging customers to use their software for illegal surveillance.
But just because a company has closed down doesn't mean it's gone forever. As with Spyhide and SpyFone, some of the owners and developers of closed stalkerware makers have simply rebranded.
“I think these hacks are effective, they're certainly successful, they're certainly having an impact,” Galperin said, “but if you think that if you hack a stalkerware company, they're just going to pump their fists, curse your name, and disappear in a puff of blue smoke, never to be seen again, that's definitely not the case.”
“The most common thing that happens when you actually take down a stalkerware company is that more and more of them pop up like bamboo shoots after a rain,” Galperin added.
There's some good news: In a report last year, security firm Malwarebytes said stalkerware use is declining, according to its own data on customers infected with this type of software. Galperin also reported that negative reviews of these apps are on the rise, with customers and potential customers complaining that the apps don't work as intended.
But Galperin said it's possible that security companies aren't as good at detecting stalkerware as they once were, or that stalkers are moving from software-based surveillance to physical monitoring with AirTags and other Bluetooth-enabled trackers.
“Stalkerware doesn't exist in a vacuum. It's part of the world of technology-enabled abuse,” Galperin said.
Say no to stalkerware
Using spyware to monitor your loved ones is not only unethical, but it is also illegal in most jurisdictions, where it constitutes unlawful surveillance.
This is already a great reason not to use stalkerware, but there's also the issue that stalkerware makers have proven time and time again that they can't keep data belonging to their customers, victims or targets safe either.
Aside from spying on lovers or spouses, some people also use stalkerware apps to monitor their children. At least in the United States, this kind of use is legal, but that doesn't mean that using stalkerware to spy on your child's phone isn't creepy and unethical.
Galperin believes that even if it were legal, parents shouldn't spy on their children without their knowledge and consent.
If parents have informed their children and obtained their consent, they should avoid unsafe and untrustworthy stalkerware apps and instead use the safer, more transparently operated parental tracking tools built into Apple phones and tablets, as well as Android devices.
If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) offers free, confidential support to victims of domestic abuse and violence 24/7. In an emergency, call 911. If you believe your phone has been compromised by spyware, the Coalition Against Stalkerware has resources.