There is a shady industry for those who want to monitor and spy on their families. Several app makers advertise and promote their software to jealous partners who can use these apps to remotely access victims' phones.
But despite how sensitive this personal data is, the growing number of these companies is lost in large numbers.
According to TechCrunch's Tally, counting Catwatchful's latest data exposures, there have been at least 26 Stalkerware companies since 2017 that have been known to have been hacked or leaked customer and victim data online. That's not a typo. At least 26 Stalkerware companies have either been hacked or have been exposing important data in recent years. Additionally, four stalkerwear companies have been hacked multiple times.
Catwatchful is the latest Stalkerware provider reportedly violated this year, and the user data bank dates back to 2018. The violation reveals that it breached private telephone data of around 26,000 victims at the time the data was leaked.
The CatWatchful Data Leak comes after this year's SPYX data breaches and data exposures of millions of other victims who publish messages, photos, call logs, and other personal and sensitive data from millions of victims online.
Before this year, there were at least four major stalker wear hacks in 2024. The last stalkerware violation of 2024 affected SpyTech, a little-known spyware manufacturer based in Minnesota. Previously, there was a violation of MSPY, one of the longest-running stalkerware apps that publish millions of customer support tickets, including personal data from millions of customers.
Previously, an unknown hacker broke into the servers of US-based Stalkerware Maker Pctattletale. The hackers then stole and leaked internal company data. They also tainted the official Pctattletlea website with the goal of embarrassing the company. The hackers referenced a recent TechCrunch article. There, they reported that Pctattletale was used to monitor several front desk check-in computers in a US hotel chain.
As a result of this hack, leak and shame manipulation, PcTattleleale founder Bryan Fleming said he was closing his company.
Consumer spyware apps such as Catwatchful, Spyx, Cocospy, Mspy, and Pctattletale are commonly referred to as “stalkerware” (or spouse).
These companies often explicitly sell their products as a solution to catch fraud partners by encouraging illegal and unethical behavior. There have been multiple trials, media investigations and domestic abuse shelters investigations that show that online stalking and surveillance can lead to actual cases of harm and violence.
That's part of why hackers are repeatedly targeting some of these companies.
Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation and a leading researcher and activist who has been researching and fighting Stalkerware for many years, said the Stalkerware industry is a “soft target.”
“The people who run these companies are probably the most cautious, but not really worried about the quality of their products,” Galperin told TechCrunch.
Given Stalkerware's history of compromise, that might be an understatement. And using these apps means that there is a lack of care to protect your customers, and as a result, the personal data of tens of thousands of unconscious victims is double irresponsible. Stalkerware customers are violating their partners by breaking the law and illegally spying on them, and putting everyone's data at risk.
The history of stalker wear hacks
The gust of stalkerware violations began in 2017 when a group of hackers violated US-based Retina-X and Thailand-based Flexispy. These two hacks revealed that the company has a total of 130,000 customers worldwide.
At the time, proudly arguing for the responsibility of compromise, the hackers explicitly stated that their motivations were exposed and helped them destroy industries they deemed toxic and unethical.
“I burn them on the ground and never leave any of them to hide,” one of the hackers involved told Motherboard.
Referring to Flexispy, the hacker added: “I hope they'll fall apart and fail as a company and have time to look back on what they've done, but I'm worried that they'll try to give birth to themselves again in a new way.
Despite Hack and years of negative public attention, Flexispy is still active today. The same cannot be said about Retina-X.
Hackers who infiltrated Retina-X wiped the server with the goal of blocking its operation. The company bounced back – and was hacked again a year later. A few weeks after the second violation, Retina-X announced it was closed.
A few days after the second Retina-X breach, the hackers hit Mobistealth and Spy Master Pro, stealing gigabytes of customers and business records, stealing victims' intercepted messages and exact GPS locations. Another stalkerware vendor, India-based spy human, encountered the same fate a few months later, with the hacker stealing text messages and calling out metadata.
A few weeks later, there was the first case of accidental data exposure rather than hack.
Spyfone left an Amazon Hosted S3 storage bucket online that is unprotected. This means that everyone could view and download text messages, photos, audio recordings, contacts, location data, scramble passwords, login information, Facebook messages, and more. All of that data was stolen from the victims, but most of them didn't know they were being spyed on. Their most sensitive personal data can't be made known that they are on the internet for everyone to see.
Apart from CatWatchful, other Stalkerware companies that have been irresponsible online for years to leave customer and victim data irresponsible online include: Familyorbit is protected only by an online password that protects 281 gigabytes of personal data. MSPY leaked more than 2 million customer records in 2018. Xnore allows customers to see personal data of other customer's goals, such as chat messages, GPS coordinates, emails, photos, and more. Mobiispy left 25,000 audio recordings and 95,000 images on a server that anyone can access. The list is as follows: KidsGuard in 2020 had an incorrect server that leaked victim content. Before the hack, Pctattletale published a screenshot of the victim's device and uploaded it to a website that anyone can access. Xnspy has left developers with remaining qualifications and private keys in their app's code, allowing anyone to access the victim's data. Spyzie, Cocospy and Spyic have kept victim messages, photos, call logs, other personal data, and customer email addresses publicly online.
Regarding other Stalkerware companies that were actually hacked, there was Copy9 earlier this year, except for Spyx. This included text messages and WhatsApp messages, call recordings, photos, contacts, brow history, and more, which hackers stole all data from their surveillance targets. LetMespy shut down after a hacker wiped it violated the server. Brazil-based Webdetetive has removed the server and then hacked it again. OwnSpy, which provides a lot of Webdetive's backend software, has also been hacked. Spyhide has a code vulnerability that allowed hackers to access backend databases and access data from around 60,000 victims over the years. Sospy, a brand of Spyhide brand, has shut down once more. And the latest MSPY hacks are unrelated to previous leaks.
Finally, there is Thetruthspy, a network of stalkerware apps. This holds a suspicious record of hacking or data leaking at least three separate occasions.
Hacked, but not repented
Eight of these 26 Stalkerware Companies have been closed, according to a TechCrunch tally.
In the first unique case, the Federal Trade Commission banned activities in the surveillance industry following a previous security course in which Spyfone and its CEO Scott Zuckerman exposed victim data. Another stalkerware operation linked to Zuckerman, called Spytrac, was subsequently shut down following a TechCrunch investigation.
Two other companies not known to have been hacked, the Telephone Officer and Histar, have also shut down after New York Attorney General accused the New York Attorney General of explicitly encouraging customers to use the software for illegal surveillance.
But the fact that the company has been closed doesn't mean it's gone forever. Like Spyhide and Spyfone, some of the same owners and developers behind closed stalkerware makers have simply been rebranded.
“I think these hacks do things. They accomplish things and put a dent in it,” Galperin said. “But if you hack the stalkerwear company, they simply swing their fists, curse your name, disappear with a puff of blue smoke and you're going to never see it again, that's definitely not.”
“Most of the time, when you can actually kill a Stalkerware Company, the Stalkerware Company appears like a mushroom after the rain,” added Galperin.
There is some good news. In a report last year, security company MalwareBytes said its use of Stalkerware is declining, according to its own data from customers infected with this type of software. Galperin also reports that customers and prospects complain that they don't work as intended, seeing an increase in negative reviews for these apps.
However, Galperin said security companies may not be as good at detecting stalkerware as they used to, or that stalkers may have moved from software-based surveillance to physical surveillance that can be done by air tags and other Bluetooth-enabled trackers.
“Stalkerwear doesn't exist in the vacuum. Stalkerwear is part of a world of tech-responsive abuse,” Galperin said.
Say no to stalker wear
Using spyware to monitor your loved ones is not only unethical, but is also considered illegal surveillance in most jurisdictions.
That's an important reason why you don't already use Stalkerware. There have been issues that have proven many times that Stalkerware manufacturers cannot keep their data safe. Data belonging to the customer does not belong to the victim or target either.
Apart from spying on romantic partners and spouses, some people use stalkerwear apps to monitor their children. Although this type of use is legal, at least in the US, using Snoop on a child's phone using Stalkerware does not mean it's creepy and unethical.
Even if it is legally used, Galperin believes that parents should not spy on their children without telling them and agreeing to them.
If parents notify their children and move on, they should move away from unstable and unreliable stalkerware apps and use parent tracking tools built into Apple's phones, tablets and Android devices that work more secure and obviously.
Summary of violations and leaks
This is the complete list of Stalkerware companies that have been hacked or leaked sensitive data since 2017.
It was first published on July 16, 2024 and updated to include Catwatchful as the latest Stalkerware app with security issues.
If you or someone you know needs help, the domestic domestic violence hotline (1-800-799-7233) provides secret support to victims of domestic abuse and violence 24/7. If you are in an emergency, call 911. If you think your phone is compromised by Spyware, then the federation against Stalkerware has resources.