
Hacked, leaked, exposed: why you should never use stalkerware apps

By TechBrunch | July 25, 2024 | 9 Mins Read


There are several shady industries for people who want to monitor or spy on their family members, with app makers selling jealous partners software, also known as stalkerware, that can remotely access the victim's phone.

However, despite how sensitive this data is, a growing number of businesses are losing huge amounts of it.

Including Spytech's latest hack, at least 21 stalkerware companies have been hacked or have had their customers' or victims' data leaked online since 2017, according to a TechCrunch tally. That's not a typo: At least 21 stalkerware companies have been hacked or suffered significant data leaks in recent years, and four stalkerware companies have been hacked multiple times.

At least four major stalkerware hacks have occurred in 2024 alone. The most recent breach affected Spytech, a little-known Minnesota-based spyware manufacturer, which leaked activity logs from phones, tablets, and computers monitored by the spyware. Prior to that, mSpy, one of the longest-running stalkerware apps, suffered a breach that exposed millions of customer support tickets, including the personal data of millions of customers.

Previously, unknown hackers broke into the servers of US-based stalkerware maker pcTattletale. The hackers then stole and leaked the company's internal data. They also defaced pcTattletale's official website in an attempt to embarrass the company. The hackers were referring to a recent TechCrunch article that reported that pcTattletale was being used to monitor several front desk check-in computers at a US hotel chain.

As a result of this hack, leak, and humiliation campaign, pcTattletale founder Brian Fleming announced that he was closing his company down.

Consumer spyware apps such as mSpy and pcTattletale are commonly referred to as “stalkerware” (or spouseware) because they are used by jealous spouses or partners to secretly spy on and monitor their loved ones. These companies often explicitly market their products as a solution to catching cheating partners by encouraging illegal and unethical behavior. And there are multiple court cases, journalistic studies, and domestic violence shelter studies that show online stalking and surveillance can lead to real-world harm and violence.

That's why hackers have repeatedly targeted some of these companies.

Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation and a leading researcher and activist who has worked for years on studying and combating stalkerware, called the stalkerware industry an “easy target.”

“The people who run these companies are probably not very careful or really care about the quality of their products,” Galperin told TechCrunch.

Given the history of stalkerware breaches, that may be an understatement. And given the lack of care these companies show in protecting the personal data of their own customers, and consequently that of tens of thousands of unwitting victims, using these apps is doubly irresponsible. Stalkerware customers are breaking the law, potentially abusing their partners by illegally spying on them, and further compromising everyone's data.

History of stalkerware hacking

The surge in stalkerware breaches began in 2017 when hackers breached US-based Retina-X and Thailand-based FlexiSpy in quick succession. The two hacks revealed that the two companies had a combined total of 130,000 customers around the world.

At the time, the hackers proudly admitted responsibility for the intrusion and made clear that their motivation was to expose and hopefully destroy an industry they viewed as harmful and unethical.

“We're going to burn them down and leave no place for anyone to hide,” one of the hackers involved told Motherboard.

Regarding FlexiSpy, the hacker added: “I hope they collapse and fail as a company and have time to reflect on what they've done, but I am worried they'll try to reinvent themselves in a new form. But if that happens, I'll be there.”

Despite the hack and years of negative public attention, FlexiSpy is still active. The same cannot be said for Retina-X.

Hackers who broke into Retina-X wiped its servers in an attempt to disrupt the company's operations. The company recovered, but was hacked again a year later. A few weeks after the second intrusion, Retina-X announced it was shutting down.

Just days after the second Retina-X breach, hackers attacked Mobistealth and Spy Master Pro, stealing gigabytes of customer and business records, victims' intercepted messages, and precise GPS locations. Another stalkerware vendor, India-based SpyHuman, suffered the same fate a few months later, with hackers stealing text messages and call metadata, including logs of who called who and when.

A few weeks later, we had the first case of an accidental data leak, rather than a hack: SpyFone left an Amazon-hosted S3 storage bucket online, unsecured, allowing anyone to view and download text messages, photos, voice recordings, contacts, location information, encrypted passwords and logins, Facebook messages, and more. All of that data was stolen from victims, most of whom had no idea they were being spied on, much less that their most sensitive personal data was exposed on the internet.

Other stalkerware companies that have irresponsibly left customer and victim data online over the years include FamilyOrbit, which left 281 gigabytes of personal data online protected only by an easily found password; mSpy, which leaked over 2 million customer records in 2018; Xnore, which allowed customers to view the personal data of other customers' targets, including chat messages, GPS coordinates, emails and photos; MobiiSpy, which left 25,000 voice recordings and 95,000 images on a publicly accessible server; KidsGuard, which had a faulty server configuration that leaked victim content; pcTattletale, which, before it was hacked, uploaded screenshots of victim devices in real time to a publicly accessible website; and Xnspy, whose developers left credentials and private keys in the app's code, allowing anyone to access victim data.

Other stalkerware companies that have actually been hacked include Copy9, where hackers stole all of the data of those they were monitoring (text and WhatsApp messages, call logs, photos, contacts, browser history, etc.); LetMeSpy, which was shut down after hackers broke in and wiped its servers; Brazilian company WebDetetive, which was hacked again after its servers were also wiped; OwnSpy, which provides much of WebDetetive's backend software and was also hacked; Spyhide, which allowed hackers to access its backend database and had code vulnerabilities that allowed data of around 60,000 victims to be stolen over the years; Oospy, a rebranding of Spyhide, which has been shut down for a second time; and the most recent mSpy hack, which is unrelated to the aforementioned leaks.

Finally, there's TheTruthSpy, a network of stalkerware apps that has a dubious record of being hacked or having data leaked at least three times.

Hacked but not sorry

Of those 21 stalkerware companies, eight have now shut down, according to a TechCrunch tally.

In a first-of-its-kind case, the Federal Trade Commission banned SpyFone and its CEO Scott Zuckerman from operating in the surveillance industry following previous security flaws that exposed victims' data. Another stalkerware business linked to Zuckerman, SpyTrac, was subsequently shut down following an investigation by TechCrunch.

Two other companies not known to have been hacked, PhoneSpector and Highster, were also shut down after the New York Attorney General accused the companies of explicitly encouraging customers to use their software for illegal surveillance.

But just because a company has closed down doesn't mean it's gone forever. As with Spyhide and SpyFone, some of the owners and developers of closed stalkerware makers have simply rebranded.

“I think these hacks are effective, they're certainly getting results, they're certainly making an impact,” Galperin said, “but if you think that if you hack a stalkerware company, they're just going to pump their fists, curse your name, and disappear in a puff of blue smoke, never to be seen again, that's definitely not the case.”

“The most common thing that happens when you actually take down a stalkerware company is that more and more of them pop up like bamboo shoots after a rain,” Galperin added.

There's some good news: In a report last year, security firm Malwarebytes said stalkerware use is declining, according to its own data on customers infected with this type of software. Galperin also reported that negative reviews of these apps are on the rise, with customers and potential customers complaining that the apps don't work as intended.

But Galperin said it's possible that security companies aren't as good at detecting stalkerware as they once were, or that stalkers are moving from software-based surveillance to physical monitoring with AirTags and other Bluetooth-enabled trackers.

“Stalkerware doesn't exist in a vacuum. It's part of a whole world of technology-enabled abuse,” Galperin said.

Say no to stalkerware

Using spyware to monitor your loved ones is not only unethical, but it is also illegal in most jurisdictions as it is considered illegal surveillance.

This is already a big reason not to use stalkerware, but there's also the issue that stalkerware makers have proven time and time again that they can't keep data belonging to their customers, victims or targets safe either.

Aside from spying on lovers or spouses, some people also use stalkerware apps to monitor their children. At least in the United States, this kind of use is legal, but that doesn't mean that using stalkerware to spy on your child's phone isn't creepy and unethical.

Even if it were legal, Galperin doesn't think parents should spy on their children without their knowledge and consent.

If parents have informed their children and obtained their permission, they should avoid unsafe and untrustworthy stalkerware apps and instead use the safer, more openly operating parental tracking tools built into Apple phones and tablets, as well as Android devices.

Breach and leak summary

Below is the complete list of stalkerware companies that have been hacked or had sensitive data leaked since 2017 (in chronological order):

This story was updated on July 25th to include Spytech as the latest spyware to have been compromised.

If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) offers free, confidential support to victims of domestic abuse and violence 24/7. In an emergency, call 911. If you believe your phone has been compromised by spyware, the Coalition Against Stalkerware has resources.


