There is a shady industry for those who want to monitor and spy on their families. Several app makers sell software (sometimes called stalkerware) to jealous partners who can use these apps to remotely access victims' phones.
But despite how sensitive this data is, the number of these companies is on the rise in massive decline.
According to TechCrunch's Tally, counting Spyzie's latest data leaks shortly after Cocospy and Spyic's data exposures, it has been known to have been hacked since 2017, or leaked data data from customers and victims online. That's not a typo. At least 24 Stalkerware companies have been hacked or exposed to important data in recent years. Additionally, four stalkerwear companies have been hacked multiple times.
Spyzie, Cocospy, and Spyic are the first stalkerware companies to accidentally reveal sensitive data in 2025. The two surveillance operations left messages, photos, call logs and other personal and sensitive data from millions of victims published online, according to security researchers who found a bug that allowed access to that data.
The manufacturer of Spyzie has published 518,643 unique email addresses for its customers. In the case of Cocospy, the company leaked 1.81 million customer email addresses, and Spyic leaked 880,167 customer email addresses. According to an analysis by Troy Hunt, which runs a data breach notification site, this is a total of over 3.2 million email addresses after removing duplicate addresses that were shown in both violations.
In 2024 there were at least four major stalker wear hacks. The last stalkerware violation of 2024 affected SpyTech, a little-known spyware manufacturer based in Minnesota. It published activity logs from phones, tablets and computers monitored by spyware. Previously, there was a violation of MSPY, one of the longest-running stalkerware apps that publish millions of customer support tickets, including personal data from millions of customers.
Previously, an unknown hacker broke into the servers of US-based Stalkerware Maker Pctattletale. The hackers then stole and leaked internal company data. They also tainted the official Pctattletlea website with the goal of embarrassing the company. The hackers referenced a recent TechCrunch article. There, they reported that Pctattletale was used to monitor several front desk check-in computers in a US hotel chain.
As a result of this hack, leak and shame manipulation, PcTattleleale founder Bryan Fleming said he was closing his company.
Consumer spyware apps such as MSPY and PcTattletale are commonly referred to as “Stalkerware” (or spouse wear). Because jealous spouses and partners use them to secretly monitor and investigate their loved ones. These companies often explicitly sell their products as a solution to catch fraud partners by encouraging illegal and unethical behavior. And there were multiple lawsuits, journalistic investigations, and domestic abuse shelters investigations that demonstrate that online stalking and surveillance could lead to real-world cases of harm and violence.
And that's why hackers are repeatedly targeting some of these companies.
Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation and a leading researcher and activist who has been researching and fighting Stalkerware for many years, said the Stalkerware industry is a “soft target.”
“The people who run these companies are probably the most cautious, but not really worried about the quality of their products,” Galperin told TechCrunch.
Given Stalkerware's history of compromise, that might be an understatement. And using these apps means that there is a lack of care to protect your customers, and as a result, the personal data of tens of thousands of unconscious victims is double irresponsible. Stalkerware customers are violating their partners by breaking the law and illegally spying on them, and putting everyone's data at risk.
History of stalker wear hacks
The gust of stalkerware violations began in 2017 when a group of hackers violated US-based Retina-X and Thailand-based Flexispy. These two hacks revealed that the company has a total of 130,000 customers worldwide.
At the time, proudly arguing for the responsibility of compromise, the hackers explicitly stated that their motivations were exposed and helped them destroy industries they deemed toxic and unethical.
“I burn them on the ground and never leave any of them to hide,” one of the hackers involved told Motherboard.
Referring to Flexispy, the hacker added: But I'm worried that they'll try to create themselves again in a new way. But if that's the case, I'll be there. ”
Despite Hack and years of negative public attention, Flexispy is still active today. The same cannot be said about Retina-X.
Hackers who infiltrated Retina-X wiped the server with the goal of blocking its operation. The company bounced back – and was hacked again a year later. A few weeks after the second violation, Retina-X announced it was closed.
A few days after the second Retina-X breach, the hackers hit Mobistealth and Spymaster Pro, stealing gigabytes of customers and business records, stealing victims' intercepted messages and exact GPS locations. Another stalkerware vendor, India-based spy human, encountered the same fate a few months later, with the hacker stealing text messages and calling out metadata.
A few weeks later, there was the first case of accidental data exposure rather than hack. Spy Fone left an Amazon Hosted S3 storage bucket online that is unprotected. This means that anyone could view and download text messages, photos, audio recordings, contacts, locations, scramble passwords, login information, Facebook messages, and more. All of that data was stolen from the victims, but most of them didn't know they were being spyed on. Their most sensitive personal data can't be made known that they are on the internet for everyone to see.
Other stalkerware companies that have been irresponsible online for years to leave customer and victim data irresponsible online are family trajectories, and are protected only by passwords that protect 281 gigabytes of personal data online. MSPY leaked more than 2 million customer records in 2018. Xnore allows customers to see personal data of other customer's goals, including chat messages, GPS coordinates, emails, photos, and more. Mobiispy left 25,000 audio recordings and 95,000 images on a server that anyone can access. KidsGuard had the incorrect server that leaked victim content. Before the hack, Pctattletale published a screenshot of the victim's device and uploaded it to a website that anyone can access. Xnspy has made developers leave their credentials and private keys in the app's code, allowing anyone to access the victim's data. And now, Spyzie, Cocospy and Spyic have published victim messages, photos, call logs, other personal data, and customer email addresses online.
Regarding other Stalkerware companies that were actually hacked, there was Copy9, where hackers stole all their surveillance target data, including text messages and WhatsApp messages, call recordings, photos, contacts, browser history. LetMespy shut down after a hacker wiped it violated the server. Brazil-based Webdetetive wiped away the server and hacked it again. OwnSpy, which provides a lot of Webdetive's backend software, has also been hacked. Spyhide is a vulnerability in the code that allows hackers to access backend databases and long-standing stolen data from around 60,000 victims. Sospy, a brand of Spyhide brand, has shut down once more. The latest MSPY hacks that are unrelated to the aforementioned leaks.
Finally, there is Thetruthspy, a network of stalkerware apps. This holds a suspicious record of hacking or data leaking at least three separate occasions.
Hacked, but not repented
Eight of these 23 Stalkerware Companies have been closed, according to a TechCrunch tally.
In the first unique case, the Federal Trade Commission banned activities in the surveillance industry following a previous security course in which Spyfone and its CEO Scott Zuckerman exposed victim data. Another stalkerware operation linked to Zuckerman, called Spytrac, was subsequently shut down following a TechCrunch investigation.
Two other companies not known to have been hacked, Telephone Officer and Histar, have also been shut down after New York Attorney General accused the New York Attorney General of explicitly encouraging customers to use the software for illegal surveillance.
But the fact that the company has been closed doesn't mean it's gone forever. Like Spyhide and Spyfone, some of the same owners and developers behind closed stalkerware makers have simply been rebranded.
“I think these hacks do things. They get things done and put dents in it,” Galperin said. “But if you hack the stalkerwear company, they simply swing their fists, curse your name, disappear with a puff of blue smoke and you think you'll never see it again, that's definitely not.”
“Most of the time, when you can actually kill a Stalkerware Company, the Stalkerware Company appears like a mushroom after the rain,” added Galperin.
There is some good news. In a report last year, security company MalwareBytes said its use of Stalkerware is declining, according to its own data from customers infected with this type of software. Galperin also reports that customers and prospects complain that they don't work as intended, seeing an increase in negative reviews for these apps.
However, Galperin said security companies may not be as good at detecting stalkerware as they used to, or that stalkers may have moved from software-based surveillance to physical surveillance that can be done by air tags and other Bluetooth-enabled trackers.
“Stalkerware doesn't exist in the vacuum. Stalkerware is part of the whole world of technology-responsive abuse,” says Galperin.
Say no to stalker wear
Using spyware to monitor your loved ones is not only unethical, but is also considered illegal surveillance in most jurisdictions.
That's an important reason why you don't already use Stalkerware. There have been issues that have proven many times that Stalkerware manufacturers cannot keep their data safe. Data belonging to the customer does not belong to the victim or target either.
Apart from spying on romantic partners and spouses, some people use stalkerwear apps to monitor their children. Although this type of use is legal, at least in the US, does not mean that using Snoop on a child's phone using Stalkerware is creepy and unethical.
Even if it's legal, Galperin believes that parents should not spy on their children without telling them and agreeing to them.
If parents notify their children and move on, they should move away from unstable and unreliable stalkerware apps and use parent tracking tools built into Apple's phones, tablets and Android devices that work more secure and openly.
Summary of violations and leaks
This is the complete list of Stalkerware companies that have been hacked or leaked sensitive data since 2017.
Updated on February 27, 2025, Spyzie will be included as the latest buggy stalkerwear app.
If you or someone you know needs help, the domestic domestic violence hotline (1-800-799-7233) provides secret support to victims of domestic abuse and violence 24/7. If you are in an emergency, call 911. If you think your phone is compromised by Spyware, then the federation against Stalkerware has resources.