There is a shady industry for those who want to monitor and spy on their families. Several app makers sell software (sometimes called stalkerware) to jealous partners who can use these apps to remotely access victims' phones.
But despite how sensitive this data is, the number of these companies is on the rise in massive decline.
According to TechCrunch's Tally, counting the latest data breaches for Spyx, there have been at least 25 Stalkerware companies since 2017 that have been known to have been hacked or leaked customer and victim data online. That's not a typo. At least 25 Stalkerware companies have been hacked or exposed to important data in recent years. Additionally, four stalkerwear companies have been hacked multiple times.
SPYX is the latest Stalkerware provider reportedly reported to have violated this year, but the violation itself dates back to mid-2024. The violation reveals that the Spyx family of apps damaged private telephone data for around 2 million victims during the violation.
SPYX violations occur after data exposures of messages, photos, call logs and other personal and sensitive data of millions of other victims, according to security researchers who found a bug that allowed access to that data.
Before this year, there were at least four major stalker wear hacks in 2024. The last stalkerware violation of 2024 affected SpyTech, a little-known spyware manufacturer based in Minnesota. Previously, there was a violation of MSPY, one of the longest-running stalkerware apps that publish millions of customer support tickets, including personal data from millions of customers.
Previously, an unknown hacker broke into the servers of US-based Stalkerware Maker Pctattletale. The hackers then stole and leaked internal company data. They also tainted the official Pctattletlea website with the goal of embarrassing the company. The hackers referenced a recent TechCrunch article. There, they reported that Pctattletale was used to monitor several front desk check-in computers in a US hotel chain.
As a result of this hack, leak and shame manipulation, PcTattleleale founder Bryan Fleming said he was closing his company.
Consumer spyware apps such as Spyx, Cocospy, Mspy, and Pctattletale are commonly referred to as “stalkerware” (or spouse wear).
These companies often explicitly sell their products as a solution to catch fraud partners by encouraging illegal and unethical behavior. And there were multiple lawsuits, journalistic investigations, and domestic abuse shelters investigations that demonstrate that online stalking and surveillance could lead to real-world cases of harm and violence.
And that's why hackers are repeatedly targeting some of these companies.
Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation and a leading researcher and activist who has been researching and fighting Stalkerware for many years, said the Stalkerware industry is a “soft target.”
“The people who run these companies are probably the most cautious, but not really worried about the quality of their products,” Galperin told TechCrunch.
Given Stalkerware's history of compromise, that might be an understatement. And using these apps means that there is a lack of care to protect your customers, and as a result, the personal data of tens of thousands of unconscious victims is double irresponsible. Stalkerware customers are violating their partners by breaking the law and illegally spying on them, and putting everyone's data at risk.
History of stalker wear hacks
The gust of stalkerware violations began in 2017 when a group of hackers violated US-based Retina-X and Thailand-based Flexispy. These two hacks revealed that the company has a total of 130,000 customers worldwide.
At the time, proudly arguing for the responsibility of compromise, the hackers explicitly stated that their motivations were exposed and helped them destroy industries they deemed toxic and unethical.
“I burn them on the ground and never leave any of them to hide,” one of the hackers involved told Motherboard.
Referring to Flexispy, the hacker added: “I hope they'll fall apart and fail as a company and have time to look back on what they've done, but I'm worried that they'll try to give birth to themselves again in a new way.
Despite Hack and years of negative public attention, Flexispy is still active today. The same cannot be said about Retina-X.
Hackers who infiltrated Retina-X wiped the server with the goal of blocking its operation. The company bounced back – and was hacked again a year later. A few weeks after the second violation, Retina-X announced it was closed.
A few days after the second Retina-X breach, the hackers hit Mobistealth and Spy Master Pro, stealing gigabytes of customers and business records, stealing victims' intercepted messages and exact GPS locations. Another stalkerware vendor, India-based spy human, encountered the same fate a few months later, with the hacker stealing text messages and calling out metadata.
A few weeks later, there was the first case of accidental data exposure rather than hack. Spyfone left an Amazon Hosted S3 storage bucket online that is unprotected. This means that everyone could view and download text messages, photos, audio recordings, contacts, locations, scramble passwords, login information, Facebook messages, and more. All of that data was stolen from the victims, but most of them didn't know they were being spyed on. Their most sensitive personal data can't be made known that they are on the internet for everyone to see.
Other stalkerware companies that have been irresponsibly leaving customer and victim data online for years irresponsible are Familyorbit, and are protected only by passwords that protect 281 gigabytes of personal data online. MSPY leaked more than 2 million customer records in 2018. Xnore allows customers to see personal data of other customer's goals, including chat messages, GPS coordinates, emails, photos, and more. Mobiispy left 25,000 audio recordings and 95,000 images on a server that anyone can access. KidsGuard had the incorrect server that leaked victim content. Before the hack, Pctattletale published a screenshot of the victim's device and uploaded it to a website that anyone can access. Xnspy has left developers with remaining qualifications and private keys in their app's code, allowing anyone to access the victim's data. And now, Spyzie, Cocospy and Spyic have kept victim messages, photos, call logs, other personal data, and customer email addresses publicly online.
Regarding other Stalkerware companies that were actually hacked, except for Spyx, there was Copy9. This has resulted in hackers stealing data from all surveillance targets, including text messages and WhatsApp messages, call recordings, photos, contacts, views, and more. LetMespy shut down after a hacker wiped it violated the server. Brazil-based Webdetetive wiped away the server and hacked it again. OwnSpy, which provides a lot of Webdetive's backend software, has also been hacked. Spyhide has a code vulnerability that allowed hackers to access backend databases and access data from around 60,000 victims over the years. Sospy, a brand of Spyhide brand, has shut down once more. The latest MSPY hacks that are unrelated to the aforementioned leaks.
Finally, there is Thetruthspy, a network of stalkerware apps. This holds a suspicious record of hacking or data leaking at least three separate occasions.
Hacked, but not repented
Eight of these 25 Stalkerware Companies have been closed, according to a TechCrunch tally.
In the first unique case, the Federal Trade Commission banned activities in the surveillance industry following a previous security course in which Spyfone and its CEO Scott Zuckerman exposed victim data. Another stalkerware operation linked to Zuckerman, called Spytrac, was subsequently shut down following a TechCrunch investigation.
Two other companies not known to have been hacked, the Telephone Officer and Histar, have also shut down after New York Attorney General accused the New York Attorney General of explicitly encouraging customers to use the software for illegal surveillance.
But the fact that the company has been closed doesn't mean it's gone forever. Like Spyhide and Spyfone, some of the same owners and developers behind closed stalkerware makers have simply been rebranded.
“I think these hacks do things. They accomplish things and put a dent in it,” Galperin said. “But if you hack the stalkerwear company, they simply swing their fists, curse your name, disappear with a puff of blue smoke and you're going to never see it again, that's definitely not.”
“Most of the time, when you can actually kill a Stalkerware Company, the Stalkerware Company appears like a mushroom after the rain,” added Galperin.
There is some good news. In a report last year, security company MalwareBytes said its use of Stalkerware is declining, according to its own data from customers infected with this type of software. Galperin also reports that customers and prospects complain that they don't work as intended, seeing an increase in negative reviews for these apps.
However, Galperin said security companies may not be as good at detecting stalkerware as they used to, or that stalkers may have moved from software-based surveillance to physical surveillance that can be done by air tags and other Bluetooth-enabled trackers.
“Stalkerwear doesn't exist in the vacuum. Stalkerwear is part of a world of tech-responsive abuse,” Galperin said.
Say no to stalker wear
Using spyware to monitor your loved ones is not only unethical, but is also considered illegal surveillance in most jurisdictions.
That's an important reason why you don't already use Stalkerware. There have been issues that have proven many times that Stalkerware manufacturers cannot keep their data safe. Data belonging to the customer does not belong to the victim or target either.
Apart from spying on romantic partners and spouses, some people use stalkerwear apps to monitor their children. Although this type of use is legal, at least in the US, using Snoop on a child's phone using Stalkerware does not mean it's creepy and unethical.
Even if it's legal, Galperin believes that parents should not spy on their children without telling them and agreeing to them.
If parents notify their children and move on, they should move away from unstable and unreliable stalkerware apps and use parent tracking tools built into Apple's phones, tablets and Android devices that work more secure and obviously.
Summary of violations and leaks
This is the complete list of Stalkerware companies that have been hacked or leaked sensitive data since 2017.
Updated on March 19, 2025, we have included Spyx as the latest violation of our Stalkerware provider.
If you or someone you know needs help, the domestic domestic violence hotline (1-800-799-7233) provides secret support to victims of domestic abuse and violence 24/7. If you are in an emergency, call 911. If you think your phone is compromised by Spyware, then the federation against Stalkerware has resources.