A shady industry exists for people who want to monitor and spy on their families. Multiple app makers advertise and promote their software (often referred to as stalkerware) to jealous partners who can use these apps to gain remote access to victims' phones.
Yet despite how sensitive this personal data is, a growing number of these companies are losing vast amounts of it.
There are at least 27 stalkerware companies known to have been hacked or leaked customer or victim data online since 2017, according to TechCrunch's ongoing tally, including the latest data breach related to uMobix.
That's not a typo. Dozens of stalkerware companies have been hacked or had critical data leaked in recent years. And at least four stalkerware companies have been hacked multiple times.
The maker of uMobix and related mobile tracking apps such as Geofinder and Peekviewer is the latest stalkerware provider to expose sensitive customer data after hacktivists collected the payment information of more than 500,000 customers and published it online. The hacktivist said he did this as a means to track stalkerware apps, following in the footsteps of two hacktivist groups that infiltrated Retina-X and FlexiSpy nearly a decade ago.
The uMobix data breach comes after last year's Catwatchful breach, which was used to compromise the phone data of at least 26,000 victims. Catwatchful is just one of several stalkerware incidents in 2025, including data breaches from the SpyX, Cocospy, Spyic, and Spyzie surveillance operations, which exposed millions of victims' messages, photos, call logs, and other personal and sensitive data online, according to the security researchers who discovered the bug that made the data accessible.
Before 2025, there were at least four major stalkerware hacks in 2024.
The last stalkerware breach in 2024 affected Spytech, a little-known spyware maker based in Minnesota, exposing activity logs on phones, tablets, and computers monitored by the spyware. Before that, one of the longest-running stalkerware apps, mSpy, suffered a breach that exposed millions of customer support tickets containing the personal data of millions of customers.
Previously, unknown hackers infiltrated the servers of US-based stalkerware manufacturer pcTattletale. The hackers then stole and leaked the company's internal data. They also defaced pcTattletale's official website in an attempt to embarrass the company. The hackers referenced a recent TechCrunch article that reported that pcTattletale was used to monitor multiple front desk check-in computers at a U.S. hotel chain.
As a result of this hack, leak, and disgrace, pcTattletale founder Brian Fleming said he was shutting down the company. Earlier this year, Fleming pleaded guilty to charges of computer hacking, selling and promoting surveillance software for illegal use, and conspiracy.
Consumer spyware apps such as uMobix, Catwatchful, SpyX, Cocospy, mSpy, and pcTattletale are commonly referred to as “stalkerware” (or spouseware) because they are used by jealous spouses or partners to secretly monitor their loved ones.
These companies often explicitly promote their products as a solution for catching cheating partners, encouraging illegal and unethical behavior. Multiple court cases, media investigations, and domestic violence shelter research have shown that online stalking and surveillance can lead to real-world harm and incidents of violence.
That's part of the reason why hackers have repeatedly targeted some of these companies.
Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation and a leading researcher and activist who has researched and fought stalkerware for years, said the stalkerware industry is a “soft target.”
“The people running these companies are probably not that careful or really concerned about the quality of their products,” Galperin told TechCrunch.
Considering the history of stalkerware breaches, this may be an understatement. And because these companies show so little concern for protecting their own customers and, as a result, the personal data of tens of thousands of unwitting victims, using these apps is doubly irresponsible. Stalkerware customers may be breaking the law, illegally spying on and abusing their partners, and even putting everyone's data at risk.
History of stalkerware hacking
The spate of stalkerware breaches began in 2017, when a hacker group compromised US-based Retina-X and Thailand-based FlexiSpy in succession. The two hacks revealed that the companies had a total of 130,000 customers around the world.
At the time, the hackers who proudly claimed responsibility for the breach made it clear that their motive was to expose and, if possible, help disrupt an industry they considered harmful and unethical.
“I'm going to burn them down and leave them no place to hide,” one of the hackers involved told Motherboard.
Referring to FlexiSpy, the hacker added, “I wish they would fall apart and fail as a company and have time to reflect on what they've done. But I'm worried they'll try to reinvent themselves again in a new form. But if that happens, I'll be there.”
Despite hacks and years of negative public attention, FlexiSpy remains active. The same cannot be said for Retina-X.
Hackers who infiltrated Retina-X wiped the server in an attempt to disrupt its operations. The company bounced back, but was hacked again a year later. A few weeks after the second breach, Retina-X announced it would shut down.
Just days after the second Retina-X breach, hackers attacked Mobistealth and Spy Master Pro, stealing gigabytes of customer and company records, as well as victims' intercepted messages and precise GPS locations. SpyHuman, another India-based stalkerware vendor, met the same fate a few months later, when hackers stole text messages and call metadata, including logs of who called and when.
A few weeks later came the first case of data being leaked by accident rather than by a hack.
SpyFone left Amazon-hosted S3 storage buckets unprotected online, allowing anyone to view and download text messages, photos, voice recordings, contacts, location data, scrambled passwords and logins, Facebook messages, and more. All this data was stolen from the victims, most of whom had no idea they were being spied on, much less that their most sensitive personal data would be published on the internet for everyone to see.
In addition to uMobix, other stalkerware companies that have irresponsibly left the data of their customers and victims online over the years include mSpy, which exposed over 2 million customer records in 2018; Xnore, which allowed customers to view the personal data of other customers' targets, including chat messages, GPS coordinates, emails, photos, and more; and MobiiSpy, which left 25,000 audio recordings and 95,000 images on a publicly accessible server.
The list goes on. KidsGuard in 2020 had a misconfigured server that exposed victims' content. Before the 2024 hack, pcTattletale uploaded and published screenshots of victims' devices in real time on a publicly accessible website. Xnspy's developers left credentials and a private key in the app's code, allowing anyone to access victims' data. Spyzie, Cocospy, and Spyic left victims' messages, photos, call logs, and other personal data, as well as customers' email addresses, exposed online. Catwatchful published a complete database of customer email addresses and cleartext passwords.
Apart from SpyX, the other stalkerware company that was actually hacked was Copy9, in early 2025. In the Copy9 hack, hackers stole all of its surveillance data, including text messages, WhatsApp messages, call recordings, photos, contacts, and browsing history. LetMeSpy shut down after hackers broke into its servers and wiped data. And Brazil-based WebDetetive also had its servers taken down and was then hacked again.
OwnSpy, which provides much of WebDetetive's backend software, was also hacked. Spyhide had vulnerabilities in its code that allowed hackers to access its backend database, allowing the data of approximately 60,000 victims to be stolen over the years. Oospy, a rebrand of Spyhide, has shut down for the second time. Finally, there is TheTruthSpy, a network of stalkerware apps. It has the dubious record of having been hacked or having leaked data on at least three occasions.
Hacked but unrepentant
Eight of these 27 stalkerware companies have been shut down, according to a tally compiled by TechCrunch.
In a first-of-its-kind case, the Federal Trade Commission banned SpyFone and its CEO Scott Zuckerman from operating in the surveillance industry following previous security lapses that compromised victims' data. Another related operation called SpyTrac was shut down following TechCrunch's investigation. Last year, the FTC upheld a ban against Zuckerman.
Two stalkerware apps, PhoneSpector and Highster, which were not known to have been hacked, were also shut down by New York's attorney general after the attorney general accused the companies of explicitly encouraging customers to use the software for illegal surveillance purposes.
But just because a company closes doesn't mean it's gone forever. As with Spyhide and SpyFone, some of the same owners and developers behind a shuttered stalkerware maker simply rebranded it.
“I think these hacks do something. They certainly accomplish something and put a dent in it,” Galperin said. “But if you think that if you hack into a stalkerware company, they'll just shake their fists, curse your name, and disappear in a puff of blue smoke, never to be seen again, that's definitely not the case.”
“The most common thing that happens when you actually succeed in taking down a stalkerware company is that they pop up like bamboo shoots after the rain,” Galperin added.
There is some good news. Security firm Malwarebytes said in a 2023 report that the use of stalkerware is on the decline, according to its data on customers infected with this type of software. Galperin also reports an increase in negative reviews of these apps, with customers or prospects complaining that they don't work as intended.
But Galperin said security companies may be less able to detect stalkerware than they used to be, or stalkers may be moving from software-based surveillance to physical surveillance enabled by AirTags and other Bluetooth-enabled trackers.
“Stalkerware does not exist in a vacuum. Stalkerware is part of a larger world of technology-enabled exploits,” Galperin said.
Say no to stalkerware
Using spyware to monitor your loved ones is not only unethical, it is also considered illegal surveillance in most jurisdictions.
That's already an important reason not to use stalkerware. Adding to the problem is that stalkerware makers have proven time and time again that they are unable to keep data safe, whether that data belongs to their customers or to their victims or targets.
In addition to monitoring lovers and spouses, some people use stalkerware apps to monitor their children. This kind of use is legal, at least in the United States, but that doesn't mean using stalkerware to spy on your child's cell phone isn't creepy and unethical.
Galperin believes that parents should not spy on their children without their knowledge or consent, even if it is used in a legal way.
If parents notify their children and get their permission, parents should move away from less secure and untrusted stalkerware apps and instead use safer, more overt parental tracking tools built into Apple phones, tablets, and Android devices.
Hacks and Breaches Summary
Below is a complete chronological list of stalkerware companies that have been hacked or had sensitive data leaked since 2017.
First published on July 16, 2024 and updated to include uMobix as the latest stalkerware app with security issues.
If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides free and confidential support to victims of domestic violence 24/7. If you are in an emergency, please call 911. If you think your phone has been compromised by spyware, the Coalition Against Stalkerware has resources.

