There’s a entire shady business for individuals who need to monitor and spy on their households. A number of app makers market their software program — generally known as stalkerware — to jealous companions who can use these apps to entry their victims’ telephones remotely.
But, regardless of how delicate this information is, an growing variety of these corporations are dropping big quantities of it.
In keeping with TechCrunch’s tally, counting the newest information exposures of Cocospy and Spyic, there have been at the least 23 stalkerware corporations since 2017 which can be recognized to have been hacked or that leaked clients’ and victims’ information on-line. That’s not a typo: No less than 23 stalkerware corporations have both been hacked or had a big information publicity in recent times. And 4 stalkerware corporations have been hacked a number of occasions.
Cocospy and Spyic are the primary stalkerware corporations in 2025 to have inadvertently uncovered delicate information. The 2 surveillance operations left messages, pictures, name logs, and different private and delicate information of thousands and thousands of victims uncovered on-line, in response to a safety researcher who discovered a bug that allowed them to entry that information.
Within the case of Cocospy, the corporate leaked 1.81 million buyer e-mail addresses, and Spyic leaked 880,167 buyer e-mail addresses. That’s a complete of two.65 million e-mail addresses, after eradicating duplicate addresses that appeared in each breaches, in response to an evaluation by Troy Hunt, who runs information breach notification website Have I Been Pwned.
In 2024, there have been at the least 4 large stalkerware hacks. The final stalkerware breach in 2024 affected Spytech, a little-known adware maker based mostly in Minnesota, which uncovered exercise logs from the telephones, tablets, and computer systems monitored with its adware. Earlier than that, there was a breach at mSpy, one of many longest-running stalkerware apps, which uncovered thousands and thousands of buyer help tickets that included the non-public information of thousands and thousands of its clients.
Beforehand, an unknown hacker broke into the servers of the U.S.-based stalkerware maker pcTattletale. The hacker then stole and leaked the corporate’s inner information. Additionally they defaced pcTattletale’s official web site with the aim of embarrassing the corporate. The hacker referred to a current TechCrunch article the place we reported pcTattletale was used to watch a number of entrance desk check-in computer systems at a U.S. resort chain.
Because of this hack, leak and disgrace operation, pcTattletale founder Bryan Fleming mentioned he was shutting down his firm.
Shopper adware apps like mSpy and pcTattletale are generally known as “stalkerware” (or spouseware) as a result of jealous spouses and companions use them to surreptitiously monitor and surveil their family members. These corporations usually explicitly market their merchandise as options to catch dishonest companions by encouraging unlawful and unethical conduct. And there have been multiple court cases, journalistic investigations, and surveys of domestic abuse shelters that present that on-line stalking and monitoring can result in circumstances of real-world hurt and violence.
And that’s why hackers have repeatedly focused a few of these corporations.
Eva Galperin, the director of cybersecurity on the Digital Frontier Basis and a number one researcher and activist who has investigated and fought stalkerware for years, mentioned the stalkerware business is a “mushy goal.”
“The individuals who run these corporations are maybe not essentially the most scrupulous or actually involved concerning the high quality of their product,” Galperin instructed TechCrunch.
Given the historical past of stalkerware compromises, which may be an understatement. And due to the dearth of care for safeguarding their very own clients — and consequently the non-public information of tens of hundreds of unwitting victims — utilizing these apps is doubly irresponsible. The stalkerware clients could also be breaking the legislation, abusing their companions by illegally spying on them, and, on prime of that, placing everybody’s information in peril.
A historical past of stalkerware hacks
The flurry of stalkerware breaches started in 2017 when a bunch of hackers breached the U.S.-based Retina-X and the Thailand-based FlexiSpy again to again. These two hacks revealed that the businesses had a complete variety of 130,000 clients all around the world.
On the time, the hackers who — proudly — claimed duty for the compromises explicitly mentioned their motivations have been to reveal and hopefully assist destroy an business that they take into account poisonous and unethical.
“I’m going to burn them to the bottom, and depart completely nowhere for any of them to cover,” one of many hackers concerned then instructed Motherboard.
Referring to FlexiSpy, the hacker added: “I hope they’ll crumble and fail as an organization, and have a while to replicate on what they did. Nevertheless, I worry they may try to give beginning to themselves once more in a brand new type. But when they do, I’ll be there.”
Regardless of the hack, and years of unfavorable public consideration, FlexiSpy remains to be lively right this moment. The identical can’t be mentioned about Retina-X.
The hacker who broke into Retina-X wiped its servers with the aim of hampering its operations. The corporate bounced again — and then it got hacked again a year later. A few weeks after the second breach, Retina-X announced that it was shutting down.
Simply days after the second Retina-X breach, hackers hit Mobistealth and Spymaster Pro, stealing gigabytes of buyer and enterprise data, in addition to victims’ intercepted messages and exact GPS areas. One other stalkerware vendor, the India-based SpyHuman, encountered the identical destiny a couple of months later, with hackers stealing textual content messages and name metadata, which contained logs of who referred to as who and when.
Weeks later, there was the primary case of unintended information publicity, quite than a hack. Spy Fone left an Amazon-hosted S3 storage bucket unprotected online, which meant anybody might see and obtain textual content messages, pictures, audio recordings, contacts, location, scrambled passwords and login data, Fb messages, and extra. All that information was stolen from victims, most of whom didn’t know they have been being spied on, not to mention know their most delicate private information was additionally on the web for all to see.
Different stalkerware corporations that over time have irresponsibly left clients’ and victims’ information on-line are Household Orbit, which left 281 gigabytes of private information on-line protected only by an easy-to-find password; mSpy, which leaked over 2 million buyer data in 2018; Xnore, which let any of its customers see the personal data of other customers’ targets, which included chat messages, GPS coordinates, emails, pictures, and extra; MobiiSpy, which left 25,000 audio recordings and 95,000 pictures on a server accessible to anyone; KidsGuard, which had a misconfigured server that leaked victims’ content material; pcTattletale, which previous to its hack additionally exposed screenshots of victims’ devices uploaded in real time to an internet site that anybody might entry; and Xnspy, whose builders left credentials and personal keys within the apps’ code, permitting anybody to entry victims’ information; and now Cocospy and Spyic, which left victims’ messages, pictures, name logs, and different private information, in addition to clients’ e-mail addresses, uncovered on-line.
So far as different stalkerware corporations that really acquired hacked, there was Copy9, which noticed a hacker steal the data of all its surveillance targets, together with textual content messages and WhatsApp messages, name recordings, pictures, contacts, and browser historical past; LetMeSpy, which shut down after hackers breached and wiped its servers; the Brazil-based WebDetetive, which also got its servers wiped, and then hacked again; OwnSpy, which supplies a lot of the back-end software program for WebDetetive, additionally acquired hacked; Spyhide, which had a vulnerability in its code that allowed a hacker to entry the back-end databases and years of stolen information from round 60,000 victims; Oospy, which was a rebrand of Spyhide, shut down for a second time; and the newest mSpy hack, which is unrelated to the beforehand talked about leak.
Lastly there’s TheTruthSpy, a community of stalkerware apps, which holds the doubtful report of getting been hacked or having leaked information on at the least three separate events.
Hacked, however unrepented
Of those 23 stalkerware corporations, eight have shut down, in response to TechCrunch’s tally.
In a primary and to this point distinctive case, the Federal Commerce Fee banned SpyFone and its chief government, Scott Zuckerman, from working within the surveillance business following an earlier safety lapse that uncovered victims’ information. One other stalkerware operation linked to Zuckerman, referred to as SpyTrac, subsequently shut down following a TechCrunch investigation.
PhoneSpector and Highster, one other two corporations that aren’t recognized to have been hacked, additionally shut down after New York’s legal professional normal accused the businesses of explicitly encouraging clients to make use of their software program for unlawful surveillance.
However an organization closing doesn’t imply it’s gone perpetually. As with Spyhide and SpyFone, among the similar house owners and builders behind a shuttered stalkerware maker merely rebranded.
“I do suppose that these hacks do issues. They do accomplish issues, they do put a dent in it,” Galperin mentioned. “However in case you suppose that in case you hack a stalkerware firm, that they may merely shake their fists, curse your identify, disappear in a puff of blue smoke and by no means be seen once more, that has most positively not been the case.”
“What occurs most frequently, while you really handle to kill a stalkerware firm, is that the stalkerware firm comes up like mushrooms after the rain,” Galperin added.
There may be some excellent news. In a report final 12 months, safety agency Malwarebytes mentioned that the use of stalkerware is declining, in response to its personal information of consumers contaminated with one of these software program. Additionally, Galperin studies seeing a rise in unfavorable critiques of those apps, with clients or potential clients complaining they don’t work as supposed.
However, Galperin mentioned that it’s attainable that safety companies aren’t nearly as good at detecting stalkerware as they was once, or stalkers have moved from software-based surveillance to bodily surveillance enabled by AirTags and different Bluetooth-enabled trackers.
“Stalkerware doesn’t exist in a vacuum. Stalkerware is a component of a complete world of tech-enabled abuse,” Galperin mentioned.
Say no to stalkerware
Utilizing adware to watch your family members just isn’t solely unethical, it’s additionally unlawful in most jurisdictions, because it’s thought-about illegal surveillance.
That’s already a big purpose to not use stalkerware. Then there’s the problem that stalkerware makers have confirmed time and time once more that they can not hold information safe — neither information belonging to the shoppers nor their victims or targets.
Other than spying on romantic companions and spouses, some folks use stalkerware apps to watch their youngsters. Whereas one of these use, at the least in america, is authorized, it doesn’t imply utilizing stalkerware to snoop in your children’ cellphone isn’t creepy and unethical.
Even when it’s lawful, Galperin thinks mother and father mustn’t spy on their youngsters with out telling them and with out their consent.
If mother and father do inform their youngsters and get their go-ahead, mother and father ought to steer clear of insecure and untrustworthy stalkerware apps and use parental monitoring instruments constructed into Apple phones and tablets and Android devices which can be safer and function overtly.
Recap of breaches and leaks
Right here’s the whole record of stalkerware corporations which have been hacked or have leaked delicate information since 2017, in chronological order:
Up to date on February 20, 2025, to incorporate Cocospy and Spyic as the newest set of buggy stalkerware apps.
If you happen to or somebody you understand wants assist, the Nationwide Home Violence Hotline (1-800-799-7233) supplies 24/7 free, confidential help to victims of home abuse and violence. In case you are in an emergency scenario, name 911. The Coalition Against Stalkerware has assets in case you suppose your cellphone has been compromised by adware.