There is a whole shady industry for people who want to monitor and spy on their families. Multiple app makers market their software – sometimes referred to as stalkerware – to jealous partners who can use these apps to access their victims’ phones remotely.
Yet, despite how sensitive this data is, an increasing number of these companies are losing huge amounts of it.
According to TechCrunch’s tally, counting the latest data leak of Spyzie, which comes shortly after the data exposures of Cocospy and Spyic, there have been at least 24 stalkerware companies since 2017 that are known to have been hacked, or leaked customer and victims’ data online. That’s not a typo: at least 24 stalkerware companies have either been hacked or had a significant data exposure in recent years. And four stalkerware companies were hacked multiple times.
Spyzie, Cocospy, and Spyic are the first stalkerware companies in 2025 to have inadvertently exposed sensitive data. The two surveillance operations left messages, photos, call logs, and other personal and sensitive data of millions of victims exposed online, according to a security researcher who found a bug that allowed them to access that data.
The makers of Spyzie exposed 518,643 unique email addresses of their customers. In the case of Cocospy, the company leaked 1.81 million customer email addresses, and Spyic leaked 880,167 customer email addresses. That’s a total of more than 3.2 million email addresses, after removing duplicate addresses, according to Have I Been Pwned.
In 2024, there were at least four massive stalkerware hacks. The last stalkerware breach in 2024 affected Spytech, a little-known spyware maker based in Minnesota, which exposed activity logs from the phones, tablets, and computers monitored with its spyware. Before that, there was a breach at mSpy, one of the longest-running stalkerware apps, which exposed millions of customer support tickets, which included the personal data of millions of its customers.
Previously, an unknown hacker broke into the servers of the U.S.-based stalkerware maker pcTattletale. The hacker then stole and leaked the company’s internal data. They also defaced pcTattletale’s official website with the goal of embarrassing the company. The hacker referred to a recent TechCrunch article where we reported pcTattletale was used to monitor several front desk check-in computers at a U.S. hotel chain.
As a result of this hack, leak and shame operation, pcTattletale founder Bryan Fleming said he was shutting down his company.
Consumer spyware apps like mSpy and pcTattletale are commonly referred to as “stalkerware” because people use them to monitor their loved ones. These companies often explicitly market their products as solutions to catch cheating partners by encouraging illegal and unethical behavior. And there have been multiple court cases, journalistic investigations, and surveys of domestic abuse shelters that show that online stalking and monitoring can lead to cases of real-world harm and violence.
And that’s why hackers have repeatedly targeted some of these companies.
Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation and a leading researcher and activist who has investigated and fought stalkerware for years, said the stalkerware industry is a “soft target.”
“The people who run these companies are perhaps not the most scrupulous or really concerned about the quality of their product,” Galperin told TechCrunch.
Given the history of stalkerware compromises, that may be an understatement. And because of the lack of care for protecting their own customers – and consequently the personal data of tens of thousands of unwitting victims – using these apps is doubly irresponsible. The stalkerware customers may be breaking the law, abusing their partners by illegally spying on them, and on top of that, putting everyone’s data in danger.
A history of stalkerware hacks
The flurry of stalkerware breaches began in 2017 when a group of hackers breached the U.S.-based Retina-X and the Thailand-based FlexiSpy back to back. Those two hacks revealed that the companies had a total number of 130,000 customers all over the world.
At the time, the hackers who – proudly – claimed responsibility for the compromises explicitly said their motivations were to expose and hopefully help destroy an industry that they consider toxic and unethical.
“I’m going to burn them to the ground, and leave absolutely nowhere for any of them to hide,” one of the hackers involved then told Motherboard.
Referring to FlexiSpy, the hacker added: “I hope they’ll fall apart and fail as a company, and have some time to reflect on what they did. However, I fear they might try and give birth to themselves again in a new form. But if they do, I’ll be there.”
Despite the hack, and years of negative public attention, FlexiSpy is still active today. The same cannot be said about Retina-X.
The hacker who broke into Retina-X wiped its servers with the goal of hampering its operations. The company bounced back – and then it got hacked again a year later. A couple of weeks after the second breach, Retina-X announced that it was shutting down.
Just days after the second Retina-X breach, hackers hit Mobistealth and Spymaster Pro, stealing gigabytes of customer and business records, as well as victims’ intercepted messages and precise GPS locations. Another stalkerware vendor, the India-based SpyHuman, encountered the same fate a few months later, with hackers stealing text messages and call metadata, which contained logs of who called who and when.
Weeks later, there was the first case of accidental data exposure, rather than a hack. SpyFone left an Amazon-hosted S3 storage bucket unprotected online, which meant anyone could see and download text messages, photos, audio recordings, contacts, location, scrambled passwords and login information, Facebook messages, and more. All that data was stolen from victims, most of whom did not know they were being spied on, let alone know their most sensitive personal data was also on the internet for all to see.
Other stalkerware companies that over the years have irresponsibly left customers’ and victims’ data online are Family Orbit, which left 281 gigabytes of personal data online protected only by an easy-to-find password; mSpy, which leaked over 2 million customer records in 2018; Xnore, which let any of its customers see the personal data of other customers’ targets, which included chat messages, GPS coordinates, emails, photos, and more; Mobiispy, which left 25,000 audio recordings and 95,000 images on a server accessible to anyone; KidsGuard, which had a misconfigured server that leaked victims’ content; pcTattletale, which prior to its hack also exposed screenshots of victims’ devices uploaded in real time to a website that anyone could access; and Xnspy, whose developers left credentials and private keys in the apps’ code, allowing anyone to access victims’ data; and now Spyzie, Cocospy, and Spyic, which left victims’ messages, photos, call logs, and other personal data, as well as customers’ email addresses, exposed online.
As far as other stalkerware companies that actually got hacked, there was Copy9, which saw a hacker steal the data of all its surveillance targets, including text messages and WhatsApp messages, call recordings, photos, contacts, and browser history; LetMeSpy, which shut down after hackers breached and wiped its servers; the Brazil-based WebDetetive, which got its servers wiped, and then hacked again; OwnSpy, which provides much of the back-end software for WebDetetive, also got hacked; Spyhide, which had a vulnerability in its code that allowed a hacker to access the back-end databases and years of stolen data from around 60,000 victims; Oospy, which was a rebrand of Spyhide, shut down for a second time; and the latest mSpy hack, which is unrelated to the previously mentioned leak.
Finally there is TheTruthSpy, a network of stalkerware apps, which holds the dubious record of having been hacked or having leaked data on at least three separate occasions.
Hacked, but unrepentant
Of these 23 stalkerware companies, eight have shut down, according to TechCrunch’s tally.
In a first and so far unique case, the Federal Trade Commission banned SpyFone and its chief executive, Scott Zuckerman, from operating in the surveillance industry following an earlier security lapse that exposed victims’ data. Another stalkerware operation linked to Zuckerman, called SpyTrac, subsequently shut down following a TechCrunch investigation.
PhoneSpector and Highster, another two companies that are not known to have been hacked, also shut down after New York’s attorney general accused the companies of explicitly encouraging customers to use their software for illegal surveillance.
But a company closing doesn’t mean it’s gone forever. As with Spyhide and SpyFone, some of the same owners and developers behind a shuttered stalkerware maker simply rebranded.
“I do think that these hacks do things. They do accomplish things, they do put a dent in it,” Galperin said. “But if you think that if you hack a stalkerware company, that they will simply shake their fists, curse your name, disappear in a puff of blue smoke and never be seen again, that has most definitely not been the case.”
“What happens most often, when you actually manage to kill a stalkerware company, is that stalkerware companies come up like mushrooms after the rain,” Galperin added.
There is some good news. In a report last year, security firm Malwarebytes said that the use of stalkerware is declining, according to its own data of customers infected with this type of software. Also, Galperin reports seeing an increase in negative reviews of these apps, with customers or prospective customers complaining that they don’t work as intended.
But, Galperin said that it’s possible that security firms aren’t as good at detecting stalkerware as they used to be, or stalkers have moved from software-based surveillance to physical surveillance enabled by AirTags and other Bluetooth-enabled trackers.
“Stalkerware does not exist in a vacuum. Stalkerware is part of a whole world of tech-enabled abuse,” Galperin said.
Say no to stalkerware
Using spyware to monitor your loved ones is not only unethical, it’s also illegal in most jurisdictions, as it’s considered unlawful surveillance.
That is already a significant reason not to use stalkerware. Then there is the issue that stalkerware makers have proven time and time again that they cannot keep data secure – neither data belonging to the customers nor their victims or targets.
Apart from spying on romantic partners and spouses, some people use stalkerware apps to monitor their children. While this type of use, at least in the United States, is legal, it doesn’t mean using stalkerware to snoop on your kids’ phone isn’t creepy and unethical.
Even if it’s lawful, Galperin thinks parents should not spy on their children.
If parents do inform their children and get their go-ahead, parents should stay away from insecure and untrustworthy stalkerware apps and use parental tracking tools built into Apple phones and tablets and Android devices that are safer and operate overtly.
Recap of breaches and leaks
Here’s the complete list of stalkerware companies
Updated on February 27, 2025, to include Spyzie as the latest buggy stalkerware app.
If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides 24/7 free, confidential support to victims of domestic abuse and violence. If you are in an emergency situation, call 911. The Coalition Against Stalkerware has resources if you think your phone has been compromised by spyware.