There’s a complete shady business for individuals who wish to monitor and spy on their households. A number of app makers market their software program — typically known as stalkerware — to jealous companions who can use these apps to entry their victims’ telephones remotely.
But, regardless of how delicate this knowledge is, an rising variety of these firms are dropping big quantities of it.
In keeping with information.killnetswitch’s tally, counting the most recent knowledge leak of Spyzie, which comes shortly after the information exposures of Cocospy and Spyic, there have been not less than 24 stalkerware firms since 2017 which can be identified to have been hacked, or leaked buyer and victims’ knowledge on-line. That’s not a typo: No less than 24 stalkerware firms have both been hacked or had a major knowledge publicity lately. And 4 stalkerware firms had been hacked a number of instances.
Spyzie, Cocospy, and Spyic are the primary stalkerware firms in 2025 to have inadvertently uncovered delicate knowledge. The 2 surveillance operations left messages, photographs, name logs, and different private and delicate knowledge of tens of millions of victims uncovered on-line, in accordance with a security researcher who discovered a bug that allowed them to entry that knowledge.
The makers of Spyzie uncovered 518,643 distinctive electronic mail addresses of their clients. Within the case of Cocospy, the corporate leaked 1.81 million buyer electronic mail addresses, and Spyic leaked 880,167 buyer electronic mail addresses. That’s a complete of greater than 3.2 million electronic mail addresses, after eradicating duplicate addresses that appeared in each breaches, in accordance with an evaluation by Troy Hunt, who runs data breach notification web site Have I Been Pwned.
In 2024, there have been not less than 4 large stalkerware hacks. The final stalkerware breach in 2024 affected Spytech, a little-known spyware and adware maker primarily based in Minnesota, which uncovered exercise logs from the telephones, tablets, and computer systems monitored with its spyware and adware. Earlier than that, there was a breach at mSpy, one of many longest-running stalkerware apps, which uncovered tens of millions of buyer assist tickets, which included the private knowledge of tens of millions of its clients.
Beforehand, an unknown hacker broke into the servers of the U.S.-based stalkerware maker pcTattletale. The hacker then stole and leaked the corporate’s inside knowledge. In addition they defaced pcTattletale’s official web site with the purpose of embarrassing the corporate. The hacker referred to a current information.killnetswitch article the place we reported pcTattletale was used to watch a number of entrance desk check-in computer systems at a U.S. lodge chain.
Because of this hack, leak and disgrace operation, pcTattletale founder Bryan Fleming stated he was shutting down his firm.
Shopper spyware and adware apps like mSpy and pcTattletale are generally known as “stalkerware” (or spouseware) as a result of jealous spouses and companions use them to surreptitiously monitor and surveil their family members. These firms typically explicitly market their merchandise as options to catch dishonest companions by encouraging unlawful and unethical conduct. And there have been a number of court docket instances, journalistic investigations and surveys of home abuse shelters that present that on-line stalking and monitoring can result in instances of real-world hurt and violence.
And that’s why hackers have repeatedly focused a few of these firms.
Eva Galperin, the director of cybersecurity on the Digital Frontier Basis and a number one researcher and activist who has investigated and fought stalkerware for years, stated the stalkerware business is a “tender goal.”
“The individuals who run these firms are maybe not probably the most scrupulous or actually involved in regards to the high quality of their product,” Galperin advised information.killnetswitch.
Given the historical past of stalkerware compromises, that could be an understatement. And due to the shortage of care for safeguarding their very own clients — and consequently the private knowledge of tens of 1000’s of unwitting victims — utilizing these apps is doubly irresponsible. The stalkerware clients could also be breaking the legislation, abusing their companions by illegally spying on them, and, on prime of that, placing everybody’s knowledge in peril.
A historical past of stalkerware hacks
The flurry of stalkerware breaches started in 2017 when a gaggle of hackers breached the U.S.-based Retina-X and the Thailand-based FlexiSpy again to again. These two hacks revealed that the businesses had a complete variety of 130,000 clients all around the world.
On the time, the hackers who — proudly — claimed duty for the compromises explicitly stated their motivations had been to show and hopefully assist destroy an business that they take into account poisonous and unethical.
“I’m going to burn them to the bottom, and go away completely nowhere for any of them to cover,” one of many hackers concerned then advised Motherboard.
Referring to FlexiSpy, the hacker added: “I hope they’ll crumble and fail as an organization, and have a while to mirror on what they did. Nonetheless, I worry they could try to give start to themselves once more in a brand new kind. But when they do, I’ll be there.”
Regardless of the hack, and years of adverse public consideration, FlexiSpy continues to be energetic at present. The identical can’t be stated about Retina-X.
The hacker who broke into Retina-X wiped its servers with the purpose of hampering its operations. The corporate bounced again — after which it received hacked once more a 12 months later. A few weeks after the second breach, Retina-X introduced that it was shutting down.
Simply days after the second Retina-X breach, hackers hit Mobistealth and Spymaster Professional, stealing gigabytes of buyer and enterprise data, in addition to victims’ intercepted messages and exact GPS places. One other stalkerware vendor, the India-based SpyHuman, encountered the identical destiny a couple of months later, with hackers stealing textual content messages and name metadata, which contained logs of who known as who and when.
Weeks later, there was the primary case of unintended knowledge publicity, fairly than a hack. Spy Fone left an Amazon-hosted S3 storage bucket unprotected on-line, which meant anybody may see and obtain textual content messages, photographs, audio recordings, contacts, location, scrambled passwords and login data, Fb messages, and extra. All that knowledge was stolen from victims, most of whom didn’t know they had been being spied on, not to mention know their most delicate private knowledge was additionally on the web for all to see.
Different stalkerware firms that through the years have irresponsibly left clients’ and victims’ knowledge on-line are Household Orbit, which left 281 gigabytes of non-public knowledge on-line protected solely by an easy-to-find password; mSpy, which leaked over 2 million buyer data in 2018; Xnore, which let any of its clients see the private knowledge of different clients’ targets, which included chat messages, GPS coordinates, emails, photographs, and extra; MobiiSpy, which left 25,000 audio recordings and 95,000 photographs on a server accessible to anybody; KidsGuard, which had a misconfigured server that leaked victims’ content material; pcTattletale, which previous to its hack additionally uncovered screenshots of victims’ gadgets uploaded in actual time to a web site that anybody may entry; and Xnspy, whose builders left credentials and personal keys within the apps’ code, permitting anybody to entry victims’ knowledge; and now Spyzie, Cocospy and Spyic, which left victims’ messages, photographs, name logs, and different private knowledge, in addition to clients’ electronic mail addresses, uncovered on-line.
So far as different stalkerware firms that really received hacked, there was Copy9, which noticed a hacker steal the information of all its surveillance targets, together with textual content messages and WhatsApp messages, name recordings, photographs, contacts, and browser historical past; LetMeSpy, which shut down after hackers breached and wiped its servers; the Brazil-based WebDetetive, which additionally received its servers wiped, after which hacked once more; OwnSpy, which gives a lot of the back-end software program for WebDetetive, additionally received hacked; Spyhide, which had a vulnerability in its code that allowed a hacker to entry the back-end databases and years of stolen knowledge from round 60,000 victims; Oospy, which was a rebrand of Spyhide, shut down for a second time; and the most recent mSpy hack, which is unrelated to the beforehand talked about leak.
Lastly there may be TheTruthSpy, a community of stalkerware apps, which holds the doubtful document of getting been hacked or having leaked knowledge on not less than three separate events.
Hacked, however unrepented
Of those 23 stalkerware firms, eight have shut down, in accordance with information.killnetswitch’s tally.
In a primary and thus far distinctive case, the Federal Commerce Fee banned SpyFone and its chief government, Scott Zuckerman, from working within the surveillance business following an earlier security lapse that uncovered victims’ knowledge. One other stalkerware operation linked to Zuckerman, known as SpyTrac, subsequently shut down following a information.killnetswitch investigation.
PhoneSpector and Highster, one other two firms that aren’t identified to have been hacked, additionally shut down after New York’s legal professional normal accused the businesses of explicitly encouraging clients to make use of their software program for unlawful surveillance.
However an organization closing doesn’t imply it’s gone without end. As with Spyhide and SpyFone, among the identical house owners and builders behind a shuttered stalkerware maker merely rebranded.
“I do assume that these hacks do issues. They do accomplish issues, they do put a dent in it,” Galperin stated. “However should you assume that should you hack a stalkerware firm, that they’ll merely shake their fists, curse your title, disappear in a puff of blue smoke and by no means be seen once more, that has most positively not been the case.”
“What occurs most frequently, once you truly handle to kill a stalkerware firm, is that the stalkerware firm comes up like mushrooms after the rain,” Galperin added.
There may be some excellent news. In a report final 12 months, security agency Malwarebytes stated that the usage of stalkerware is declining, in accordance with its personal knowledge of shoppers contaminated with such a software program. Additionally, Galperin reviews seeing a rise in adverse critiques of those apps, with clients or potential clients complaining they don’t work as meant.
However, Galperin stated that it’s doable that security corporations aren’t pretty much as good at detecting stalkerware as they was, or stalkers have moved from software-based surveillance to bodily surveillance enabled by AirTags and different Bluetooth-enabled trackers.
“Stalkerware doesn’t exist in a vacuum. Stalkerware is an element of a complete world of tech-enabled abuse,” Galperin stated.
Say no to stalkerware
Utilizing spyware and adware to watch your family members shouldn’t be solely unethical, it’s additionally unlawful in most jurisdictions, because it’s thought-about illegal surveillance.
That’s already a major motive to not use stalkerware. Then there may be the problem that stalkerware makers have confirmed time and time once more that they can’t maintain knowledge safe — neither knowledge belonging to the purchasers nor their victims or targets.
Other than spying on romantic companions and spouses, some folks use stalkerware apps to watch their youngsters. Whereas such a use, not less than in the USA, is authorized, it doesn’t imply utilizing stalkerware to snoop in your children’ cellphone isn’t creepy and unethical.
Even when it’s lawful, Galperin thinks dad and mom shouldn’t spy on their youngsters with out telling them and with out their consent.
If dad and mom do inform their youngsters and get their go-ahead, dad and mom ought to keep away from insecure and untrustworthy stalkerware apps and use parental monitoring instruments constructed into Apple telephones and tablets and Android gadgets which can be safer and function overtly.
Recap of breaches and leaks
Right here’s the whole record of stalkerware firms which were hacked or have leaked delicate knowledge since 2017, in chronological order:
Up to date on February 27, 2025, to incorporate Spyzie as the most recent buggy stalkerware app.
When you or somebody you recognize wants assist, the Nationwide Home Violence Hotline (1-800-799-7233) gives 24/7 free, confidential assist to victims of home abuse and violence. In case you are in an emergency state of affairs, name 911. The Coalition Towards Stalkerware has sources should you assume your cellphone has been compromised by spyware and adware.
