Stalkerware: The Risks of Hacked & Leaked Spy Apps

July 2, 2025
The Growing Problem of Stalkerware Data Breaches

A concerning trend has emerged regarding applications designed for monitoring and surveillance, often utilized by individuals seeking to track family members. Numerous developers actively market software – frequently termed stalkerware – to partners experiencing jealousy, enabling remote access to victims’ mobile devices.

Increasing Data Exposure

Despite the highly sensitive nature of the personal information involved, a growing number of these companies are experiencing substantial data losses. This poses a significant risk to both the individuals using the software and, more importantly, those being monitored.

A History of Hacks and Leaks

Analysis indicates that at least 26 stalkerware companies have been compromised since 2017, resulting in the exposure of customer and victim data online. This figure is not an error; a minimum of 26 companies have either been hacked or suffered a significant data breach in recent years. Notably, four of these companies have been targeted multiple times.

Recent Breaches Highlight the Issue

The latest reported breach involves Catwatchful, with user data dating back to 2018 being exposed. This incident revealed the compromised private phone data of nearly 26,000 victims.

The Catwatchful data leak followed earlier breaches this year affecting SpyX, as well as data exposures from Cocospy, Spyic, and Spyzie. These incidents left messages, photos, call logs, and other sensitive information belonging to millions of victims accessible online, as discovered by a security researcher.

2024 Saw Multiple Incidents

Prior to this year, at least four major stalkerware hacks occurred in 2024. The most recent of these impacted Spytech, a spyware manufacturer located in Minnesota, exposing activity logs from monitored devices. Before that, mSpy, a long-standing stalkerware application, experienced a breach that exposed millions of customer support tickets containing personal data.

pcTattletale Shutdown Following Hack

An unknown attacker infiltrated the servers of U.S.-based pcTattletale, stealing and leaking internal data. The attacker also defaced the company’s website, referencing a TechCrunch article detailing pcTattletale’s use in monitoring computers at a U.S. hotel chain.

Following this incident, pcTattletale’s founder, Bryan Fleming, announced the company’s closure.

The Nature of Stalkerware

Applications like Catwatchful, SpyX, Cocospy, mSpy, and pcTattletale are commonly categorized as “stalkerware” or “spouseware” due to their frequent use by jealous spouses and partners to secretly monitor their loved ones.

Ethical and Legal Concerns

These companies often market their products as solutions for detecting infidelity, potentially encouraging illegal and unethical conduct. Investigations, court cases, and surveys of domestic abuse shelters have demonstrated a link between online stalking and real-world harm and violence.

This connection may partially explain the repeated targeting of these companies by hackers.

A "Soft Target" for Hackers

Eva Galperin, Director of Cybersecurity at the Electronic Frontier Foundation, and a prominent researcher in this field, describes the stalkerware industry as a “soft target.”

Galperin explained to TechCrunch that the individuals running these companies may not prioritize security or product quality.

Irresponsible Use and Data Risk

Considering the history of compromises, this assessment may be an understatement. The lack of diligence in protecting customer data – and consequently, the personal information of countless unsuspecting victims – renders the use of these applications particularly irresponsible. Customers utilizing stalkerware may be violating the law, abusing their partners through illegal surveillance, and simultaneously jeopardizing everyone’s data security.

A Chronicle of Stalkerware Security Breaches

The surge in stalkerware data breaches commenced in 2017, beginning with successive compromises of U.S.-based Retina-X and Thailand-based FlexiSpy. These two incidents collectively exposed data pertaining to a total of 130,000 customers globally.

The individuals responsible for these breaches openly declared their intent was to reveal and ultimately dismantle what they perceived as a harmful and unethical industry.

One hacker involved stated to Motherboard their determination to completely eradicate these companies, leaving them with no possibility of concealment.

Concerning FlexiSpy specifically, the hacker expressed a hope for the company’s failure and a period of introspection regarding their actions. They also vowed to reappear should the company attempt to re-establish itself under a different guise.

Despite facing a significant hack and sustained negative publicity, FlexiSpy continues to operate. However, Retina-X is no longer in business.

Following the initial breach, Retina-X’s servers were deliberately wiped to disrupt operations. The company attempted a recovery, but was subsequently hacked again a year later. Shortly after this second compromise, Retina-X announced its closure.

Almost simultaneously with the second Retina-X breach, Mobistealth and Spy Master Pro were targeted, resulting in the theft of gigabytes of customer and business records. This included intercepted victim communications and precise GPS location data. Similarly, SpyHuman, an India-based stalkerware vendor, experienced a breach a few months later, with hackers gaining access to text messages and call metadata.

Shortly thereafter, an instance of unintentional data exposure occurred, distinct from a direct hack.

SpyFone inadvertently left an Amazon S3 storage bucket unprotected, allowing public access to sensitive data. This included text messages, photos, audio recordings, contacts, location data, compromised passwords, login credentials, and Facebook messages – all stolen from victims unaware they were being monitored, or that their personal information was publicly accessible.

Beyond Catwatchful, numerous stalkerware companies have irresponsibly exposed customer and victim data online. These include Family Orbit, which left 281 gigabytes of personal data secured by a readily discoverable password; mSpy, which experienced a leak of over 2 million customer records in 2018; Xnore, which allowed customers to view the personal data of other customers’ targets; and MobiiSpy, which exposed 25,000 audio recordings and 95,000 images on a publicly accessible server. The instances continue with KidsGuard, pcTattletale, Xnspy, Spyzie, Cocospy and Spyic, all of which left victims’ data exposed.

Regarding companies subjected to actual hacks, in addition to SpyX earlier this year, Copy9 suffered a breach resulting in the theft of surveillance target data, including text messages, WhatsApp messages, call recordings, photos, contacts, and browsing history. LetMeSpy ceased operations after a server breach and data wipe. WebDetetive, based in Brazil, experienced a similar fate: its servers were deleted, and it was subsequently hacked again. OwnSpy, a provider of back-end software for WebDetetive, was also compromised. Spyhide had a code vulnerability that allowed access to backend databases, resulting in the theft of data from approximately 60,000 victims. Oospy, a rebrand of Spyhide, shut down for a second time, and mSpy experienced a separate, unrelated hack.

Finally, TheTruthSpy, a network of stalkerware applications, has been compromised or has leaked data on at least three separate occasions, earning it a regrettable distinction.

Compromised, Yet Unremorseful

According to TechCrunch’s assessment, eight out of the twenty-six identified stalkerware businesses have ceased operations.

The Federal Trade Commission took unprecedented action by prohibiting SpyFone and its CEO, Scott Zuckerman, from further involvement in the surveillance sector. This followed a prior data breach that revealed sensitive information belonging to victims. A related stalkerware venture, SpyTrac, was also discontinued after scrutiny from TechCrunch.

PhoneSpector and Highster, two additional companies without reported security breaches, were compelled to shut down after New York’s Attorney General alleged they actively promoted the use of their software for unlawful monitoring.

However, a company’s closure isn’t always permanent. Similar to Spyhide and SpyFone, individuals previously associated with a defunct stalkerware provider often simply rebrand their operations.

“I believe these security breaches have an impact; they achieve results and create setbacks,” stated Galperin. “But the assumption that a hacked stalkerware company will simply express outrage, then vanish completely is demonstrably false.”

Galperin further explained, “The typical outcome when a stalkerware company is effectively shut down is the emergence of new ones, appearing rapidly.”

There are encouraging signs. Malwarebytes, a security company, reported a decline in stalkerware usage in a recent report, based on their own customer infection data. Furthermore, Galperin has observed a rise in negative app reviews, with users and potential buyers expressing dissatisfaction with the software’s functionality.

Nevertheless, Galperin cautioned that security companies might be less effective at identifying stalkerware now, or that perpetrators may have shifted to physical surveillance methods utilizing devices like AirTags and other Bluetooth trackers.

“Stalkerware isn’t an isolated phenomenon. It’s an integral component of a broader landscape of technology-facilitated abuse,” Galperin emphasized.

The Cycle of Rebranding

  • Companies often rebrand after being shut down.
  • The same individuals are frequently involved in these new ventures.

Trends in Stalkerware

  • Declining Usage: Malwarebytes data suggests a decrease in stalkerware infections.
  • Negative Reviews: Increasing complaints about app functionality.
  • Shift to Physical Surveillance: Potential move towards using trackers like AirTags.
  • Tech-Enabled Abuse: Stalkerware is part of a larger pattern of abusive behavior facilitated by technology.

Rejecting the Use of Stalkerware

Employing spyware for the purpose of monitoring family members is not merely a question of ethics; it frequently constitutes illegal surveillance under the laws of many regions.

This legal aspect alone provides a compelling reason to abstain from utilizing stalkerware. Furthermore, developers of these applications have repeatedly demonstrated an inability to safeguard data, compromising the security of both users and those being monitored.

The application of stalkerware extends beyond monitoring romantic relationships; some individuals employ it to oversee their children’s activities. While this practice may be legally permissible in certain locations, such as the United States, it doesn’t negate the inherent creepiness and ethical concerns associated with surreptitiously tracking a child’s phone.

Even when usage is within legal boundaries, Eva Galperin argues that parental monitoring should not occur without the child’s knowledge and explicit permission.

Should parents choose to monitor their children with their consent, it is advisable to avoid insecure stalkerware applications. Instead, utilizing the built-in parental control features available on Apple and Android devices offers a safer and more transparent approach.

A Review of Stalkerware Data Breaches and Leaks

The following is a comprehensive listing of stalkerware organizations that have experienced data breaches or leaks since 2017. The information is presented in chronological order for clarity.

  • Retina-X (2017, 2018)
  • FlexiSpy (2017)
  • Mobistealth (2018)
  • Spy Master Pro (2018)
  • SpyHuman (2018)
  • SpyFone (2018)
  • Family Orbit (2018)
  • mSpy (2018, 2024)
  • Xnore (2018)
  • Copy9 (2018)
  • MobiiSpy (2019)
  • KidsGuard (2020)
  • pcTattletale (2021, 2024)
  • Xnspy (2022)
  • Spyhide (2023)
  • TheTruthSpy (2018, 2022, 2023, 2024)
  • LetMeSpy (2023)
  • WebDetetive (2023, 2024)
  • OwnSpy (2023)
  • Oospy (2023)
  • Spytech (2024)
  • Cocospy (2025)
  • Spyic (2025)
  • Spyzie (2025)
  • SpyX (2025)
  • Catwatchful (2025)

This article was initially published on July 16, 2024, and has been continually updated. The latest addition reflects the security issue recently discovered with Catwatchful.

Seeking Assistance: If you or someone you know is experiencing domestic violence, the National Domestic Violence Hotline (1-800-799-7233) offers 24/7 confidential support. If you are in immediate danger, please dial 911.

The Coalition Against Stalkerware provides valuable resources for individuals concerned about potential spyware compromise on their devices.