Hacked, leaked, exposed: Why you should never use stalkerware apps

Lorenzo Franceschi-Bicchierai

Updated 25 July 2024 at 2:32 pm·9-min read

There is a whole shady industry for people who want to monitor and spy on their families. Multiple app makers market their software — sometimes referred to as stalkerware — to jealous partners who can use these apps to access their victims’ phones remotely.

Yet, despite how sensitive this data is, an increasing number of these companies are losing huge amounts of it.

According to TechCrunch’s tally, counting the latest hack on Spytech, there have been at least 21 stalkerware companies since 2017 that are known to have been hacked, or leaked customer and victims’ data online. That’s not a typo: At least 21 stalkerware companies have either been hacked or had a significant data exposure in recent years. And four stalkerware companies were hacked multiple times.

In 2024 alone, there have been at least four massive stalkerware hacks. The most recent breach affected Spytech, a little-known spyware maker based in Minnesota, which exposed activity logs from the phones, tablets, and computers monitored with its spyware. Before that, there was a breach at mSpy, one of the longest-running stalkerware apps, which exposed millions of customer support tickets, which included the personal data of millions of its customers.

Previously, an unknown hacker broke into the servers of the U.S.-based stalkerware maker pcTattletale. The hacker then stole and leaked the company’s internal data. They also defaced pcTattletale’s official website with the goal of embarrassing the company. The hacker referred to a recent TechCrunch article where we reported pcTattletale was used to monitor several front desk check-in computers at a U.S. hotel chain.

As a result of this hack, leak and shame operation, pcTattletale founder Bryan Fleming said he was shutting down his company.

Consumer spyware apps like mSpy and pcTattletale are commonly referred to as "stalkerware" (or spouseware) because jealous spouses and partners use them to surreptitiously monitor and surveil their loved ones. These companies often explicitly market their products as solutions to catch cheating partners by encouraging illegal and unethical behavior. And there have been multiple court cases, journalistic investigations and surveys of domestic abuse shelters that show that online stalking and monitoring can lead to cases of real-world harm and violence.

And that’s why hackers have repeatedly targeted some of these companies.

Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation and a leading researcher and activist who has investigated and fought stalkerware for years, said the stalkerware industry is a “soft target.”

“The people who run these companies are perhaps not the most scrupulous or really concerned about the quality of their product,” Galperin told TechCrunch.

Given the history of stalkerware compromises, that may be an understatement. And because of the lack of care for protecting their own customers — and consequently the personal data of tens of thousands of unwitting victims — using these apps is doubly irresponsible. The stalkerware customers may be breaking the law, abusing their partners by illegally spying on them, and, on top of that, putting everyone’s data in danger.

A history of stalkerware hacks

The flurry of stalkerware breaches began in 2017 when a group of hackers breached the U.S.-based Retina-X and the Thailand-based FlexiSpy back to back. Those two hacks revealed that the companies had a total number of 130,000 customers all over the world.

At the time, the hackers who — proudly — claimed responsibility for the compromises explicitly said their motivations were to expose and hopefully help destroy an industry that they consider toxic and unethical.

“I’m going to burn them to the ground, and leave absolutely nowhere for any of them to hide,” one of the hackers involved then told Motherboard.

Referring to FlexiSpy, the hacker added: “I hope they’ll fall apart and fail as a company, and have some time to reflect on what they did. However, I fear they might try and give birth to themselves again in a new form. But if they do, I’ll be there.”

Despite the hack, and years of negative public attention, FlexiSpy is still active today. The same cannot be said about Retina-X.

The hacker who broke into Retina-X wiped its servers with the goal of hampering its operations. The company bounced back — and then it got hacked again a year later. A couple of weeks after the second breach, Retina-X announced that it was shutting down.

Just days after the second Retina-X breach, hackers hit Mobistealth and Spy Master Pro, stealing gigabytes of customer and business records, as well as victims’ intercepted messages and precise GPS locations. Another stalkerware vendor, the India-based SpyHuman, encountered the same fate a few months later, with hackers stealing text messages and call metadata, which contained logs of who called who and when.

Weeks later, there was the first case of accidental data exposure, rather than a hack. SpyFone left an Amazon-hosted S3 storage bucket unprotected online, which meant anyone could see and download text messages, photos, audio recordings, contacts, location, scrambled passwords and login information, Facebook messages and more. All that data was stolen from victims, most of whom did not know they were being spied on, let alone know their most sensitive personal data was also on the internet for all to see.

Other stalkerware companies that over the years have irresponsibly left customer and victims’ data online are FamilyOrbit, which left 281 gigabytes of personal data online protected only by an easy-to-find password; mSpy, which leaked over 2 million customer records in 2018; Xnore, which let any of its customers see the personal data of other customers’ targets, which included chat messages, GPS coordinates, emails, photos and more; MobiiSpy, which left 25,000 audio recordings and 95,000 images on a server accessible to anyone; KidsGuard, which had a misconfigured server that leaked victims’ content; pcTattletale, which prior to its hack also exposed screenshots of victims’ devices uploaded in real time to a website that anyone could access; and Xnspy, whose developers left credentials and private keys left in the apps’ code, allowing anyone to access victims’ data.

As far as other stalkerware companies that actually got hacked, there was Copy9, which saw a hacker steal the data of all its surveillance targets, including text messages and WhatsApp messages, call recordings, photos, contacts and browser history; LetMeSpy, which shut down after hackers breached and wiped its servers; the Brazil-based WebDetetive, which also got its servers wiped, and then hacked again; OwnSpy, which provides much of the back-end software for WebDetetive, also got hacked; Spyhide, which had a vulnerability in its code that allowed a hacker to access the back-end databases and years of stolen around 60,000 victims’ data; Oospy, which was a rebrand of Spyhide, shut down for a second time; and the latest mSpy hack, which is unrelated to the previously mentioned leak.

Finally there is TheTruthSpy, a network of stalkerware apps, which holds the dubious record of having been hacked or having leaked data on at least three separate occasions.

Hacked, but unrepented

Of these 21 stalkerware companies, eight have shut down, according to TechCrunch’s tally.

In a first and so far unique case, the Federal Trade Commission banned SpyFone and its chief executive, Scott Zuckerman, from operating in the surveillance industry following an earlier security lapse that exposed victims’ data. Another stalkerware operation linked to Zuckerman, called SpyTrac, subsequently shut down following a TechCrunch investigation.

PhoneSpector and Highster, another two companies that are not known to have been hacked, also shut down after New York’s attorney general accused the companies of explicitly encouraging customers to use their software for illegal surveillance.

But a company closing doesn’t mean it’s gone forever. As with Spyhide and SpyFone, some of the same owners and developers behind a shuttered stalkerware maker simply rebranded.

“I do think that these hacks do things. They do accomplish things, they do put a dent in it,” Galperin said. “But if you think that if you hack a stalkerware company, that they will simply shake their fists, curse your name, disappear in a puff of blue smoke and never be seen again, that has most definitely not been the case.”

“What happens most often, when you actually manage to kill a stalkerware company, is that the stalkerware company comes up like mushrooms after the rain,” Galperin added.

There is some good news. In a report last year, security firm Malwarebytes said that the use of stalkerware is declining, according to its own data of customers infected with this type of software. Also, Galperin reports seeing an increase in negative reviews of these apps, with customers or prospective customers complaining they don’t work as intended.

But, Galperin said that it’s possible that security firms aren’t as good at detecting stalkerware as they used to be, or stalkers have moved from software-based surveillance to physical surveillance enabled by AirTags and other Bluetooth-enabled trackers.

“Stalkerware does not exist in a vacuum. Stalkerware is part of a whole world of tech-enabled abuse,” Galperin said.

Say no to stalkerware

Using spyware to monitor your loved ones is not only unethical, it’s also illegal in most jurisdictions, as it’s considered unlawful surveillance.

That is already a significant reason not to use stalkerware. Then there is the issue that stalkerware makers have proven time and time again that they cannot keep data secure — neither data belonging to the customers nor their victims or targets.

Apart from spying on romantic partners and spouses, some people use stalkerware apps to monitor their children. While this type of use, at least in the United States, is legal, it doesn’t mean using stalkerware to snoop on your kids’ phone isn’t creepy and unethical.

Even if it’s lawful, Galperin thinks parents should not spy on their children without telling them, and without their consent.

If parents do inform their children and get their go-ahead, parents should stay away from insecure and untrustworthy stalkerware apps, and use parental tracking tools built into Apple phones and tablets and Android devices that are safer and operate overtly.

Recap of breaches and leaks

Here’s the complete list of stalkerware companies that have been hacked or have leaked sensitive data since 2017, in chronological order:

Retina-X (2017, 2018)
FlexiSpy (2017)
Mobistealth (2018)
Spy Master Pro (2018)
SpyHuman (2018)
SpyFone (2018)
FamilyOrbit (2018)
mSpy (2018, 2024)
Xnore (2018)
Copy9 (2018)
MobiiSpy (2019)
KidsGuard (2020)
pcTattletale (2021)
Xnspy (2022)
Spyhide (2023)
TheTruthSpy (2021, 2022, 2023, 2024)
LetMeSpy (2023)
WebDetetive (2023, 2024)
OwnSpy (2023)
Oospy (2023)
Spytech (2024)

Updated on July 25 to include Spytech as the latest spyware to be breached.

If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides 24/7 free, confidential support to victims of domestic abuse and violence. If you are in an emergency situation, call 911. The Coalition Against Stalkerware has resources if you think your phone has been compromised by spyware.

Yahoo News Australia
Drivers warned of dangerous road act as 31,000 caught by new cameras
One state rolling out new detection technology has shown alarming results in its first month.
South China Morning Post
Chinese AI start-up Baichuan raises US$700 million from Alibaba, Tencent, Xiaomi
Baichuan AI, one of China's four so-called artificial intelligence (AI) tigers, raised about 5 billion yuan (US$687.6 million) in a new funding round that valued the start-up at more than 20 billion yuan, the company said on Thursday. The Beijing-based firm's latest round was backed by some of the biggest names in Chinese technology, including Alibaba Group Holding, Tencent Holdings and Xiaomi, along with some state-backed funds. Alibaba owns the South China Morning Post. China International Cap
South China Morning Post
Huawei plans tri-fold smartphone as Apple weighs foldable iPhone, reports say
The foldable smartphone market is set for a big boost amid reports that Apple is preparing a clamshell-style model, while Huawei Technologies may soon launch a tri-folding handset. Apple's top-down folding iPhone could come as early as 2026, according to a report by The Information on Wednesday. The US tech giant has reached out to Asian suppliers in recent months to make components for its first foldable handset, according to the report, citing anonymous sources. This would mark Apple's entry i
Fortune
OpenAI’s new SearchGPT takes aim at Google in the battle for AI search dominance. But will it win the war?
OpenAI’s launch of SearchGPT was a warning shot in the ongoing war to challenge Google and drive out AI upstarts like Perplexity.
Yahoo News UK
Company hires 'remote worker' who turns out to be North Korean hacker
A tech firm that hired a remote-working engineer for an IT team was shocked to discover that the ‘American’ worker was a North Korean hacker using a VPN.
Reuters
Apple's China smartphone shipments drop 6.7% as Huawei surges, data shows
BEIJING (Reuters) -Apple's smartphone shipments in China fell by 6.7% in the second quarter of 2024, as the tech giant faced intensifying competition from rivals like Huawei, according to data from market research firm Canalys. Apple's total shipments for the quarter ending in June stood at 9.7 million units, down from 10.4 million units in the same quarter last year, Canalys data shows. In contrast, Huawei's smartphone shipments surged 41% year-on-year to 10.6 milion in the quarter, bolstered by the launch of its new Pura 70 series in April.
Sky News
£7.7 million bounty offered in hunt for members of North Korea-backed hacking group
The UK, US and South Korea have accused a North Korea-backed cyber group of carrying out an online espionage campaign to steal military and nuclear secrets. The "Andariel" group has been compromising organisations around the globe as it attempts to get hold of sensitive and classified technical information and intellectual property data, according to the UK's National Cyber Security Centre (NCSC). The centre, along with the FBI in the US and South Korea's national intelligence service, have issued a joint warning and advisory note about Andariel's actions.
HuffPost
Stephen Colbert Taunts Trump With Absolutely Brutal Reminder About Melania
The "Late Show" host mocked the former president over one curious claim.
Yahoo News Australia
Passengers slammed over 'disturbing' train act attracting $500 fine
Commuters were noticeably annoyed by the disturbance, one man told Yahoo, and were 'shifting away' from the men in question.
HuffPost
'Trump Is Chicken': Critics Taunt 'Scared' Trump For Bailing On Debate
The former president put debate plans on pause, and critics are calling him out over it.
BuzzFeed
Kamala Harris' Press Release About Donald Trump's Fox News Appearance Is Going Viral
"Something about the question mark after 'old and quite weird' is taking me out."
Yahoo Sport Australia
Tennis world erupts over massive news about Novak Djokovic and Rafa Nadal at Olympics
Rafa Nadal has left the tennis world stunned. Find out more here.
NewsWire
Why Aussies being turned away from Bali
Hundreds of Aussie tourists are being denied entry into Indonesia’s island paradise for one reason.
NY Daily News
Harris campaign roasts Trump as ‘old and quite weird’ after Fox News insults
Republican presidential candidate Donald Trump called in to Fox News Thursday, where he told supporters that presumptive Democratic nominee Kamala Harris is a “radical left, not very smart person” who’s part of a massive conspiracy to weaponize the nation’s legal system against him. Harris’ campaign fired back mere minutes later with an email blasting the “78-year-old convicted criminal’s Fox ...
BuzzFeed
18 Famous "Childless Cat Ladies" And Their Thoughtful Reasons For Never Having Kids
Don't show this post to JD Vance.
Yahoo News Australia
Eerie dashcam footage captures ‘rare’ sight on Aussie highway
It's barely noticeable at first glance, but it could cost you your life – or at least a hefty repair bill – if you collide with it.
Evening Standard
FBI director suggests Donald Trump may not have been struck by bullet during assassination attempt at rally
FBI director Christopher Wray said investigators did not know whether Trump’s ear was grazed by a bullet or shrapnel
Hello!
Amanda Holden stuns in mini dress alongside lookalike daughters during Greek getaway
BGT judge Amanda Holden looked flawless as she holidayed with her mini-me daughters Lexi and Hollie. Take a look inside their lavish Greek getaway…
Parade
Nicole Scherzinger Sizzles in See-Thru Lace Dress With Risqué Chest Cutout in the French Riviera
The Pussycat Dolls singer showed off the racy look in spicy new social media snaps.
The Independent
Passenger refuses to let mother and child sit in her plane seat by providing controversial reason
‘As a very tall and big man, I have had this happen more than a few times,’ one commenter related to the Reddit post

A history of stalkerware hacks

Hacked, but unrepented

Say no to stalkerware

Recap of breaches and leaks

Latest stories