Stalkerware Industry Plagued by Repeated Data Breaches, Exposing Victims and Abusers Alike Since 2017, at least 27 stalkerware companies apps marketed to jealous partners for covert surveillance have suffered hacks or major data leaks, exposing sensitive information from both customers and unwitting victims. The latest breach involves uMobix, whose payment data for over 500,000 customers was scraped and published online by a hacktivist targeting the industry’s unethical practices. ### A Pattern of Negligence and Exploitation Stalkerware apps like uMobix, Catwatchful, SpyX, Cocospy, mSpy, and pcTattletale enable illegal surveillance, often marketed as tools to "catch cheating partners." Yet their poor security has repeatedly led to massive data exposures, including: - Messages, photos, call logs, and GPS locations of victims. - Customer payment details, support tickets, and login credentials. - Real-time screenshots and audio recordings from monitored devices. In 2025 alone, Catwatchful, SpyX, Cocospy, Spyic, and Spyzie all suffered breaches, exposing millions of victims’ data. The trend extends back years, with mSpy (2024), Spytech (2024), and pcTattletale (2024) among the most high-profile cases. pcTattletale’s founder, Bryan Fleming, later pled guilty to hacking and unlawful surveillance charges after the company’s shutdown. ### Hacktivists vs. Stalkerware: A Decade of Disruption The first major stalkerware breaches occurred in 2017, when hackers targeted Retina-X and FlexiSpy, exposing 130,000 customers and wiping servers in an effort to dismantle the industry. Despite these attacks, many companies rebranded or persisted FlexiSpy remains active today, while others like Spyhide and TheTruthSpy have been hacked multiple times. Some breaches were accidental, like SpyFone’s 2018 leak of an unsecured Amazon S3 bucket containing texts, photos, and passwords. Others were deliberate acts of sabotage, such as the hacker who defaced pcTattletale’s website and leaked internal data after the app was used to monitor hotel check-in systems. ### Legal and Ethical Fallout While eight stalkerware companies have shut down due to breaches or legal action, others rebrand and resurface. The FTC banned SpyFone and its CEO in 2021 after a data exposure, and New York’s attorney general forced PhoneSpector and Highster to close for promoting illegal surveillance. Security experts, including Eva Galperin of the Electronic Frontier Foundation, note that stalkerware companies are "soft targets" due to their lax security and unethical business models. Even when apps are used "legally" (e.g., parental monitoring), their inherent insecurity puts all users at risk. ### A Declining but Persistent Threat While Malwarebytes reported a decline in stalkerware detections in 2023, experts warn that abusers may be shifting to physical tracking (e.g., AirTags) or harder-to-detect methods. The industry’s history of breaches, rebranding, and legal evasion suggests the problem remains far from resolved.

A hacker has broken into two consumer spyware companies. Firms that sell malware to everyday people, sometimes with the explicit intent of illegally spying on spouses or lovers and provided a large cache of data to Motherboard. The data includes gigabytes of customer records, apparent business information, and alleged intercepted messages of some people targeted by the malware. Once installed on a smartphone the attacker has physical access to Facebook chats and messages from a slew of other apps It can also track target’s GPS location.