A shadowy industry exists for people who want to monitor and spy on their families. Multiple app makers promote software often called stalkerware to jealous partners, who can use these apps to remotely access their victims’ phones. Yet, despite the sensitivity of this personal data, an increasing number of these companies are losing huge amounts of it.
According to an ongoing tally, including the most recent data spill involving uMobix, there have been at least 27 stalkerware companies since 2017 known to have been hacked or to have leaked customer and victim data online. That is not a typo. Dozens of stalkerware companies have either been hacked or had a significant data exposure in recent years. At least four have been hacked multiple times.
The makers of uMobix and associated mobile tracking apps, like Geofinder and Peekviewer, are the latest stalkerware provider to expose sensitive customer data. A hacktivist scraped the payment information of more than 500,000 customers and published it online. The hacktivist said they did this to target stalkerware apps, following in the footsteps of groups who broke into Retina-X and FlexiSpy almost a decade ago.
The uMobix data leak comes after last year’s breach of Catwatchful, which compromised the phone data of at least 26,000 victims. Catwatchful was just one of several stalkerware incidents in 2025, which also included SpyX and the data exposures of the Cocospy, Spyic, and Spyzie surveillance operations. These incidents left messages, photos, call logs, and other personal and sensitive data of millions of victims exposed online, according to a security researcher who found a bug that allowed access to that data.
Prior to 2025, there were at least four massive stalkerware hacks in 2024. The last stalkerware breach in 2024 affected Spytech, a little-known spyware maker based in Minnesota, which exposed activity logs from the phones, tablets, and computers monitored with its spyware. Before that, a breach at mSpy, one of the longest-running stalkerware apps, exposed millions of customer support tickets, which included the personal data of millions of customers.
Previously, an unknown hacker broke into the servers of the U.S.-based stalkerware maker pcTattletale. The hacker stole and leaked the company’s internal data and defaced its official website to embarrass the company. The hacker referenced a report where pcTattletale was used to monitor several front desk check-in computers at a U.S. hotel chain. As a result, pcTattletale founder Bryan Fleming said he was shutting down his company. Earlier this year, Fleming pled guilty to charges of computer hacking, the sale and advertising of surveillance software for unlawful uses, and conspiracy.
Consumer spyware apps like uMobix, Catwatchful, SpyX, Cocospy, mSpy, and pcTattletale are commonly called stalkerware because jealous spouses and partners use them to surreptitiously monitor their loved ones. These companies often explicitly market their products as solutions to catch cheating partners by encouraging illegal and unethical behavior. Multiple court cases, media investigations, and surveys of domestic abuse shelters show that online stalking and monitoring can lead to real-world harm and violence.
That is partly why hackers have repeatedly targeted some of these companies. Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation, said the stalkerware industry is a soft target. She stated that the people who run these companies are perhaps not the most scrupulous or concerned about the quality of their product. Given the history of compromises, that may be an understatement. Because of the lack of care for protecting their own customers, and consequently the personal data of tens of thousands of unwitting victims, using these apps is doubly irresponsible. The customers may be breaking the law, abusing their partners, and putting everyone’s data in danger.
The flurry of stalkerware breaches began in 2017 when hackers breached the U.S.-based Retina-X and the Thailand-based FlexiSpy back to back. Those hacks revealed the companies had a total of 130,000 customers worldwide. The hackers claimed responsibility, saying their motivation was to expose and help destroy an industry they consider toxic and unethical. One hacker involved said they wanted to burn them to the ground.
Despite the hack and years of negative attention, FlexiSpy is still active today. The same cannot be said about Retina-X. The hacker who broke into Retina-X wiped its servers to hamper its operations. The company bounced back, only to be hacked again a year later. A couple of weeks after the second breach, Retina-X announced it was shutting down.
Just days after the second Retina-X breach, hackers hit Mobistealth and SpyMaster Pro, stealing gigabytes of customer and business records, as well as victims’ intercepted messages and precise GPS locations. Another vendor, India-based SpyHuman, encountered the same fate a few months later, with hackers stealing text messages and call metadata.
Weeks later, there was the first case of accidental data exposure, rather than a hack. SpyFone left an Amazon-hosted storage bucket unprotected online, meaning anyone could view and download text messages, photos, audio recordings, contacts, location data, scrambled passwords, Facebook messages, and more. All that data was stolen from victims who did not know they were being spied on.
Apart from uMobix, other stalkerware companies that have irresponsibly left customer and victim data online include FamilyOrbit, which left 281 gigabytes of personal data online protected only by an easy-to-find password; mSpy, which leaked over 2 million customer records in 2018; Xnore, which let any customer see the personal data of other customers’ targets; and MobiiSpy, which left 25,000 audio recordings and 95,000 images on a server accessible to anyone.
The list continues. KidsGuard in 2020 had a misconfigured server that leaked victims’ content. pcTattletale, prior to its 2024 hack, exposed screenshots of victims’ devices uploaded in real-time to a publicly accessible website. Xnspy had credentials and private keys left in the apps’ code, allowing access to victims’ data. Spyzie, Cocospy, and Spyic left victims’ messages, photos, call logs, and other personal data, as well as customers’ email addresses, exposed online. Catwatchful exposed the full database of customer email addresses and plaintext passwords.
Regarding other stalkerware companies that were actually hacked, apart from SpyX in 2025, there was Copy9, where a hacker stole the data of all its surveillance targets. LetMeSpy shut down after hackers breached and wiped its servers. The Brazil-based WebDetetive also had its servers deleted and then hacked again. There was also OwnSpy, which provides back-end software for WebDetetive and was hacked. Spyhide had a vulnerability that allowed a hacker to access back-end databases and years of data on around 60,000 victims. Oospy, a rebrand of Spyhide, shut down for a second time. Finally, there is TheTruthSpy, a network of stalkerware apps that holds the dubious record of having been hacked or having leaked data on at least three separate occasions.
Of these 27 stalkerware companies, eight have shut down. In a unique case, the Federal Trade Commission banned SpyFone and its chief executive from operating in the surveillance industry following a security lapse. Another linked operation called SpyTrac shut down following an investigation. Last year, the FTC upheld its ban on that executive.
PhoneSpector and Highster, two stalkerware apps not known to have been hacked, also shut down after New York’s attorney general accused them of explicitly encouraging illegal surveillance. But a company closing does not mean it is gone forever. As with Spyhide and SpyFone, some owners and developers behind shuttered stalkerware makers simply rebranded.
Eva Galperin said that while hacks put a dent in these companies, they often reappear. She noted that when you manage to kill a stalkerware company, it often comes back like mushrooms after the rain.
There is some good news. A 2023 report from security firm Malwarebytes said the use of stalkerware is declining according to its data. Also, Galperin reports an increase in negative reviews of these apps, with customers complaining they do not work as intended. But Galperin said it is possible security firms are not as good at detecting stalkerware, or stalkers have moved to physical surveillance enabled by Bluetooth trackers. She emphasized that stalkerware is part of a whole world of tech-enabled abuse.
Using spyware to monitor your loved ones is not only unethical, it is also illegal in most jurisdictions, as it is considered unlawful surveillance. That is a significant reason not to use stalkerware. Then there is the issue that stalkerware makers have proven time and again they cannot keep data secure, neither customer data nor victim data.
Apart from spying on romantic partners, some people use stalkerware apps to monitor their children. While this use is legal in the United States, it can still be creepy and unethical. Even if used lawfully, Galperin thinks parents should not spy on their children without telling them and without their consent. If parents do inform their children, they should stay away from insecure stalkerware apps and use the safer, overt parental tracking tools built into Apple and Android devices.

