Hacked, leaked, exposed: Why you should never use stalkerware apps

There is a whole shady industry for people who want to monitor and spy on their families. Multiple app makers promote and advertise their software — often referred to as stalkerware — to jealous partners who can use these apps to access their victims’ phones remotely. Yet, despite how sensitive this personal data is, an increasing number of these companies are losing huge amounts of it.
A History of Stalkerware Breaches
According to TechCrunch’s ongoing tally, including the most recent data spill involving uMobix, at least 27 stalkerware companies since 2017 are known to have been hacked or to have leaked customers’ and victims’ data online. That’s not a typo. Dozens of stalkerware companies have either been hacked or had a significant data exposure in recent years. Alarmingly, at least four stalkerware companies were hacked multiple times, which highlights the ongoing risks to personal privacy.
The makers of uMobix and associated mobile tracking apps, like Geofinder and Peekviewer, are the latest stalkerware providers to expose sensitive customer data, after a hacktivist scraped the payment information of more than 500,000 customers and published it online. The hacktivist said this was intended as a way to go after stalkerware apps, following the steps of two groups of hacktivists that broke into Retina-X and FlexiSpy almost a decade ago.
The uMobix data leak comes after last year’s breach of Catwatchful, which compromised the phone data of at least 26,000 victims. Catwatchful was only one of several stalkerware incidents in 2025, which included SpyX and the data exposures of Cocospy, Spyic, and Spyzie surveillance operations. These events left messages, photos, call logs, and other personal data of millions of victims exposed online. According to a security researcher, bugs in these apps allowed easy access to this data.
Before 2025, several large-scale stalkerware hacks occurred in 2024. The last breach that year affected Spytech, a Minnesota-based spyware maker, which exposed activity logs from phones, tablets, and computers. Before that, mSpy, one of the longest-running stalkerware apps, exposed millions of customer support tickets, including personal data. An unknown hacker also broke into pcTattletale’s servers, stole and leaked internal data, and defaced the official website. After this, pcTattletale’s founder announced the shutdown of the company.
Why Stalkerware Fails to Keep Data Safe
Consumer spyware apps like uMobix, Catwatchful, SpyX, Cocospy, mSpy, and pcTattletale are often called “stalkerware” (or spouseware) because jealous spouses and partners use them to secretly surveil their loved ones. These companies explicitly market their products as tools to catch cheating partners, encouraging illegal and unethical behavior. Multiple court cases, media investigations, and surveys of domestic abuse shelters show that online stalking can escalate to real-world harm and violence.
That is in part why hackers have repeatedly targeted these companies. Eva Galperin, cybersecurity director at the Electronic Frontier Foundation, called the stalkerware industry a “soft target.” According to her, many people running these companies are not especially concerned about the product’s quality or security. Given the repeated history of data compromises, their lack of care for both customers and victims is obvious. Users are not only breaking the law and abusing partners, but they are also placing everyone’s data in danger.
High-profile stalkerware breaches began in 2017 with hacks on Retina-X and Thailand-based FlexiSpy. Those attacks revealed 130,000 customers worldwide. The hackers’ goal was to expose and hopefully destroy what they saw as a toxic, unethical industry. Retina-X could not recover after repeated attacks, while FlexiSpy continues to operate.
After those early incidents, a cascade of other breaches followed. For example, Mobistealth, Spy Master Pro, SpyHuman, and SpyFone all experienced significant data exposures. In some cases, companies left cloud storage exposed, making it easy for outsiders to download text messages, photos, call logs, and other private information. FamilyOrbit, mSpy, Xnore, MobiiSpy, KidsGuard, Xnspy, and TheTruthSpy had similar problems, often caused by poor coding or misconfigured servers.
Many companies are repeat offenders. For instance, TheTruthSpy has been hacked or has leaked data at least three separate times. Hackers have also targeted apps like LetMeSpy, WebDetetive, OwnSpy, Spyhide, Oospy, and more, taking data from tens of thousands of devices, including text messages, location data, phone calls, and passwords.
Despite these numerous breaches, just eight out of 27 known stalkerware companies have shut down. While the U.S. Federal Trade Commission banned SpyFone and its CEO from operating in the surveillance industry, some shuttered companies simply rebranded and continued business as usual.
There is some positive news. Security firm Malwarebytes reported in 2023 that the use of stalkerware is declining. Furthermore, there are increasing negative reviews from customers who find these apps unreliable. However, security researchers caution that some surveillance may now involve physical trackers, like AirTags, rather than traditional software.
Using spyware to monitor loved ones is not only unethical but illegal in most countries, as it constitutes unlawful surveillance. These companies have repeatedly shown they cannot keep data secure, whether it belongs to their customers or to their victims. Even parents using stalkerware to track children should avoid untrustworthy apps and instead use parental control features built into iPhone or Android devices.
If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) is available 24/7 for free and confidential support. If you suspect your phone is compromised by spyware, the Coalition Against Stalkerware offers resources at https://stopstalkerware.org/.
Tags: stalkerware, privacy, hacking, digital security, illegal apps, data leaks
