27 Stalkerware Companies Hacked: The Security Disaster You Should Know About

The stalkerware industry has a security problem. Actually, it has 27 security problems—that’s how many companies in this space have been hacked or leaked sensitive data since 2017. The latest victim, uMobix, exposed payment information for over 500,000 customers after a hacktivist scraped their systems.

The Core Insight

The pattern is damning. Stalkerware companies—apps marketed for “monitoring” partners and family members—have repeatedly failed to protect the very data they’re designed to steal. FlexiSpy and Retina-X were hit back-to-back in 2017. TheTruthSpy has been compromised four separate times. SpyFone left an Amazon S3 bucket unprotected, exposing text messages, photos, audio recordings, and Facebook messages of people who never knew they were being surveilled.

“The people who run these companies are perhaps not the most scrupulous or really concerned about the quality of their product,” notes Eva Galperin, EFF’s director of cybersecurity. Given the track record, that’s diplomatic.

The hackers targeting these companies are often explicit about their motivations. The 2017 attackers said they wanted to “burn them to the ground.” One stated: “I hope they’ll fall apart and fail as a company, and have some time to reflect on what they did.”

But killing a stalkerware company doesn’t kill stalkerware. When one shuts down, Galperin observes, others “come up like mushrooms after the rain.” Spyhide became Oospy. SpyFone operators simply rebranded. The FTC’s ban on SpyFone founder Scott Zuckerman was upheld just last December.

Why This Matters

The dual harm here is worth examining carefully. Victims are surveilled by the stalkerware’s intended function—their messages, photos, and locations harvested without consent. Then they’re victimized again when that data leaks because the company storing it couldn’t be bothered with basic security.

For security professionals, the stalkerware ecosystem is a case study in misaligned incentives. These companies attract customers who want secrecy, which means the companies themselves operate in shadows. That makes responsible security practices unlikely and regulatory oversight difficult.

The technology isn’t particularly sophisticated. Many exposures came from misconfigured cloud storage, hardcoded credentials in app code, or simple authentication bypasses. The Catwatchful breach exposed plaintext passwords. pcTattletale was leaking screenshots in real-time to a publicly accessible website before it was even “hacked.”

Key Takeaways

  • 27 companies breached since 2017: At least four were compromised multiple times
  • Hacktivism works, sort of: Eight companies have shut down, including several after hacks
  • FTC took action once: SpyFone’s founder is now banned from the surveillance industry
  • Data exposure is dual-harm: Both customers and victims have their information leaked
  • Detection may be declining: Malwarebytes reports declining stalkerware numbers, but that might reflect worse detection rather than less usage
  • Physical tracking evolved: AirTags and Bluetooth trackers have partially replaced software-based stalking

Looking Ahead

The stalkerware problem isn’t getting solved by hacks alone. Even as companies shut down, new ones emerge. The fundamental dynamics—jealous partners willing to pay for surveillance, minimal regulatory enforcement, easy-to-build spyware—haven’t changed.

For individuals concerned about their devices: check for stalkerware indicators, use built-in parental controls if monitoring children (with their knowledge), and understand that any “secret” monitoring app probably has terrible security.

The broader lesson for the security community: when your business model depends on operating in the shadows, sunlight doesn’t just expose the business—it exposes everyone whose data you touched.


Based on analysis of “Hacked, leaked, exposed: Why you should never use stalkerware apps” – TechCrunch

Tags: privacy, stalkerware, security-breaches, hacktivism, surveillance
