500,000 Stalkerware Users Just Got Exposed: When Spying on Others Backfires Spectacularly

A hacktivist successfully scraped payment records from over 500,000 stalkerware customers. Now the people who paid to spy on others are having their own data exposed. There’s poetic justice here—but also serious privacy implications for everyone.

The Hunters Become the Hunted

In February 2026, a hacktivist (operating under an anonymous handle) announced they had successfully scraped payment records from multiple stalkerware services. The haul: over 500,000 customer records, including names, email addresses, and payment information.

Stalkerware—sometimes euphemistically called “parental monitoring” or “employee tracking” software—allows someone to secretly monitor another person’s phone. Every text message, photo, location ping, and call gets silently forwarded to the stalker.

Now, the stalkers’ own data is in the wild.

“If you use stalkerware, you’re trusting some of the shadiest companies on the internet with extremely sensitive information,” security researcher Eva Galperin noted. “These companies have terrible security because they don’t have to compete on trust—their customers can’t exactly leave reviews.”

What Is Stalkerware?

Stalkerware refers to commercial surveillance apps designed to be installed on someone’s phone without their knowledge or meaningful consent. Once installed, these apps can:

  • Read all text messages (including those in encrypted apps like Signal)
  • Track GPS location in real-time
  • Access photos and videos
  • Record phone calls
  • Log keystrokes (capturing passwords)
  • Monitor social media activity
  • Activate microphone and camera remotely

The apps are designed to be invisible—running in the background with no icon, consuming minimal battery, and hiding from the app list.

The Market

Despite being illegal in most contexts, stalkerware is a thriving industry:

Company Type                 Primary Market        Annual Revenue (Est.)
“Parental control” apps      Parents, employers    $200M+
Overt stalkerware            Jealous partners      $50M+
Government-grade spyware     Law enforcement       $1B+

The lines between categories are often blurry. Many “parental control” apps function identically to stalkerware and are marketed with winking references to “monitoring your spouse” or “catching a cheater.”

The Breach: What Was Exposed

According to initial reports, the scraped data includes:

Confirmed exposed:

  • Email addresses used to create accounts
  • Payment card details (partial)
  • Subscription dates and lengths
  • In some cases, target device information

Potentially exposed (varying by service):

  • Full names and billing addresses
  • Phone numbers
  • Account login credentials
  • Customer support communications

The hacktivist claims to have data from multiple stalkerware services, suggesting a coordinated campaign targeting the entire industry.

The Privacy Paradox

This breach creates a fascinating privacy paradox. Let’s consider the implications:

For Stalkerware Users (the “Stalkers”)

People who paid for stalkerware are now having their own data exposed. This includes:

  • Abusive partners who use stalkerware for coercive control
  • Suspicious spouses who violated their partner’s privacy
  • Helicopter parents who secretly monitor adult children
  • Employers who illegally surveilled employees’ personal devices

Many will argue these people deserve exposure—they paid to violate others’ privacy and are now experiencing the consequences.

But there are complications:

  • Some users may have had legitimate purposes (monitoring company devices with consent)
  • Exposure could lead to vigilante justice or harassment
  • Payment information could enable financial fraud
  • The breach enables additional privacy violations, not justice

For Stalkerware Victims

For people whose phones were monitored, this breach offers mixed news:

Potentially helpful:

  • Victims might discover they were being monitored
  • Evidence for legal proceedings
  • Validation that their suspicions were correct

Potentially harmful:

  • Abusers might become violent if exposed
  • Discovery could trigger dangerous confrontations
  • Victims might not be ready or safe to act on the information

Domestic violence organizations are urging caution: “If you suspect your abuser is using stalkerware, contact a DV hotline before taking action. Safety planning is critical.”

Why Stalkerware Security Is Terrible

This breach isn’t surprising. Stalkerware companies consistently have awful security:

Previous stalkerware breaches:

  • 2019: mSpy leaked millions of records
  • 2020: Multiple services breached
  • 2022: SpyFone FTC action + data exposure
  • 2024: pcTattletale completely owned
  • 2026: 500K+ users from multiple services

Why it keeps happening:

  1. No accountability: Customers can’t complain publicly without admitting what they were doing
  2. Low trust requirement: The “product” works regardless of security
  3. Shady operators: Companies run by people comfortable enabling abuse aren’t prioritizing ethics
  4. Minimal investment: Why spend on security when your customers are already criminals?
  5. Jurisdictional arbitrage: Companies operate from countries with limited enforcement

“Using stalkerware means trusting some of the least trustworthy companies on the internet with your data,” said one security researcher. “That’s always going to end badly.”

How to Detect Stalkerware on Your Device

If you’re concerned someone may have installed stalkerware on your phone:

Android Warning Signs

  • Battery draining unusually fast
  • Unexplained data usage
  • Phone runs hot even when idle
  • Unknown apps in Settings > Apps (including system apps)
  • Device admin apps you don’t recognize
  • “Google Play Protect” disabled

iPhone Warning Signs

  • Battery issues
  • Device runs hot
  • Unknown configuration profiles (Settings > General > VPN & Device Management)
  • Unfamiliar apps
  • If someone knows your iCloud password, they may not need an app at all

Detection Steps

For Android:

  1. Check Settings > Apps > Show system apps for unfamiliar entries
  2. Review Settings > Security > Device admin apps
  3. Use anti-malware apps (some detect stalkerware)
  4. Check for unknown accessibility services
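
The Android checks above can also be run over output captured from a trusted computer with `adb shell pm list packages -3 -i` and `adb shell settings get secure enabled_accessibility_services`. The following is an added example, not part of the original article: it lists third-party apps that hold an enabled accessibility service but were not installed from a store. The store list, the skipping of preinstalled apps, and all sample package names are assumptions made for illustration.

```python
import re

# Installer package names treated as an app store. Assumption for this
# example: only Google Play; add an OEM store if the device ships with one.
STORE_INSTALLERS = {"com.android.vending"}
PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")

def parse_installers(pm_output):
    """Map package -> installer from `pm list packages -3 -i` output."""
    installers = {}
    for line in pm_output.splitlines():
        m = PKG_LINE.match(line.strip())
        if m:
            # "null" means no installer was recorded (typical for sideloads).
            installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers

def parse_accessibility(value):
    """Packages named in the colon-separated enabled_accessibility_services value."""
    value = value.strip()
    if value in ("", "null"):          # setting unset: no services enabled
        return set()
    return {comp.split("/", 1)[0] for comp in value.split(":") if comp}

def review_candidates(pm_output, a11y_value):
    """Third-party apps with an enabled accessibility service and no store installer."""
    installers = parse_installers(pm_output)
    flagged = []
    for pkg in sorted(parse_accessibility(a11y_value)):
        if pkg not in installers:      # not in the -3 list: preinstalled app
            continue
        if installers[pkg] not in STORE_INSTALLERS:
            flagged.append((pkg, installers[pkg] or "no installer recorded"))
    return flagged

# Constructed sample output (not from a real device).
SAMPLE_PM = """\
package:com.example.notes  installer=com.android.vending
package:com.example.syncservice  installer=null
package:com.example.reader  installer=com.android.vending
"""
SAMPLE_A11Y = ("com.example.syncservice/.core.WatchService:"
               "com.example.reader/com.example.reader.ReadAloud:"
               "com.example.oem.screenreader/.ScreenReaderService")

if __name__ == "__main__":
    for pkg, source in review_candidates(SAMPLE_PM, SAMPLE_A11Y):
        print(f"review: {pkg} (installer: {source})")
```

A flagged package is an entry to look at more closely in Settings, not a verdict; legitimately sideloaded apps appear here too.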

For iPhone:

  1. Review Settings > General > VPN & Device Management
  2. Change your Apple ID password from a different device
  3. Enable two-factor authentication
  4. Check for unfamiliar apps (including hidden home screens)

Important Safety Note

If you’re in an abusive relationship:

Removing stalkerware may alert your abuser. Before taking action:

  • Contact a domestic violence hotline
  • Develop a safety plan
  • Consider whether your abuser might become dangerous if they realize they’ve lost surveillance capability

National Domestic Violence Hotline: 1-800-799-7233

Stalkerware exists in a legal gray zone that’s slowly turning black:

What’s Illegal

United States:

  • Installing monitoring software on someone’s device without consent violates the Computer Fraud and Abuse Act
  • Intercepting communications violates federal wiretapping laws
  • Some states have specific stalkerware laws

European Union:

  • GDPR violations
  • Computer misuse laws
  • Potential criminal charges

Consequences for users:

  • Criminal charges (felony in many jurisdictions)
  • Civil liability
  • Restraining orders
  • Loss of custody in divorce proceedings

Enforcement Actions

The FTC has taken action against stalkerware companies:

  • SpyFone (2021): Banned from surveillance business
  • Support King (2022): Ordered to delete data and notify victims
  • Multiple ongoing investigations

However, enforcement remains limited. Many companies operate from overseas, rebrand frequently, and continue operating despite legal actions.

Protecting Yourself

If You Suspect Stalkerware

  1. Don’t confront your suspected abuser directly
  2. Contact a domestic violence resource
  3. Document evidence from a safe device
  4. Consider using a separate “clean” phone for sensitive communications
  5. Work with law enforcement if safe to do so

General Protection

  • Use strong, unique passwords for device and accounts
  • Enable two-factor authentication everywhere
  • Don’t share device PINs with anyone
  • Review app permissions regularly
  • Keep devices physically secure
  • Update your operating system (security patches often address stalkerware techniques)

For Concerned Parents

If you’re tempted to use monitoring software on your children:

  • Be transparent: Tell them monitoring is happening
  • Use built-in tools: iOS Screen Time, Google Family Link offer monitoring with transparency
  • Build trust instead: Open communication is more effective than surveillance
  • Consider the precedent: Normalizing surveillance prepares children to accept it from future partners

The Bigger Picture

This breach illuminates the toxic ecosystem of commercial surveillance:

Stalkerware companies profit from enabling abuse while providing terrible security to their customers.

Stalkerware users violate others’ privacy while trusting the least trustworthy companies with their own data.

Stalkerware victims have their most intimate moments exposed to abusers—and now potentially to hacktivists.

Everyone is worse off because this industry exists.

The 500,000 exposed users may face consequences ranging from embarrassment to criminal charges. But the real story is that stalkerware shouldn’t exist at all—and the people harmed most aren’t the customers being exposed, but the victims whose phones were violated in the first place.

What Happens Next

The hacktivist has hinted at releasing the data publicly, which would create additional waves of exposure and confrontation. Meanwhile:

  • Law enforcement may use the data for investigations
  • Divorce attorneys are likely paying attention
  • Stalkerware victims may finally learn the truth
  • Abusers may face consequences—or become more dangerous

If you’re affected by stalkerware—as a victim or someone who realizes they need to change their behavior—resources are available.

And if you’re considering installing surveillance software on someone’s device: this breach should be a warning. The people you’re trusting with that capability have no incentive to protect your secrets. Eventually, everything comes out.


Resources

Domestic Violence Support:

  • National Domestic Violence Hotline: 1-800-799-7233
  • thehotline.org

Stalkerware Detection:

  • Coalition Against Stalkerware: stopstalkerware.org
  • EFF’s Surveillance Self-Defense: ssd.eff.org

Report Stalkerware:

  • FBI: ic3.gov
  • FTC: reportfraud.ftc.gov

If you’re experiencing domestic abuse or coercive control, you’re not alone. Help is available 24/7.