The mobile stalkerware operation SpyX has suffered a significant data breach, exposing information belonging to nearly two million individuals, including sensitive Apple iCloud credentials.
The breach, which occurred in June 2024 but only recently came to light, exposed approximately 1.97 million account records, including email addresses. Security researcher Troy Hunt, who runs the breach notification service Have I Been Pwned (HIBP), received and authenticated a copy of the leaked data. Most of the data originated from SpyX, but around 300,000 records were linked to the clone apps MSafely and SpyPhone. There is currently no indication that SpyX notified affected individuals about the breach.
Troy Hunt has begun loading the data into HIBP, so far uploading about 40% of the affected email addresses so users can check whether they were affected. Google confirmed that it has removed a Chrome browser extension associated with the SpyX platform. Initial reports suggested that roughly 17,000 Apple iCloud usernames and passwords were exposed in plain text; Apple has since stated that fewer than 250 iCloud accounts were affected and that those accounts have been secured.
The most sensitive part of the exposure is the Apple iCloud credentials. A valid iCloud username and password lets whoever holds them download the device's iCloud backups, which contain photos, messages, location history, and other personal data. The incident shows that iPhone users can be targeted without any malware on the device: the operator only needs the cloud credentials, and a leak of those credentials hands the same access to anyone who obtains the breach data. It also points to the poor security practices prevalent among stalkerware vendors, who stored these credentials in plain text.
Troy Hunt confirmed the authenticity of the leaked data. Apple acknowledged the exposure but stated that fewer than 250 accounts were affected and that it took action to secure them. Google reiterated that spyware and stalkerware are prohibited on its platforms. TechCrunch noted that SpyX is the 25th known spyware app to suffer a data breach or leak since 2017, a pattern of security failures across this sector.
Stalkerware apps like SpyX, often marketed as parental control tools, frequently operate in legal gray areas and pose significant privacy risks, enabling surveillance without the monitored person's knowledge. This breach shows that the risk is not limited to the surveillance itself: the vendors' failure to secure the data they collect exposes the victims a second time, to anyone who obtains the leak. The presence of Apple credentials shows that stalkerware reaches users across platforms, on iPhones typically by abusing iCloud backups rather than installing an app on the device. The lack of notification to affected users after such breaches is also a recurring pattern with these operations.
SpyX is an application marketed for monitoring device activity. Apps like these are often called "stalkerware" because they collect data (messages, location, calls, etc.) from a phone without the knowledge or ongoing consent of the person using it, and are frequently used for covert surveillance of partners or family members.
The breach exposed account records and email addresses associated with SpyX, MSafely, and SpyPhone accounts. It also included some Apple iCloud usernames and passwords in plain text.
SpyX appears to have accessed iPhone data not by installing an app on the phone but by obtaining the target's iCloud credentials and pulling data from their iCloud backups on Apple's servers. Because nothing is installed on the device, there is no app for the victim to discover, and the same credentials that SpyX stored are now in the hands of whoever holds the breach data.
Users concerned about exposure can check whether their email address is listed on Have I Been Pwned. Apple users whose credentials may have been compromised should immediately change their iCloud password to a strong, unique one, enable two-factor authentication, and review the devices signed in to their Apple Account, removing any they do not recognize. Enabling Apple's Advanced Data Protection end-to-end encrypts iCloud backups, so a leaked password alone no longer grants access to their contents. Android users should ensure Google Play Protect is active, avoid apps from untrusted sources, and review which apps hold device administrator or accessibility permissions, since stalkerware commonly relies on those to hide and collect data.