A major data breach at the stalkerware app SpyX has exposed sensitive information on nearly two million people, including thousands of Apple users. The incident, which remained unreported until now, highlights the growing threat consumer-grade spyware poses to digital privacy.
The breach, traced back to June 2024, leaked millions of user records connected to SpyX and two of its clone apps, MSafely and SpyPhone. Despite the scale, the operators behind SpyX failed to notify affected users or respond to queries about the incident.
This breach marks the 25th time since 2017 that a mobile surveillance app has either leaked or exposed user data. The trend underscores how stalkerware continues to thrive while placing millions at risk.
Cybersecurity expert Troy Hunt, creator of the data breach alert site Have I Been Pwned, obtained two large text files containing the stolen data. The files exposed around 1.97 million unique accounts, including personal email addresses. Hunt revealed that most records belonged to SpyX users, while nearly 300,000 were tied to MSafely and SpyPhone. Shockingly, about 40% of those email addresses had already appeared in previous data breaches.
Hunt labeled the SpyX data breach as “sensitive” on Have I Been Pwned, ensuring that only affected users can check if their information was compromised. The SpyX operators ignored repeated contact attempts from TechCrunch, while their listed WhatsApp number was inactive.
SpyX, promoted as parental control software for both Android and iOS, operates like many other spyware tools, allowing secret surveillance. Such apps, often referred to as stalkerware or spouseware, collect private data without consent and are frequently misused in domestic abuse cases. Even when marketed under the guise of child monitoring, these apps enable invasive tracking.
SpyX, like similar apps, installs differently across devices. On Android, installation requires physical access to the device: the app is installed from unofficial sources after the phone’s security settings have been weakened. Meanwhile, iOS versions often rely on accessing a victim’s iCloud backups. With stolen Apple credentials, stalkerware apps continuously download private data such as messages, photos, and app usage directly from Apple servers.
One of the breached files specifically referenced iCloud data and contained over 17,000 plaintext Apple usernames and passwords. Hunt validated the authenticity of these records by contacting impacted users, several of whom confirmed the leaked details were correct.
Given the severe risk to victims, Hunt shared the compromised Apple account details with Apple prior to public disclosure. However, the tech giant declined to comment. It remains unclear whether other email-password pairs found in the breach provided access beyond the SpyX network.
Adding to the concerns, Google recently removed a Chrome extension linked to the SpyX operation. Google emphasized that both its Play Store and Chrome Web Store strictly ban malicious spyware and stalkerware apps. A spokesperson urged users to act swiftly if they suspect their Google accounts have been compromised.
If you’re concerned about stalkerware, there are several protective steps you can take:
For Android users, Google Play Protect is a vital security feature designed to detect and block malicious apps. Ensure it’s turned on in your device settings. Adding two-factor authentication (2FA) to your Google account significantly boosts your defense against spyware and unauthorized access.
On Apple devices, regularly check which devices are linked to your Apple account. Removing any unfamiliar devices can help prevent ongoing surveillance. It’s crucial to set a strong, unique password for your Apple ID and enable 2FA. If you suspect your iPhone or iPad has been physically accessed, change your device passcode immediately.
Anyone facing spyware threats linked to domestic violence can seek help. The National Domestic Violence Hotline offers 24/7 confidential support at 1-800-799-7233. In emergencies, call 911. Additionally, the Coalition Against Stalkerware provides resources for those concerned their devices may be compromised.