Major Stalkerware Data Breach Exposes 2 Million Users, Including Apple iCloud Credentials

A major data breach at SpyX, a mobile surveillance software company, has exposed nearly 2 million user records, including thousands of Apple iCloud credentials. The breach, which occurred in June 2024 but went unreported until now, reveals the growing risks of consumer-grade spyware.

According to Troy Hunt, founder of data breach notification service Have I Been Pwned, the exposed data included 1.97 million unique account records with associated email addresses. The breach also contained approximately 17,000 sets of plaintext Apple iCloud usernames and passwords.

The compromised data spans SpyX and two similar apps, Msafely and SpyPhone. About 40% of the affected email addresses were previously logged in Have I Been Pwned's database.

SpyX markets itself as parental control software for Android and Apple devices. However, such surveillance tools are often misused to secretly monitor spouses or partners without consent - a practice that is broadly illegal.

While Android-based stalkerware typically requires physical access to install the app, iPhone surveillance operates differently. These apps exploit iCloud backups, accessing victims' data directly from Apple's servers using stolen credentials.

The SpyX incident marks the 25th known data breach in the consumer-grade spyware industry since 2017. Despite the severity of the exposure, SpyX's operators have not notified affected customers or surveillance targets.

Google has removed a Chrome extension connected to SpyX. Apple received the list of compromised iCloud credentials prior to this disclosure but has not commented on the situation.

Given the ongoing risks, affected users are advised to change their passwords and review their account security settings. The breach has been marked as "sensitive" in Have I Been Pwned, so individuals can check only whether their own email addresses were exposed.