A major data breach has exposed the records of nearly two million users linked to the consumer-grade spyware operation SpyX, TechCrunch reports.
The breach, which dates back to June 2024, was never publicly reported, and SpyX’s operators failed to notify their customers or the individuals targeted by the spyware.
SpyX, along with two related spyware apps—MSafely and SpyPhone—had vast amounts of sensitive user data, including email addresses and iCloud credentials. Cybersecurity expert Troy Hunt, founder of Have I Been Pwned, confirmed receiving a copy of the breached data containing 1.97 million unique account records. Among them, 17,000 plaintext Apple account usernames and passwords were exposed, indicating a significant risk for iPhone and iPad users.
Spyware Industry Faces Another Data Leak
This incident marks at least the 25th known spyware data breach since 2017, reinforcing concerns over the consumer spyware industry’s risks. Spyware like SpyX, often marketed as parental monitoring software, is frequently misused for stalkerware purposes, raising legal and ethical concerns. These apps typically secretly extract sensitive information from victims’ devices, sometimes without their knowledge.
Android spyware apps like SpyX require physical access to the target’s phone for installation, often bypassing security protections. However, on Apple devices, spyware often relies on stealing iCloud credentials to access backups, containing private messages, photos, and app data.
Hunt shared the leaked iCloud credentials with Apple to mitigate risks, though the company has not commented on the breach. Meanwhile, Google removed a Chrome extension linked to SpyX and reaffirmed its stance against spyware and stalkerware in its platforms.
