Spyware SpyX alleged data breach exposes nearly 2 million users, including Apple accounts
"Data breach at stalkerware SpyX affects close to 2 million, including thousands of Apple users", 19 March 2025
A consumer-grade spyware operation called SpyX was hit by a data breach last year, TechCrunch has learned. The breach reveals that SpyX and two other related mobile apps had records on almost 2 million people at the time of the breach, including thousands of Apple users.
The data breach dates back to June 2024 but had not been previously reported, and there is no indication that SpyX’s operators ever notified its customers or those targeted by the spyware.
...
The breach also provides a rare look at how stalkerware like SpyX can target Apple customers.
Troy Hunt, who runs data breach notification site Have I Been Pwned, received a copy of the breached data in the form of two text files, which contained 1.97 million unique account records with associated email addresses.
Hunt said the vast majority of the email addresses are associated with SpyX. The cache also includes fewer than 300,000 email addresses associated with two near-identical clones of the SpyX app called Msafely and SpyPhone.
About 40% of the email addresses were already in Have I Been Pwned, Hunt said.
As with previous spyware breaches, Hunt marked the SpyX data breach in Have I Been Pwned as “sensitive,” which allows only the person with an affected email address to see if their information is part of this breach.
The operators behind SpyX did not respond to emails from TechCrunch with questions about the breach, and a WhatsApp number listed on SpyX’s website returned a message saying it was not registered with the messaging app.
Another spyware, another breach
SpyX is billed as mobile monitoring software for Android and Apple devices, ostensibly for granting parental control of a child’s phone.
Surveillance malware like SpyX also goes by the term stalkerware (and spouseware) because the operators sometimes explicitly promote their products as a way to spy on a spouse or domestic partner, which is broadly illegal without that person’s knowledge. Even when the operators don’t explicitly promote this illegal use, spyware apps share many of the same stealthy data-stealing capabilities.
Consumer-grade spyware, like stalkerware, usually works in one of two ways.
Apps that work on Android devices, including SpyX, are typically downloaded from outside of the official Google Play app store and require someone with physical access to a victim’s device — usually with knowledge of their passcode — to weaken its security settings and plant the spyware.
Apple has stricter rules about which apps can be on the App Store and run on iPhones and iPads, so stalkerware usually taps into a copy of the device’s backup found on Apple’s cloud storage service, iCloud. With a person’s iCloud credentials, stalkerware can continuously download the victim’s most recent backup directly from Apple’s servers. iCloud backups store the majority of a person’s device data, including messages, photos, and app data.
According to Hunt, one of the two files in the breached cache referred to iCloud in its filename and contained about 17,000 distinct sets of plaintext Apple Account usernames and passwords.
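The two files Hunt describes, an account list and a file of plaintext Apple Account credentials, are the shape of dump a breach-notification analyst has to deduplicate and route to the right identity provider. The script below is an added example, not code from the article or from Have I Been Pwned; the sample lines are constructed, and the list of Apple domains used to pick out Apple Account identifiers is an assumption, not something the article specifies. It normalises addresses, counts distinct email/password sets the way the 17,000 figure is counted, and never writes a password into the report it returns.

```python
"""Breach-dump triage: deduplicate account records, separate the credential
file, and summarise by provider so affected identity providers can be
notified. Added example with constructed sample data; not the SpyX data."""
from collections import Counter

# Constructed sample of an account-record file (one email per line),
# including a case variant, a blank line and a malformed entry.
SAMPLE_ACCOUNT_FILE = """\
alice@example.com
Alice@Example.com
bob@example.net

carol@example.org
not-an-email
"""

# Constructed sample of a credential file (email:password per line).
# Includes a duplicate pair, a password containing ':' and an empty password.
SAMPLE_ICLOUD_FILE = """\
dave@icloud.com:hunter2
erin@me.com:pass:with:colons
dave@icloud.com:hunter2
frank@icloud.com:
alice@example.com:pa55word
"""

# Assumption: domains treated as Apple Account identifiers for routing.
APPLE_DOMAINS = {"icloud.com", "me.com", "mac.com"}


def normalize_email(raw):
    """Lower-case and trim an address; return None for anything without a
    plausible local part and domain so malformed lines are dropped."""
    addr = raw.strip().lower()
    if "@" not in addr or addr.startswith("@") or addr.endswith("@"):
        return None
    return addr


def parse_account_file(text):
    """Return the set of unique, normalised addresses in an email-per-line file."""
    found = set()
    for line in text.splitlines():
        addr = normalize_email(line)
        if addr:
            found.add(addr)
    return found


def parse_credential_file(text):
    """Return distinct (email, password) pairs from an email:password file.
    Splits on the first ':' only so passwords containing ':' survive;
    empty passwords are dropped as noise."""
    pairs = set()
    for line in text.splitlines():
        user, sep, password = line.partition(":")
        addr = normalize_email(user)
        if not sep or not addr or not password:
            continue
        pairs.add((addr, password))
    return pairs


def domain_of(addr):
    return addr.rsplit("@", 1)[1]


def triage(account_text, credential_text):
    """Build a notification-oriented summary. Passwords are used only to
    count distinct sets and are not included in the returned report."""
    accounts = parse_account_file(account_text)
    pairs = parse_credential_file(credential_text)
    cred_emails = {addr for addr, _ in pairs}
    return {
        "unique_accounts": len(accounts | cred_emails),
        "credential_pairs": len(pairs),
        "credential_accounts": len(cred_emails),
        "by_provider": Counter(domain_of(a) for a in cred_emails),
        "apple_accounts": sorted(a for a in cred_emails
                                 if domain_of(a) in APPLE_DOMAINS),
        "overlap_with_account_file": len(accounts & cred_emails),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ACCOUNT_FILE, SAMPLE_ICLOUD_FILE).items():
        print(f"{key}: {value}")
```

The `apple_accounts` list is what would be handed to the provider for forced resets; the per-provider counter shows at a glance which other services hold accounts whose credentials may still be valid.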
...
Given the possibility of an ongoing risk to victims whose account credentials might still be valid, Hunt provided the list of breached iCloud credentials to Apple prior to publication.
Apple did not comment by press time when reached by TechCrunch prior to publication.
In a brief statement provided after publication, Apple spokesperson Sarah O’Rourke told TechCrunch: “When data breaches at other companies pose a risk to Apple accounts, our security teams work to rapidly investigate and protect our users. In this case, fewer than 250 iCloud users were impacted, and we immediately secured their accounts.”
As for the rest of the email addresses and passwords found in the breached text files, it was less clear if these were working credentials for any service other than SpyX and its clone apps.
Meanwhile, Google pulled down a Chrome extension linked to the SpyX campaign.
“Chrome Web Store and Google Play Store policies clearly prohibit malicious code, spyware and stalkerware, and if we find violations, we take appropriate action. If a user suspects their Google Account has been compromised, they should take recommended steps immediately to secure it,” Google spokesperson Ed Fernandez told TechCrunch.