Apple and Android Users Caught in SpyX Spyware Leak

A major data breach has revealed the personal information of almost 2 million individuals connected to the controversial stalkerware app SpyX.

The breach, which occurred in June 2024, remained under the radar until now, and there’s no sign that SpyX ever notified those affected. This incident not only highlights serious privacy concerns but also shows how stalkerware apps remain a significant cybersecurity threat.

SpyX, which is marketed as a parental control tool, functions like many other surveillance apps—collecting data from phones without the user’s knowledge.

While these apps are sometimes presented as tools for parents to monitor children’s activity, they are often misused to secretly spy on partners or others, raising serious ethical and legal issues.

Sensitive Apple Data Among the Breach

Security researcher Troy Hunt, who runs the breach alert service Have I Been Pwned, received a copy of the leaked data and confirmed its authenticity. The breach included nearly 2 million account records, with the majority linked to SpyX and the rest associated with two clone apps called Msafely and SpyPhone.

About 40% of the email addresses were already in Have I Been Pwned’s database, indicating that many users have been exposed in previous incidents as well.

One of the most alarming aspects of the breach is the inclusion of roughly 17,000 Apple iCloud usernames and passwords in plain text. These credentials can give attackers access to highly sensitive data stored in Apple’s cloud, such as photos, messages, and even GPS location.

Apple later confirmed that fewer than 250 iCloud accounts were affected and said those accounts were promptly secured.

This breach shows how stalkerware isn’t just an Android problem. Even Apple users—who are typically better protected through the App Store’s strict policies—can be vulnerable if their iCloud credentials are obtained.

SpyX appears to have accessed iPhone data not through direct app installation but by pulling information from iCloud backups.

Another Stalkerware App, Another Security Failure

SpyX is now the 25th known spyware app since 2017 to have exposed user or victim data through a breach or leak. These apps often operate in legal gray areas and fail to meet even basic standards of cybersecurity.

Even more troubling, the companies behind them rarely notify users when things go wrong. In this case, there’s no evidence that SpyX ever alerted affected people.

Google has taken some action, removing a Chrome extension linked to the SpyX platform. The company emphasized that spyware and stalkerware are banned from both the Chrome Web Store and Google Play and warned users to take immediate action if they suspect their accounts are compromised.

How to Protect Yourself

If you’re worried your device may be affected, there are steps you can take. Android users should make sure Google Play Protect is turned on and avoid downloading apps from unknown sources. If you suspect your device has been tampered with, be cautious—removing spyware may alert whoever installed it.

For Apple users, review the devices linked to your Apple ID and remove any you don’t recognize. Update your password to something strong and unique, and enable two-factor authentication. These steps can help lock down your account if your iCloud credentials were exposed.

Stalkerware apps like SpyX not only invade personal privacy but also pose real dangers when their own systems fail to protect stolen data. Consumers should be wary of apps that promise surveillance features and instead seek out safer, more transparent solutions for digital security.