A massive stalkerware data breach involving the mobile surveillance app SpyX has exposed sensitive information belonging to nearly two million people, including thousands of Apple users.
The breach, which occurred back in June 2024 but was never publicly disclosed, reveals just how widespread these consumer-grade spyware operations have become—and how often they fail to protect the very data they steal. SpyX is now the latest in a growing list of stalkerware services caught leaking data, marking the 25th known spyware breach since 2017.
According to cybersecurity expert Troy Hunt, who runs the data breach notification platform Have I Been Pwned, the leaked files contained nearly 1.97 million unique accounts tied to SpyX and two nearly identical clone apps—MSafely and SpyPhone. Hunt received the cache as two large text files, confirming that SpyX held the majority of these records.
Shockingly, one of the leaked files was labeled “iCloud” and included about 17,000 sets of Apple IDs and passwords in plain text, revealing that even Apple users weren’t safe from this operation. Hunt verified the authenticity of the data by reaching out to impacted individuals, some of whom confirmed their credentials were accurate.
The breach highlights the disturbing way stalkerware apps like SpyX operate. Marketed as “parental monitoring” tools, these apps often cross the line into invasive spying—targeting spouses, partners, or unsuspecting victims. While companies avoid directly promoting illegal surveillance, their software features make it easy to monitor private conversations, photos, locations, and more—all without consent.
SpyX’s Android version requires physical access to a device, allowing the installer to weaken its security and plant the app secretly. Meanwhile, on Apple devices, such spyware typically exploits iCloud backups. With stolen credentials, the stalkerware pulls recent iPhone or iPad backups straight from Apple’s servers—capturing texts, images, call logs, and app data.
What’s more troubling is that SpyX made no attempt to alert its users or victims of the breach. Repeated attempts by TechCrunch to contact SpyX went unanswered. Even the WhatsApp number listed on their website was inactive.
Google has since removed a Chrome extension linked to the SpyX operation, emphasizing that its platforms prohibit spyware and surveillance tools. “If we find violations, we take appropriate action,” a Google spokesperson said.
Hunt, who flagged the breach as highly sensitive in Have I Been Pwned, is allowing only impacted individuals to check if their information was exposed. Of the total emails leaked, roughly 40% were already known in his database from past breaches.
The breach also left Apple scrambling. Given the potential ongoing risk for anyone whose iCloud credentials were exposed, Hunt shared the list with Apple ahead of publication. However, Apple declined to comment.
This incident once again exposes the dangers of consumer-grade spyware apps—not just for those being targeted but also for the people deploying them. Stalkerware creators frequently fail to secure the data they collect, turning both users and victims into potential breach casualties.
For those concerned about SpyX or similar apps, experts recommend securing accounts with two-factor authentication, regularly checking devices for unfamiliar apps, and reviewing connected devices on iCloud or Google accounts.
If you believe your phone has been compromised, take immediate action:
- Android users: Enable Google Play Protect and check for unknown apps.
- iPhone/iPad users: Update your Apple ID password, enable two-factor authentication, and review account-linked devices.
With the growing list of spyware breaches, it’s clear that these tools not only threaten privacy but also put users’ data at risk. As this SpyX incident shows, trusting stalkerware comes with more dangers than users might realize.
