A massive data breach at consumer-grade spyware operation SpyX has compromised the personal information of nearly 2 million individuals, including thousands of Apple users with exposed iCloud credentials.
The breach, which occurred in June 2024 but remained unreported until March 2025, makes SpyX the 25th known mobile surveillance operation to suffer a security incident since 2017, highlighting persistent vulnerabilities within the stalkerware industry.
Security researcher Troy Hunt, who operates the data breach notification service Have I Been Pwned (HIBP), received two text files containing approximately 1.97 million unique account records with corresponding email addresses.
The compromised data primarily originated from SpyX users, with nearly 300,000 records linked to two nearly identical clones of the SpyX app – MSafely and SpyPhone.
SpyX Data Breach Exposing 2 Million Users' Personal Data
Around 40% of the exposed email addresses were already registered in HIBP’s database, indicating previous compromises.
Most alarmingly, the breach exposed roughly 17,000 sets of plaintext Apple Account usernames and passwords, creating significant security risks for affected iOS users.
Hunt verified the legitimacy of these credentials by contacting HIBP subscribers whose details appeared in the dataset. Several confirmed the accuracy of the information.
“The vast majority of the email addresses are associated with SpyX,” confirmed Hunt, who classified the breach as “sensitive” in HIBP, allowing only affected individuals to verify if their information was compromised.
This incident follows closely behind similar breaches affecting other stalkerware applications. In February 2025, Spyzie suffered a data breach alongside sibling services Cocospy and Spyic.
The Spyzie breach alone exposed 518,643 customer email addresses, which were provided to HIBP by a source requesting attribution to “[email protected].”
That breach reportedly enabled unauthorized access to captured messages, photos, call logs, and other sensitive user data.
SpyX and similar applications typically function by monitoring compromised devices stealthily. For Android systems, installation requires physical access and modifications to the security settings.
On Apple devices, the spyware accesses iCloud backups using cloud credentials, continuously retrieving recent backups containing messages, photos, and personal information.
Mitigations
Despite the severity of the breach, there is no indication that SpyX’s operators ever notified either their customers or the individuals targeted by the spyware. Before public disclosure, Hunt shared the list of compromised iCloud credentials with Apple to mitigate potential risks.
Google has removed a Chrome extension associated with SpyX, with spokesperson Ed Fernandez stating, “Policies of the Chrome Web Store and Google Play Store explicitly prohibit malicious software, spyware, and stalkerware.”
Cybersecurity experts recommend that potentially affected users immediately change their account credentials and enable multi-factor authentication.
Android users should consider enabling Google Play Protect, which can help guard against unwanted surveillance applications.