SpyX Data Breach Exposes Nearly 2 Million Users’ Information, Including Apple Customers

• Almost 2 million users of the SpyX surveillance app had their accounts leaked online.
• Approximately 300,000 user emails were linked to two nearly identical clone apps, MSafely and SpyPhone.
• Among the exposed data are iCloud credentials with plain text passwords.

The SpyX spyware app exposed the personal information of nearly two million users, including thousands of Apple account credentials via a data breach that occurred in June 2024. Security researcher Troy Hunt analyzed the leaked data and confirmed it contained nearly 1.97 million unique records. 

Hunt added the 1,977,011 leaked accounts to his breach notification website Have I Been Pwned on March 19. These records primarily belonged to SpyX users, although approximately 300,000 were linked to two nearly identical clone apps, MSafely and SpyPhone.

The leaked data includes IP addresses, geographic locations, device information, and 6-digit PINs in the password field, as well as iCloud credentials with the email addresses and plain text Apple passwords. 

The leak is particularly concerning for Apple users. Unlike Android spyware, which often requires physical access to a device to install, stalkerware targeting Apple devices frequently relies on iCloud credentials. 

With these credentials, bad actors can download iCloud backups and continuously monitor a device's data. Hunt verified the authenticity of some leaked credentials in the cache by contacting affected users, indicating that the breach may still pose active risks for individuals with compromised accounts.

Despite the scale of the issue, SpyX has remained unresponsive to inquiries, offering no comment or acknowledgment of the breach.

SpyX, promoted as monitoring software for Android and Apple devices, is part of a growing network of so-called "stalkerware" apps. 

Often marketed as parental control tools, these apps can stealthily track device data and are sometimes misused to surveil spouses or partners without consent, which is illegal in many jurisdictions.

This incident follows other spyware leaks, as Spyic and its sibling, Cocospy, suffered a data breach this month. Together, they exposed the sensitive data of over 2.65 million users, including pictures and call logs.