A data breach occurred at SpyX, a consumer-grade spyware operation, last year, according to information obtained by TechCrunch. The breach exposed records of nearly two million individuals, including thousands of Apple users, who were affected by SpyX and two other related mobile apps at the time of the incident.

The data breach, which dates back to June 2024, had not been previously reported, and there is no evidence that SpyX’s operators notified their customers or the individuals targeted by the spyware about the incident.

The SpyX family of mobile spyware is now the 25th mobile surveillance operation since 2017 to have experienced a data breach or exposed its victims’ or users’ data, highlighting the ongoing risks associated with the consumer-grade spyware industry. This incident underscores the need for increased awareness and vigilance in protecting personal data.

The breach also provides rare insight into how stalkerware, such as SpyX, can target Apple customers, exploiting vulnerabilities in their devices and accounts.

Troy Hunt, founder of the data breach notification site Have I Been Pwned, received a copy of the breached data, which consisted of two text files containing 1.97 million unique account records with associated email addresses. The majority of these email addresses were linked to SpyX, while approximately 300,000 were associated with two near-identical clones of the SpyX app, MSafely and SpyPhone.

Hunt noted that about 40% of the email addresses were already listed in Have I Been Pwned, indicating that they had been compromised in previous data breaches.

As with previous spyware breaches, Hunt marked the SpyX data breach in Have I Been Pwned as “sensitive,” allowing only the affected individuals to check if their information was part of the breach.

The operators behind SpyX did not respond to TechCrunch’s inquiries about the breach, and a WhatsApp number listed on SpyX’s website was found to be unregistered.

Another Spyware, Another Breach

SpyX is marketed as mobile monitoring software for Android and Apple devices, purportedly designed for parental control. However, surveillance malware like SpyX is often referred to as stalkerware or spouseware, as it can be used to spy on individuals without their knowledge or consent.

Consumer-grade spyware, including stalkerware, typically operates in one of two ways. Android apps like SpyX require physical access to the device and knowledge of the passcode to install, while Apple devices can be compromised through iCloud backups.

Apple’s stricter app store policies and security measures make it more challenging for stalkerware to be installed directly on iPhones and iPads. Instead, these apps often rely on accessing iCloud backups, which can contain a vast amount of personal data, including messages, photos, and app data.

According to Hunt, one of the breached files contained approximately 17,000 distinct sets of plaintext Apple Account usernames and passwords, which were likely used to access iCloud backups.

Hunt verified the authenticity of the breached data by contacting Have I Been Pwned subscribers whose Apple Account email addresses and passwords were found in the data. Several individuals confirmed that the information was accurate, highlighting the potential ongoing risk to victims.

Given the sensitive nature of the breach, Hunt provided the list of breached iCloud credentials to Apple prior to publication. Apple did not comment on the matter when contacted by TechCrunch.

The rest of the email addresses and passwords found in the breached text files were less clearly linked to working credentials for any service other than SpyX and its clone apps.

Meanwhile, Google removed a Chrome extension linked to the SpyX campaign, citing its policies against malicious code, spyware, and stalkerware.

“If a user suspects their Google Account has been compromised, they should take immediate action to secure it,” Google spokesperson Ed Fernandez told TechCrunch.

How to Look for SpyX

TechCrunch has a spyware removal guide for Android users that can help identify and remove common types of phone monitoring apps. It is essential to have a safety plan in place, as disabling the app may alert the person who installed it.

For Android users, enabling Google Play Protect can help protect against Android malware, including unwanted phone surveillance apps. Two-factor authentication can also provide an additional layer of security for Google accounts.

iPhone and iPad users can check and remove any unrecognized devices from their account, ensure their Apple account uses a strong and unique password, and enable two-factor authentication. If you suspect your device has been physically compromised, it is recommended to change your passcode.


If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides 24/7 free, confidential support to victims of domestic abuse and violence. If you are in an emergency situation, call 911. The Coalition Against Stalkerware has resources available if you suspect your phone has been compromised by spyware.

