Data breach at stalkerware SpyX affects close to 2 million, including thousands of Apple users

A consumer-grade spyware operation called SpyX was hit by a data breach last year, TechCrunch has learned. The breach reveals that SpyX and two other related mobile apps had records on almost two million people at the time of the breach, including thousands of Apple users.
The data breach dates back to June 2024 but has not been previously reported, and there is no indication that SpyX’s operators ever notified its customers or those targeted by the spyware.
The SpyX family of mobile spyware is now, by our count, the 25th mobile surveillance operation since 2017 known to have experienced a data breach, or otherwise spilled or exposed their victims’ or users’ data, showing that the consumer-grade spyware industry continues to proliferate and put people’s private data at risk.
The breach also provides a rare look at how stalkerware like SpyX can also target Apple customers.
Troy Hunt, who runs data breach notification site Have I Been Pwned, received a copy of the breached data in the form of two text files, which contained 1.97 million unique account records with associated email addresses.
Hunt said the vast majority of the email addresses are associated with SpyX. The cache also includes fewer than 300,000 email addresses associated with two near-identical clones of the SpyX app called MSafely and SpyPhone.
About 40% of the email addresses were already in Have I Been Pwned, Hunt said.
As with previous spyware breaches, Hunt marked the SpyX data breach in Have I Been Pwned as “sensitive,” which allows only the person with an affected email address to see if their information is part of this breach.
The operators behind SpyX did not respond to emails from TechCrunch with questions about the breach, and a WhatsApp number listed on SpyX’s website returned a message saying it was not registered with the messaging app.
Another spyware, another breach
SpyX is billed as mobile monitoring software for Android and Apple devices, ostensibly for granting parental control of a child’s phone.
Surveillance malware like SpyX also goes by the term stalkerware (and spouseware) because sometimes the operators explicitly promote their products as a way to spy on a spouse or domestic partner, which is broadly illegal without that person’s knowledge. Even when the operators don’t explicitly promote this illegal use, spyware apps share many of the same stealthy data-stealing capabilities.
Consumer-grade spyware, like stalkerware, usually works in one of two ways.
Apps that work on Android devices, including SpyX, are typically downloaded from outside of the official Google Play app store and require someone with physical access to a victim’s device — usually with knowledge of their passcode — to weaken its security settings and plant the spyware.
Apple has stricter rules about which apps can be on the App Store and run on iPhones and iPads, so stalkerware usually taps into a copy of the device’s backup found on Apple’s cloud storage service, iCloud. With a person’s iCloud credentials, stalkerware can continuously download the victim’s most recent backup directly from Apple’s servers. iCloud backups store the majority of a person’s device data, including messages, photos, and app data.
According to Hunt, one of the two files in the breached cache referred to iCloud in its filename and contained about 17,000 distinct sets of plaintext Apple Account usernames and passwords.
Since the iCloud credentials in the breached cache clearly belonged to Apple customers, Hunt sought to confirm the authenticity of the data by reaching out to Have I Been Pwned subscribers whose Apple Account email addresses and passwords were found in the data. Hunt said several people confirmed that the information he provided was accurate.
Given the possibility of an ongoing risk to victims whose account credentials might still be valid, Hunt provided the list of breached iCloud credentials to Apple prior to publication. Apple did not comment when reached by TechCrunch.
As for the rest of the email addresses and passwords found in the breached text files, it was less clear if these were working credentials for any service other than SpyX and its clone apps.
Meanwhile, Google pulled down a Chrome extension linked to the SpyX campaign.
“Chrome Web Store and Google Play Store policies clearly prohibit malicious code, spyware and stalkerware, and if we find violations, we take appropriate action. If a user suspects their Google Account has been compromised, they should take recommended steps immediately to secure it,” Google spokesperson Ed Fernandez told TechCrunch.
How to look for SpyX
TechCrunch has a spyware removal guide for Android users that can help you identify and remove common types of phone monitoring apps. Remember to have a safety plan in place, given that switching off the app may alert the person who planted it.
For Android users, Google Play Protect is a useful security feature that can help to protect against Android malware, including unwanted phone surveillance apps. You can enable Google Play Protect from the Google Play app’s settings if it isn’t already enabled.
Google accounts are far better protected with two-factor authentication, which can guard against account and data intrusions. You should also know what steps to take if your Google account is compromised.
If you use an iPhone or iPad, you can check and remove any devices from your account that you don’t recognize. You should ensure that your Apple account uses a long and unique password (ideally saved in a password manager) and that your account also has two-factor authentication switched on. You should also change your iPhone or iPad passcode if you think someone may have physically compromised your device.
If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides 24/7 free, confidential support to victims of domestic abuse and violence. If you are in an emergency situation, call 911. The Coalition Against Stalkerware has resources if you think your phone has been compromised by spyware.