
A data breach at the spyware operation SpyX has exposed nearly 2 million user accounts, including thousands of Apple customers, revealing personal information such as email addresses, IP addresses, and even plaintext iCloud credentials.
The breach, which dates back to June 2024 but has only now come to light, underscores the ongoing risks of consumer-grade spyware and the lack of security measures taken by its operators.
The breach was discovered by security researcher Troy Hunt, the founder of Have I Been Pwned (HIBP), a data breach notification service. Hunt obtained two leaked text files containing 1.97 million unique account records, with the majority linked to SpyX, while nearly 300,000 belonged to its clones, MSafely and SpyPhone. Alarmingly, one of the files contained about 17,000 plaintext Apple Account credentials, potentially allowing unauthorized access to victims' iCloud backups. HIBP has since added the compromised data to its alerting system, marking it as “sensitive,” meaning only affected individuals can check if their data was included.
SpyX, a mobile surveillance tool marketed as a parental monitoring app for Android and iOS devices, operates similarly to other stalkerware applications. It enables users to secretly monitor a target's phone activity, often under the guise of child safety. For Android, the spyware must be manually installed, usually requiring physical access to the device. For iOS, it exploits iCloud backups, allowing continuous remote access if the target's credentials are obtained. These methods make such spyware highly invasive, and it is often misused for illegal surveillance, including domestic abuse and stalking.
The breach highlights ongoing security failures within the spyware industry. SpyX is now the 25th known surveillance operation to suffer a data breach since 2017. Despite handling sensitive user data, the operators failed to notify affected individuals and did not respond to media inquiries regarding the breach.
Google has taken action by removing a Chrome extension linked to the SpyX operation.
Protecting against SpyX and other spyware
Android users concerned about spyware on their devices should enable Google Play Protect, which can detect and block spyware. Checking installed apps for suspicious entries and reviewing app permissions is also recommended.
iPhone users should review their Apple account for unauthorized devices, change their Apple ID password if they suspect compromise, and ensure two-factor authentication (2FA) is enabled.
In general, spyware apps running in the background may cause random performance degradation and excessive device heating from CPU and network usage, so such signs should be investigated further.
This breach follows a similar incident involving spyware apps Cocospy and Spyic, which exposed the personal data of millions earlier this year.