SpyX Data Breach Impacts Nearly 2 Million
SpyX, a consumer-grade spyware app marketed as parental monitoring software, has suffered a major data breach affecting nearly 2 million accounts, including those of thousands of Apple users. The breach occurred in June 2024 but remained unreported until now, with no notification issued to affected users. The compromised data includes email addresses, device details, IP addresses, and in some cases, Apple credentials in plain text.
Security researcher Troy Hunt, who operates the breach notification service Have I Been Pwned, confirmed receipt of the breached data in the form of two text files containing 1.97 million account records. The vast majority of the email addresses were associated with SpyX, while nearly 300,000 were linked to clone apps Msafely and SpyPhone.
One of the files referenced iCloud in its name, and contained roughly 17,000 sets of plaintext Apple account usernames and passwords. After reaching out to affected users, Hunt confirmed that the credentials were valid, prompting him to share the list with Apple ahead of the breach being made public.
Apple, in a follow-up comment to TechCrunch, stated, “Fewer than 250 iCloud users were impacted, and we immediately secured their accounts.” However, SpyX did not respond to any inquiries sent via email or its listed WhatsApp number, which was found to be inactive.
This incident marks the 25th time since 2017 that a mobile surveillance app has been breached. Google responded by removing a Chrome extension tied to SpyX and reaffirmed that its platforms “clearly prohibit malicious code, spyware and stalkerware.”
The breach follows a pattern seen across the spyware landscape — in February, we reported that the makers of another spyware app, pcTattletale, were forced to shut down entirely after hackers breached their systems.
Hunt marked the SpyX breach as “sensitive” on Have I Been Pwned, meaning only impacted users can check if they were affected. This incident once again highlights the spyware industry’s repeated failure to secure user data and the serious privacy risks it continues to pose.