Last year, SpyX, a monitoring app designed to help parents track their children's online and offline activities, suffered a data breach. The breach, kept secret until March 2025, affected nearly 2 million people, according to our colleagues at TechCrunch.
SpyX is software that can be described as stalkerware. Once installed on a smartphone, it can monitor social networks (WhatsApp, Instagram, Snapchat, etc.), spy on calls, text messages, and GPS location, and access browsing history, record keystrokes, and capture all deleted content. It works on Android and iOS, but is obviously not available on the Play Store or the App Store. Customers of this type of software are generally called "stalkers."
Exposed iCloud credentials
As explained by researcher Troy Hunt, who created the Have I Been Pwned website, the exposed data includes nearly two million email addresses and more than 17,000 Apple IDs stored in plain text. The researcher explains that he received a copy of the breached data in the form of two files. He compared the data with those already listed on his website. Most of the email addresses are directly linked to SpyX, with fewer than 300,000 addresses associated with its clones Msafely and SpyPhone. About 40% of the email addresses were already listed on Have I Been Pwned.
The most concerning part of the leak concerns iPhone users. Troy Hunt discovered email addresses and Apple account passwords in the data. The developer was able to partially confirm the authenticity of the credentials. Using these, it is possible to access victims' iCloud backups, including their personal data, messages, and other sensitive information, such as photos or videos.
SpyX relied on Apple IDs to monitor its users' targets, without requiring installation on the iPhone. In fact, the stalkerware only had to monitor its target's actions through iCloud backups. It can in fact continuously retrieve the victim's latest backup from Apple's servers, which amounts to constantly spying on everything they do.
A recurring problem
This isn't the first time spyware has been the victim of a personal data leak. TechCrunch reports that this is already the 25th time stalkerware has been breached since 2017. Apps like mSpy, PCTattleTale, TheTruthSpy, Cocospy, Spyic, and Spyzie have also been implicated in similar leaks.
It is currently unclear what happened to the data stolen in the SpyX hack. It is unclear whether users' private information ended up in the hands of cybercriminals.
Source: TechCrunch
0 Comments