Stalkerware SpyX data breach exposed 2 million people
Take action: People managing spyware platforms are not great at security. Check your phone from time to time, you may have spyware on it. And know that the vendors of these products are far from competent in securing their own application.
A data breach has impacted SpyX, a stalkerware/spyware platform, along with two related mobile apps (MSafely and SpyPhone).
SpyX markets itself as mobile monitoring software for Android and Apple devices, supposedly for parental control of children's phones. However, like other surveillance malware (commonly known as stalkerware or spouseware), it can be used to spy on spouses or domestic partners without their knowledge—a practice that is broadly illegal.
The breach occurred in June 2024 but remained unreported until March 2025 and exposed records of almost two million individuals. Troy Hunt, who operates the data breach notification site Have I Been Pwned, received the breached data as two text files containing 1.97 million unique account records with associated email addresses. The majority of these email addresses were connected to SpyX, while fewer than 300,000 were associated with the near-identical clone apps MSafely and SpyPhone. Approximately 40% of the compromised email addresses were already listed in Have I Been Pwned's database.
The breach also revealed about 17,000 distinct sets of plaintext Apple Account usernames and passwords, confirming that stalkerware like SpyX can target Apple customers. Hunt verified the authenticity of this data by contacting affected Have I Been Pwned subscribers, who confirmed the accuracy of their exposed information.
There is no indication that SpyX's operators ever notified their customers or the individuals targeted by the spyware about this breach. When TechCrunch attempted to contact SpyX with questions about the incident, they received no response to emails, and a WhatsApp number listed on SpyX's website returned a message stating it was not registered with the messaging app.
This spyware typically works in one of two ways:
- For Android devices: Apps like SpyX are typically downloaded from outside the official Google Play Store and require physical access to a victim's device—usually with knowledge of their passcode—to weaken security settings and install the spyware.
- For Apple devices: Due to Apple's stricter App Store rules, stalkerware typically accesses a copy of the device's backup stored on iCloud. With a person's iCloud credentials, stalkerware can continuously download the victim's most recent backup directly from Apple's servers, accessing messages, photos, and app data.
In response to the breach discovery, Google pulled down a Chrome extension linked to the SpyX campaign, stating that their policies "clearly prohibit malicious code, spyware and stalkerware."
How to protect yourself
For Android users:
- Enable Google Play Protect to help guard against Android malware
- Use two-factor authentication on Google accounts
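Because Android stalkerware is described above as typically installed from outside Google Play, one further check is to list third-party apps whose recorded installer is not the Play Store. The script below is an added example, not part of the original article; the sample listing and package names are constructed, and treating only `com.android.vending` (Google Play) as trusted is an assumption.

```shell
#!/bin/sh
# Added example: list third-party Android packages not installed by a trusted store.
# Real input comes from:  adb shell pm list packages -3 -i
#   -3 = third-party packages only, -i = show each package's installer

# Assumption: only Google Play counts as trusted; add your OEM store if needed.
TRUSTED_INSTALLERS="com.android.vending"

# Constructed sample of `pm list packages -3 -i` output (package names are made up).
# Lines end in CRLF because some adb versions emit carriage returns.
sample_listing() {
    printf '%s\r\n' \
        'package:com.example.chat  installer=com.android.vending' \
        'package:com.example.devicehealth  installer=null' \
        'package:com.example.notes  installer=com.android.vending' \
        'package:com.example.syncservice  installer=com.google.android.packageinstaller'
}

# Reads a listing on stdin and prints "<package><TAB><installer>" for each
# package whose installer is missing or not in TRUSTED_INSTALLERS.
find_sideloaded() {
    tr -d '\r' | awk -v trusted="$TRUSTED_INSTALLERS" '
        BEGIN { n = split(trusted, t, " "); for (i = 1; i <= n; i++) ok[t[i]] = 1 }
        /^package:/ {
            pkg = $1; sub(/^package:/, "", pkg)
            inst = "null"                      # no installer recorded
            for (i = 2; i <= NF; i++)
                if ($i ~ /^installer=/) { inst = $i; sub(/^installer=/, "", inst) }
            if (!(inst in ok)) print pkg "\t" inst
        }'
}

# Demo on the constructed sample; on a real device use:
#   adb shell pm list packages -3 -i | find_sideloaded
sample_listing | find_sideloaded
```

A flagged package is only a candidate for review: legitimately sideloaded apps appear in the same list, so check each entry against what you knowingly installed.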
For iPhone and iPad users:
- Check and remove any unrecognized devices from your account
- Use a long, unique password for your Apple account (preferably saved in a password manager)
- Enable two-factor authentication
- Change your device passcode if you suspect physical compromise