Consumer-grade spyware operation SpyX has been identified on the data breach notification site have I been pwned? as experiencing a data breach in June 2024 that compromised almost 2 million unique email addresses. Among those, interestingly, were thousands of Apple users.
The incident highlights not only the structural vulnerabilities of such applications (apps) but also how Apple‘s famously robust security practices don’t always make them immune from attacks. More troubling, however, is the nine months between the breach and the incident, with that information coming to light emerging through media reporting rather than the affected organization’s disclosure or communication with affected users.
The Irony Isn’t Lost
As Javvad Malik, Lead Security Awareness Advocate at KnowBe4, succinctly stated when commenting on this case how, “the irony of an entity purporting to offer surveillance capabilities itself falling prey to a breach is not lost with this one.”
SpyX is a phone monitoring app for Android and iOS. Such apps have become popular due to the proliferation of mobile phone usage among children, young people, and vulnerable adults, which has resulted in parents, family members, and responsible adults looking for ways to monitor their digital activities.
While these powerful tools can be helpful in combatting harmful practices like cyberbullying, the main uses typically include managing online activities, monitoring communications, and tracking real-time locations.
Small Details
Although details around the breach are minimal, TechCrunch reported that Troy Hunt, owner of the Have I Been Pwned website, received two text files containing 1.97 million unique account records with associated email addresses. Hunt told TechCrunch that most of the email addresses were associated with SpyX, and that the cache also included less than 300,000 email addresses associated with two near-identical clones of the SpyX app called Msafely and SpyPhone.
Detailing the attack on his website, Hunt dated the breach to June 24, 2024, adding that it was uploaded to the site on March 19, 2025. He listed the compromised data as device information, email addresses, geographic locations, IP addresses, and passwords. Additionally, it was noted that “a collection of iCloud credentials likely used to monitor targets directly via the cloud were also in the breach and contained the target’s email address and plain text Apple password.”
Not-so Rosey Apples
While Apple had yet to confirm the validity of the account usernames and passwords affected by the incident when TechCrunch published its article, they released a brief statement in which a spokesperson said that “in this case, fewer than 250 iCloud users were impacted, and we immediately secured their accounts.” As reassuring as that may be, it will still concern Apple users, who were thought to be more protected against cybersecurity threats than users of Android devices.
On the Apple platform, the breach exploited iCloud backups, providing continuous remote access to threat actors if a victim’s credentials are procured. Hunt contacted subscribers to his platform whose Apple Account email addresses and passwords he identified in the data to see if he could gain clarification over whether the data he had was valid. He told TechCrunch that “several people confirmed that the information he provided was accurate.”
Communication is Key
Adam Pilton, Senior Cybersecurity Consultant at CyberSmart, believes that “the concerning elements of this breach are the 17,000 distinct sets of plain text Apple account usernames and passwords that have been revealed. These credentials could potentially allow cybercriminals access to children’s Apple accounts and iClouds; this could include their messages and photos.”
Regarding the lack of communication between SpyX and its customers, he says such a void is “absolutely shocking.” He goes on to add that “there’s no indication that their customer base we’re ever notified of this breach and the potential impact it could have on them and their families. Nor is there any suggestion that they want to be contacted with the WhatsApp number listed on their website shown as not being registered on WhatsApp.”
Adam Parlett is a cybersecurity marketing professional who has been working as a project manager at Bora for over two years. A Sociology graduate from the University of York, Adam enjoys the challenge of finding new and interesting ways to engage audiences with complex Cybersecurity ideas and products.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.