SpyX, a mobile stalkerware application also operating under the clone brands MSafely and SpyPhone, suffered a data breach in June 2024 that was not publicly disclosed by the operator and was first reported by TechCrunch on March 19, 2025 after security researcher Troy Hunt received a copy of the breached data and shared the details with TechCrunch. SpyX's operators did not respond to TechCrunch's requests for comment, and the WhatsApp number listed for SpyX support was inactive. The breach was indexed by Have I Been Pwned on March 19, 2025.

The breach affected approximately 1.97 million unique customer account records based on records indexed by Have I Been Pwned, with the vast majority of the email addresses associated with the SpyX brand and approximately 300,000 records associated with the MSafely and SpyPhone clone applications. Compromised customer fields included email addresses, IP addresses, geographic location data (country of residence), device information, and 6-digit PINs stored in the password field. Critically, one of the two leaked text files referenced iCloud in its filename and contained approximately 17,000 distinct sets of plaintext Apple Account usernames and passwords belonging to monitoring targets (the people whose Apple devices were being surveilled through SpyX). Troy Hunt provided the iCloud credential list to Apple before public disclosure, and Apple subsequently confirmed that fewer than 250 iCloud users were still affected by valid credentials at the time of Apple's intervention.

For surveillance targets and customers alike, the practical risk profile is exceptionally severe. For surveillance targets whose Apple devices were being monitored through SpyX, the iCloud credential exposure creates ongoing account takeover risk that extends beyond SpyX itself, because the iCloud credentials may grant access to the target's email, messages, photos, contacts, calendar, and other Apple ecosystem data even if SpyX itself is removed. Affected Apple users should immediately change their Apple Account password, enable two-factor authentication if not already enabled, review and remove unrecognized devices from their Apple Account, and check for unauthorized device backups. The U.S. National Domestic Violence Hotline (1-800-799-7233) and the Coalition Against Stalkerware provide resources for individuals who suspect they may have been monitored. For customers (the people who purchased SpyX to surveil others), the breach exposed their identification as someone who purchased and used surveillance software, with potential employment, relationship, and legal consequences depending on the jurisdiction and the consent status of the surveillance target. The 6-digit PIN format of the customer passwords means brute-force recovery is essentially trivial for any account where the customer reused the same PIN on other services.

Covert monitoring platforms collect customer records, target-device identifiers, surveillance settings, and exfiltrated device activity tied to hidden mobile monitoring.

SpyX did not publicly acknowledge the June 2024 breach for approximately nine months, with neither customers nor surveillance targets receiving any notification before TechCrunch's March 2025 public reporting. SpyX operators did not respond to TechCrunch's requests for comment, and the WhatsApp number listed by SpyX for support was found to be inactive. Apple responded to the disclosure by securing the iCloud accounts of fewer than 250 users whose plaintext credentials remained valid at the time of disclosure, with Apple spokesperson Sarah O'Rourke confirming the action. Google pulled down a Chrome extension associated with the SpyX campaign following the disclosure. Approximately 40 percent of the email addresses in the SpyX dataset were already present in Have I Been Pwned's existing index, indicating substantial overlap with the customer bases of other previously breached stalkerware operations.