SpyX 2024 Data Breach
ObscureIQ Breach Intelligence
High SeverityWebsite / service breach
SpyX Mobile Stalkerware Breach (2024): 2 Million Operator Accounts Exposed :: iCloud Credentials of Monitoring Targets Also Found
Mobile spyware platform used to monitor devices and extract user data.
Verified by ObscureIQ Intelligence
73/100Breach Risk Index
40Data Value
25Market Recency
404dSince Breach
Breach Intelligence Summary
Entity: SpyX · Actor: Unknown (Troy Hunt received data; Apple/Google notified) · Sources: 2 references
Attack: Misconfiguration
Profile: Spyware / Stalkerware · Covert device monitoring and surveillance · Mobile spyware platform · Global
Timeline: Breach (2024-06-24) · Indexed (Mar 19, 2025) · Year (2024)
Exposure: 2.0M records · 5 fields: Device Information, Email Address, Geographic Location, IP Address, Password
Status: Confirmed
Executive Summary
SpyX, a mobile stalkerware application also operating under the clone brands MSafely and SpyPhone, suffered a data breach in June 2024 that was not publicly disclosed by the operator and was first reported by TechCrunch on March 19, 2025 after security researcher Troy Hunt received a copy of the breached data and shared the details with TechCrunch. SpyX's operators did not respond to TechCrunch's requests for comment, and the WhatsApp number listed for SpyX support was inactive. The breach was indexed by Have I Been Pwned on March 19, 2025. The breach affected approximately 1.97 million unique customer account records based on records indexed by Have I Been Pwned, with the vast majority of the email addresses associated with the SpyX brand and approximately 300,000 records associated with the MSafely and SpyPhone clone applications. Compromised customer fields included email addresses, IP addresses, geographic location data (country of residence), device information, and 6-digit PINs stored in the password field. Critically, one of the two leaked text files referenced iCloud in its filename and contained approximately 17,000 distinct sets of plaintext Apple Account usernames and passwords belonging to monitoring targets (the people whose Apple devices were being surveilled through SpyX). Troy Hunt provided the iCloud credential list to Apple before public disclosure, and Apple subsequently confirmed that fewer than 250 iCloud users were still affected by valid credentials at the time of Apple's intervention. For surveillance targets and customers alike, the practical risk profile is exceptionally severe. For surveillance targets whose Apple devices were being monitored through SpyX, the iCloud credential exposure creates ongoing account takeover risk that extends beyond SpyX itself, because the iCloud credentials may grant access to the target's email, messages, photos, contacts, calendar, and other Apple ecosystem data even if SpyX itself is removed. Affected Apple users should immediately change their Apple Account password, enable two-factor authentication if not already enabled, review and remove unrecognized devices from their Apple Account, and check for unauthorized device backups. The U.S. National Domestic Violence Hotline (1-800-799-7233) and the Coalition Against Stalkerware provide resources for individuals who suspect they may have been monitored. For customers (the people who purchased SpyX to surveil others), the breach exposed their identification as someone who purchased and used surveillance software, with potential employment, relationship, and legal consequences depending on the jurisdiction and the consent status of the surveillance target. The 6-digit PIN format of the customer passwords means brute-force recovery is essentially trivial for any account where the customer reused the same PIN on other services.
ObscureIQ assessment: Extremely sensitive. Exposure can reveal who was monitored and by whom, enabling domestic abuse escalation, stalking, and major privacy and safety harms.
Breach Impact
The institutional impact on SpyX has been moderate given the operator's silence and apparent continued operation. The case has been widely cited as the 25th known consumer-grade mobile surveillance breach since 2017 and as a particularly significant case because of the iCloud credential exposure for monitored Apple device targets. The exposure of iCloud credentials creates an unusual cross-platform risk because the credentials retain value beyond the SpyX surveillance use, potentially supporting account takeover of the targets' broader Apple ecosystem accounts. Apple's intervention to secure affected accounts, coupled with Google's removal of the associated Chrome extension, represents a notable platform-level response to a stalkerware breach. The case has been formally cited in cybersecurity coverage as illustrating the cross-platform reach of consumer-grade stalkerware and the persistent failure of these operators to notify affected populations.
About SpyX
SpyX is a mobile stalkerware application marketed as parental and device-monitoring software for Android and Apple devices, distributed under the spyx.com domain along with two near-identical clone applications branded as MSafely and SpyPhone. The application advertises real-time recording, video and audio capture, and screenshots of the target device, with the platform marketing itself as 'the best phone monitoring App.' For Android targets, SpyX requires physical access to the device to install the application and modify security settings. For Apple targets, SpyX exploits iCloud backups by acquiring the victim's Apple Account credentials, which allows the spyware operator to continuously download the victim's iCloud-stored device data including messages, photos, and app data without requiring physical access to the iPhone or iPad. As a stalkerware platform, SpyX maintains both customer accounts and target-device data including iCloud credentials used to access monitored Apple devices.
Why They Hold Your Data
Covert monitoring platforms collect customer records, target-device identifiers, surveillance settings, and exfiltrated device activity tied to hidden mobile monitoring.
Recent Developments
SpyX did not publicly acknowledge the June 2024 breach for approximately nine months, with neither customers nor surveillance targets receiving any notification before TechCrunch's March 2025 public reporting. SpyX operators did not respond to TechCrunch's requests for comment, and the WhatsApp number listed by SpyX for support was found to be inactive. Apple responded to the disclosure by securing the iCloud accounts of fewer than 250 users whose plaintext credentials remained valid at the time of disclosure, with Apple spokesperson Sarah O'Rourke confirming the action. Google pulled down a Chrome extension associated with the SpyX campaign following the disclosure. Approximately 40 percent of the email addresses in the SpyX dataset were already present in Have I Been Pwned's existing index, indicating substantial overlap with the customer bases of other previously breached stalkerware operations.
Data Points Exposed
5 verified field types
Device Information
Email Address
Geographic Location
IP Address
Password Critical
Field names are shown in full for clarity and search visibility. Canonical machine keys are emitted only in this page’s structured data.
Exploitation & Downstream Threats
Threat Activity:High
Primary downstream threats:
- Credential stuffing against reused passwords across other platforms
- Targeted phishing campaigns using exposed email addresses
- Doxxing risk from physical address exposure
Threat vectors:
- Device fingerprinting & targeted exploitation
- Phishing, credential stuffing & account takeover
- Pattern-of-life analysis & physical surveillance
- Geolocation & account flagging
- Credential stuffing & account takeover
Threat Actor: Unknown (Troy Hunt received data; Apple/Google notified)
Unknown (Troy Hunt received data; Apple/Google notified)
Misconfiguration
Attribution and method are based on available breach intelligence. Reported attack vector: Misconfiguration.
Recommended Actions
If you believe your information may be included:
Change Reused Passwords
Update this account and anywhere you reused the password; use a manager.
Enable MFA Everywhere
Turn on multi-factor authentication on email first, then financial accounts.
Report & Recover
If you spot misuse, start an official recovery plan and report fraud.
Frequently Asked Questions
What happened in the SpyX breach?▾
SpyX, a mobile stalkerware application also operating under the clone brands MSafely and SpyPhone, suffered a data breach in June 2024 that was not publicly disclosed by the operator and was first reported by TechCrunch on March 19, 2025 after security researcher Troy Hunt received a copy of the…
What data was exposed?▾
Verified fields include Device Information, Email Address, Geographic Location, IP Address, Password.
What should I do if I was affected?▾
Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.
Sources & References
Every claim on this page is traceable. This breach draws on:
Breach Index
ObscureIQ Intelligence
ObscureIQ proprietary analysis
Protect Yourself
Check If You're Affected
Enter your email to check whether your data appears in this breach. We’ll send a 6-digit code to confirm it’s your address.
Get Free Breach Alerts
Be the first to know when new breaches are disclosed. Free forever — confirm your email with a 6-digit code.
High-Risk? Get an Exposure Audit
Executives, public figures, and high-visibility operators can receive tailored exposure intelligence and hardening guidance.
Request Consultation