While most companies rush to report security incidents, SpyX took a different approach. The consumer-grade spyware operation suffered a massive breach in June 2024 but kept quiet until March 2025. Nearly 2 million unique account records were exposed. No notifications. No warnings. Just silence. Typical for a company that makes its money helping people spy on others, right?
Nine months of silence after exposing 2 million accounts. Apparently, privacy matters only when it’s their own.
The breach affected SpyX and two related apps, MSafely and SpyPhone. These aren’t your average productivity tools. They’re marketed as “parental control” software but often serve as stalkerware – perfect for the jealous spouse or controlling partner. The software runs in complete stealth on target devices, with no visible icons or notifications to alert victims. What could possibly go wrong?
The exposed data is a privacy nightmare. Email addresses, IP addresses, device information – all out in the open. Worse yet, about 17,000 Apple iCloud credentials were compromised in plaintext. That’s username and password, no encryption, no protection. Just sitting there for anyone to grab and use. Security experts strongly recommend affected users change all passwords immediately and enable two-factor authentication for additional protection.
Troy Hunt, who received the breached data in two text files, added the information to Have I Been Pwned and classified it as “sensitive” – limiting access to affected individuals only. He also shared the compromised Apple credentials with Apple before going public. At least someone’s being responsible.
This marks the 25th mobile surveillance operation to suffer a data breach since 2017. You’d think they’d be better at security, considering their business model. Apparently not.
For the 40% of affected users whose email addresses were already listed in Have I Been Pwned, this is just another day ending in “y.” For everyone else, welcome to the club. Such breaches frequently result in keylogging attacks that can silently capture sensitive financial information from victims.
Google has removed a Chrome extension associated with SpyX. Too little, too late for those exposed. The breach highlights the inherent risks of consumer-grade spyware – not just for the victims being monitored, but for the users doing the spying. Ironic, isn’t it?