One consumer-grade spying operation, SpyX, suffered a data breach that compromised nearly two million user records. The breach, which occurred in June 2024 but was not disclosed until recently, has drawn attention to privacy in mobile surveillance solutions. The hacked information includes email addresses and plaintext iCloud credentials, affecting thousands of Apple device users.
The SpyX operation is part of a growing category of surveillance software called stalkerware, which targets individuals without their authorization. An increasing number of individuals use these applications, ostensibly as parental control tools, but abuse them for illicit purposes such as monitoring their spouses and domestic partners. Since 2017 there have been 25 known consumer-grade spyware data breaches, demonstrating the rising trend of such incidents and the associated risks to personal data.
The breach exposed 1.97 million unique account records, most associated with the SpyX app. The compromised data also included email addresses linked to other applications, MSafely and SpyPhone, which share similarities with SpyX. About 40% of the affected email addresses were already listed in the data breach notification service Have I Been Pwned, a platform designed to help users identify whether their information has been exposed.
The exposed records included approximately 17,000 combinations of Apple iCloud credentials. These credentials contained usernames and passwords in plaintext, highlighting the vulnerability of Apple’s iCloud system.
Unlike similar spyware that targets Android systems, SpyX targets Apple users through their iCloud backups. Troy Hunt, the founder of Have I Been Pwned, confirmed the authenticity of the leaked data after reaching out to affected individuals.
SpyX and its clones are typically marketed as mobile monitoring software, primarily for Android and Apple devices. For Android, these applications often require physical access to the target device to install the spyware, which involves disabling security settings. This makes Android users particularly susceptible to physical surveillance.
Spyware works differently against Apple users. Rather than being installed on the device, it uses the victim’s iCloud credentials to access their data, including messages, photos, and app data. This method allows stalkerware operators to remotely access a person’s personal information without physical access to their device.
Despite the serious nature of the breach, SpyX operators have not responded to inquiries or notified affected users. Apple also has not provided information about the exposure of iCloud credentials. To address the issue, security advisors suggest that affected persons immediately secure their accounts and devices, including changing passwords, enabling two-factor authentication, and monitoring account activity for suspicious actions.