Spyware breach exposes 2 million records, including Apple users

A data breach at a spyware operation called SpyX has put nearly two million people at risk, including thousands of Apple users. The breach occurred in June 2024 but was not publicly reported until now. There is no evidence that SpyX informed its users about the incident. Troy Hunt, who runs a data breach notification website, received the leaked information. It includes almost two million unique account records and email addresses primarily connected to SpyX. Additionally, it contains records from two similar apps, MSafely and SpyPhone. About 40% of the email addresses were already in Hunt's database of breached accounts. SpyX is marketed as a monitoring tool for parents, but its usage often extends to spying on partners without consent. This practice is mostly illegal. Spyware like SpyX targets both Android and Apple devices. Android users typically have to download these apps from unofficial sources, while Apple users can have their data accessed through iCloud backups using their login information. Hunt found around 17,000 sets of Apple Account usernames and passwords in the leaked data. He verified the authenticity of this information and shared it with Apple before going public. Apple has not commented on the breach. Google has removed a Chrome extension linked to SpyX, emphasizing that their policies prohibit malicious software. They encourage users to take steps to secure their accounts if they suspect a breach. For those concerned they may be affected, it is advised to check for unwanted spyware, change passwords, and enable two-factor authentication. The National Domestic Violence Hotline provides support for victims of abuse, and additional resources are available for those worried about spyware on their devices.