SpyX, a "stalkerware" or "spyware" app that watches kids' smartphones, has reportedly suffered a data breach exposing nearly 2 million users.

The breach exposed 1.97 million unique account records, including email addresses, IP addresses, countries of residence, device information and 6-digit PINs in the password field, data-breach tracker Have I Been Pwned reported Wednesday, although the breach occurred in June 2024.

Additionally, a "collection of iCloud credentials likely used to monitor targets directly via the cloud were also in the breach and contained the target's email address and plain text Apple password," said Have I Been Pwned, which received copies of the breached data.

Users can enter their email address on Have I Been Pwned's website to see if their information was exposed.

SpyX didn't immediately respond to ConsumerAffairs's request for comment.

Risks of spyware apps

The breach shows how spyware apps, which are used to track locations, calls, texts, social media and other activities, are increasingly putting people's data at risk.

SpyX marks the 25th data breach among surveillance apps since 2017, TechCrunch reports.

SpyX is among the surveillance apps advertised to parents that can be installed on smartphones without the owner's knowledge, but such apps can also be used to track spouses, which is typically illegal without permission.

"The irony of an entity purporting to offer surveillance capabilities itself falling prey to a breach is not lost with this one," said Javvad Malik, lead security awareness advocate at cybersecurity firm KnowBe4, in comments provided to ConsumerAffairs. "This breach not only exposes the victims to further risks but starkly highlights the inherent vulnerabilities within these spyware operations."

TechCrunch has a guide for removing spyware apps from Android devices.

For Apple users, TechCrunch said they should remove any devices they don't recognize from their account.

