Apple
Apple has been named in 5 documented digital harm incidents. The most common harm domain is Privacy & Surveillance, followed by Fraud & Financial.
Documented Incidents
AI voice‑cloning scam targets Alabama grandparents over bail money
Scammers used AI‑generated voice technology to impersonate the great‑grandson of Frank and Alice Boren in Birmingham, Alabama, claiming he was injured and needed bail. The fraudsters provided a case number and attorney name, demanding over $11,000 before the family recognized inconsistencies. The incident was highlighted by the Alabama Securities Commission and demonstrated by InventureIT researcher Kevin Manning. Authorities warn that similar AI‑driven impersonation scams are rising nationwide.
Alvi Choudhury wrongfully arrested after Thames Valley Police facial recognition misidentification
Alvi Choudhury, a 26-year-old software engineer from Southampton, was wrongfully arrested on January 7, 2026 by Hampshire Constabulary acting on behalf of Thames Valley Police. TVP's retrospective facial recognition system matched Choudhury's mugshot — taken during a prior false arrest in 2021 — to CCTV footage of a thief who stole £3,000 and jewellery from a Milton Keynes Buddhist temple in December 2025. Choudhury was held in custody for approximately 10–11 hours before being released without charge after detectives reviewed his alibi. He had never visited Milton Keynes. TVP acknowledged the facial recognition system provided an initial match but stated the arrest decision was based on officers' own visual assessment. Choudhury, who is of South Asian descent, noted the suspect in the footage looked significantly different from him and has called for legislation governing police use of AI facial recognition. The software has a documented 4% false match rate for Asian faces versus 0.04% for white faces.
Stalkerware apps Cocospy and Spyic data breach exposes 2.65 million user accounts
Security researchers discovered a vulnerability in the stalkerware apps Cocospy and Spyic that allowed anyone to download personal data, including messages, photos, call logs and the email addresses of registered users. By exploiting the flaw, they scraped roughly 1.81 million Cocospy and 880,000 Spyic email addresses (about 2.65 million unique accounts) and shared the list with the Have I Been Pwned service. The apps route traffic through Cloudflare and store data on Amazon Web Services, and the breach is linked to the China‑based developer 711.icu; the operators have not responded to requests for comment and the bug remains unpatched.
NSO Group Found Liable for WhatsApp Pegasus Spyware Hacking in U.S. Court
NSO Group, a commercial spyware company, was found liable in a U.S. court for hacking WhatsApp users through its Pegasus software. The ruling marks the first time a spyware company has been held legally accountable in the U.S. for such actions. New evidence revealed that NSO used U.S.-based servers to deploy the spyware, leading to a $167 million damages verdict. The case involves Meta, Apple, and the Knight First Amendment Institute.
SpyX stalkerware data breach exposes nearly 2 million users and Apple iCloud credentials
In June 2024, the consumer‑grade spyware service SpyX suffered a data breach that was disclosed in March 2025, leaking roughly 1.97 million unique records. The leak included about 17,000 plaintext Apple iCloud usernames and passwords, as well as data from clone apps MSafely and SpyPhone, bringing the total compromised accounts to nearly 2 million. Security researcher Troy Hunt verified the breach through Have I Been Pwned, and Google subsequently removed a related Chrome extension. Affected users were urged to change passwords and enable multi‑factor authentication.