[BreachExchange] A Hacker Has Wiped a Spyware Company’s Servers—Again

Destry Winant destry at riskbasedsecurity.com
Fri Feb 16 21:34:28 EST 2018


Last year, a vigilante hacker broke into the servers of a company that
sells spyware to everyday consumers and wiped their servers, deleting
photos captured from monitored devices. A year later, the hacker has
done it again.

Thursday, the hacker said he started wiping some cloud servers that
belong to Retina-X Studios, a Florida-based company that sells spyware
products targeted at parents and employers, but that are also used by
people to spy on their partners without their consent.

Retina-X was one of two companies that were breached last year in a
series of hacks that exposed the fact that many otherwise ordinary
people surreptitiously install spyware on their partners’ and
children’s phones in order to spy on them. This software has been
called “stalkerware” by some. This spyware allows people to have
practically full access to the smartphone or computer of their
targets. Whoever controls the software can see the photos the target
snaps with their phone, read their text messages, or see what websites
they go to, and track their location.

A Retina-X spokesperson said in an email Thursday that the company
hasn’t detected a new data breach since last year. Friday morning,
after the hacker told us he had deleted much of Retina-X’s data, the
company again said it had not been hacked. But Motherboard confirmed
that the hacker does indeed have access to its servers.

Friday, Motherboard created a test account using Retina-X’s
PhoneSheriff spyware in order to verify the hacker’s claims. We
downloaded and installed PhoneSheriff onto an Android phone and used
the phone’s camera to take a photo of our shoes.

“I have 2 photos of shoes,” the hacker told us moments later.

The hacker also described other photos we had on the device, told us
the email account we used to register the account, and then deleted
the data from our PhoneSheriff account.

“None of this should be online at all,” the hacker told Motherboard,
claiming that he had deleted a total of 1 terabyte of data.

“Aside from the technical flaws, I really find this category of
software disturbing. In the US, it's mainly targeted to parents,” the
hacker said, explaining his motivations for going after Retina-X.
“Edward Snowden has said that privacy is what gives you the ability to
share with the world who you are on your own terms, and to protect for
yourself the parts of you that you're still experimenting with. I
don't want to live in a world where younger generations grow up
without that right.”

In the first Retina-X data breach last year, the hacker was able to
access private photos, messages, and other sensitive data from people
who were monitored using one of Retina-X’s products. The private data
was stored in containers provided by cloud provider Rackspace. The
hacker found the key and credentials to those containers inside the
Android app of PhoneSheriff, one of Retina-X’s spyware products. The
API key and the credentials were stored in plaintext, meaning the
hacker could take them and gain access to the server.

This time, the hacker said the API key was obfuscated, but it was
still relatively easy for him to obtain it and break in again. Because
he feared another hacker getting in and then posting the private
photos online, the hacker decided to wipe the containers again.
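The two breaches described above turn on the same defect: a cloud credential shipped inside the client app, first in plaintext and then behind obfuscation that was still reversible. As an added example that is not code from the article, from Retina-X or from Motherboard, the check below is the kind of pre-release gate a defender can run over their own build: it treats the APK as the zip archive it is, reads the text entries, and flags credential-like values whether they appear next to a key-like name or wrapped in base64, because encoding is not protection. The entry names, the key name and the key value are constructed placeholders, and no Rackspace credential format is assumed.

```python
import base64
import binascii
import io
import math
import re
import zipfile

# Constructed sample (placeholder values, not real credentials). The two
# entries stand in for an assets file and decoded resource strings; the
# second carries the same key base64-wrapped, as a stand-in for obfuscation.
PLAINTEXT_KEY = "EXAMPLE_API_KEY_0123456789abcdef0123456789abcdef"
SAMPLE_ENTRIES = {
    "assets/cloud.properties": (
        "storage.user=example-tenant\n"
        f"storage.api_key={PLAINTEXT_KEY}\n"
    ),
    "res/values/strings.xml": (
        "<resources>\n"
        f'  <string name="cfg">{base64.b64encode(PLAINTEXT_KEY.encode()).decode()}</string>\n'
        "</resources>\n"
    ),
    "res/values/colors.xml": '<resources><color name="bg">#ffffff</color></resources>\n',
}

# Names that usually sit next to a secret, and the shape of a token-like value
# (the '=' is only allowed as trailing base64 padding, so "key=VALUE" splits).
KEY_NAMES = re.compile(r"(api[_-]?key|secret|password|token|credential)", re.I)
TOKEN = re.compile(r"[A-Za-z0-9+/_\-]{24,}={0,2}")


def build_sample_apk() -> bytes:
    """Pack the constructed entries into an in-memory zip, as an APK is."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in SAMPLE_ENTRIES.items():
            zf.writestr(name, text)
    return buf.getvalue()


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking keys score well above prose."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def decode_base64(token: str):
    """Return the decoded text if the token is valid base64 of printable ASCII."""
    try:
        raw = base64.b64decode(token, validate=True)
        text = raw.decode("ascii")
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def scan_apk_bytes(apk: bytes, entropy_threshold: float = 3.5) -> list:
    """Flag credential-like strings in every text entry of the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for name in zf.namelist():
            try:
                text = zf.read(name).decode("utf-8")
            except UnicodeDecodeError:
                continue  # compiled/binary entries are out of scope for this demo
            for lineno, line in enumerate(text.splitlines(), 1):
                for tok in TOKEN.findall(line):
                    if shannon_entropy(tok) < entropy_threshold:
                        continue
                    kind = "named-credential" if KEY_NAMES.search(line) else "high-entropy"
                    decoded = decode_base64(tok)
                    # A wrapped key is still a key: report what it decodes to.
                    if decoded is not None and shannon_entropy(decoded) >= entropy_threshold:
                        kind, tok = "base64-wrapped", decoded
                    findings.append({"path": name, "line": lineno, "kind": kind, "value": tok})
    return findings


if __name__ == "__main__":
    for f in scan_apk_bytes(build_sample_apk()):
        print(f"{f['path']}:{f['line']} [{f['kind']}] {f['value']}")
```

Run as a build step, a non-empty result fails the release. The lasting fix is architectural rather than a better wrapper: the app never holds the storage credential at all, and a backend it authenticates to issues short-lived, narrowly scoped tokens on its behalf.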

Shortly after Motherboard first reported the Retina-X breach in
February of last year, a second hacker independently approached us,
and said they already had been inside the company’s systems for some
time. The hacker provided other internal files from Retina-X, some of
which Motherboard verified at the time.

Answering a series of questions about what Retina-X changed after last
year’s hack, a spokesperson wrote in an email that “we have been
taking steps to enhance our data security measures. Sharing details of
security measures could only serve to potentially compromise those

“Retina-X Studios is committed to protecting the privacy of its users
and we have cooperated with investigating authorities,” the
spokesperson wrote. “Unfortunately, as we are well aware, the
perpetrators of these egregious actions against consumers and private
companies are often never identified and brought to justice.”

At the end of 2016, the hacker gained access to the servers of
Retina-X, which makes several spyware products, and started collecting
data and moving inside the company’s networks. Weeks later, the hacker
shared samples of some of the data he accessed and stole with
Motherboard. But he didn’t post any of it online. Instead, he wiped
some of the servers he got into, as the company later admitted in
February of 2017.

The new alleged hack comes just a few days after the hacker resurfaced
online. At the beginning of February, the hacker started to dump
online some of the old data he stole from Retina-X in late 2016. The
hacker is now using a Mastodon account called “Precise Buffalo” to
share screenshots recounting how he broke in, as well as raw data from
the breach, though no private data from victims and targets.

In February of 2017, a Motherboard investigation based on data
provided by hackers showed that tens of thousands of people—teachers,
construction workers, lawyers, parents, jealous lovers—use stalkerware
apps. Some of those people use the stalkerware apps to spy on their
own partners without their consent, something that is illegal in the
United States and is often associated with domestic abuse and

Retina-X was not the only spyware company hacked last year. Other
hackers also breached FlexiSpy, an infamous provider of spyware that
has actively marketed its apps to jealous lovers. At the time, the
hackers promised that their two victims—FlexiSpy and Retina-X—were
only the first in line, and that they would target more companies that
sell similar products.
