Hacker claims spyware maker Retina-X has been breached, again

Some hackers seem to have a problem with spyware.

Perhaps they don’t like the idea of “[living] in a world where younger generations grow up without privacy,” as one hacker told Motherboard after he allegedly hoovered out a spyware company’s servers… for the second time in about a year.

Last year, the hacker turned vigilante. He broke into servers belonging to Retina-X Studios, a Florida-based company that sells spyware products to keep tabs on kids and employees (the “legal” targets of covert surveillance).

He said he had found the key and credentials he needed to start the attack inside the Android version of the company’s Teenshield app.

Having gained access, he claims to have taken customer account logins, as well as data from the devices of people monitored by a Retina-X product called PhoneSheriff: private photos, messages, alleged GPS locations and more. He didn’t post any of it online, he says, though he did claim to have wiped some of the servers he’d been rooting around in.

Retina-X confirmed this first breach, classifying it as a “fairly sophisticated” attack while also minimizing it as “a weakness in a decompiled and decrypted version of a now-discontinued product.”

The same hacker now alleges that he’s returned to haunt Retina-X despite it taking “steps to enhance our data security measures”. Motherboard reports that Retina-X disagrees:

Friday morning, after the hacker told us he had deleted much of Retina-X’s data, the company again said it had not been hacked. But Motherboard confirmed that the hacker does indeed have access to its servers.

The publication says it verified the breach by downloading the PhoneSheriff app on to an Android phone and then using the phone to take photos of their shoes. This is what the hacker messaged editorial staff moments later:

I have 2 photos of shoes.

Retina-X isn’t the first spyware maker to have been breached.

FinFisher, which specializes in government spyware that’s infamous for being used to spy on dissidents, was hacked in August 2014, while the infamous keylogger/stalkerware maker FlexiSpy was ransacked in April 2017.

Regardless of how spyware marketing has been smoothed over – as in, “hey guys, let’s drop the references to cheating spouses and emphasize the legality of spying on kids and employees” – the fact remains that covert surveillance tools are popular with people spying on unwitting partners.

Unsurprising, given their feature set.

Spyware apps like FlexiSpy – which can log keystrokes and tap into mics, calls, stored photos, text messages, email and even encrypted messages from apps such as WhatsApp – are cited by an overwhelming majority of survivors of domestic violence.

The majority of abusers train such tools on their victims’ whereabouts, communications and activities. A 2014 NPR investigation found that 75% of 70 surveyed domestic violence shelters in the US had encountered victims whose abusers had used eavesdropping apps. Another 85% of surveyed shelters reported that they’d helped victims whose abusers used GPS to track them.

But none of that is justification for hacking companies that are operating legally. The hackers broke the law, and they didn’t help the victims of spyware in the process. They actually could have made things much worse for those victims by telling others how they did it, putting out blueprints and encouraging them to do the same.

For all we know, the hackers weren’t themselves all that benevolent and might well have lied about what they did or didn’t do. Even if their motives were pure, who’s to say what mistakes they might have made and what they might have tripped over while roaming around and discovering somebody else’s network?

And will the next hacker through the door be so restrained as to refrain from publishing victims’ personal information?

There are good reasons why unauthorized access to computers, and destruction of data, are illegal – regardless of how distasteful we may find the data that was destroyed.