Image: Rory O'Donnel/Flickr

A Week Later, Hacked Spyware Vendors Haven't Warned Their 130,000 Customers

An alleged email apparently shows one employee explicitly telling staff not to warn customers the company was hacked.

|
Apr 25 2017, 4:30pm

Image: Rory O'Donnel/Flickr

Tens of thousands of people are in the dark.

Motherboard recently reported hackers had targeted two companies that sell spyware to the everyday consumer—Retina-X and FlexiSpy. Hackers made off with a mix of over 130,000 customer records, as well as company documents and even text messages and photos captured by Retina-X's malware.

A week later, and affected customers say neither company has informed them about the data breaches, with one company allegedly telling staff to lie to victims who inquired about the hack.

Ten FlexiSpy and Retina-X customers told Motherboard via email that they had not received any notifications about the hacks.

"Your email is the first I've heard of this," one Retina-X customer said.

"No, PhoneSheriff [one of Retina-X's products] has not told me anything about it," said another.

One person was even a customer of both Retina-X and FlexiSpy.

"I haven't received any notification or communication from either company about their data breaches or the fact that my details were compromised," the customer said.

Both companies sell malware marketed to monitor children or employees, and in FlexiSpy's case, to spy on spouses. However, consumer malware has repeatedly appeared in cases of domestic violence.

The type of data obtained by hackers. Image: Motherboard

At least in Retina-X's case, the lack of customer outreach doesn't appear to be down to incompetence. An alleged email obtained by Motherboard seems to show a Retina-X employee telling staff not to inform customers about the hack, even when specifically asked for details.

"If any visitor asks if we have been hacked, then let them know this: Our server was not wiped because of a hack. We had a corrupted OS due to a hard disk failure. The drive had to be reformatted and reloaded for the server. Everything is running fine," the employee, called Arun, writes. Motherboard verified that the mail server mentioned in the email's headers was accurate.

A Retina-X customer support representative gave that exact same response during a live chat, according to someone who posed as a customer and asked about the hack. 

"Please make sure you all are aware of the appropriate response. The response is only for those who specifically mention a 'hack' or 'data breach'. A simple mention of downtime or inability to login should NOT receive this response. Please make sure that the response is not sent to someone who did not specifically mention the word 'hack' or 'data breach'," the email continues. When a hacker wiped Retina-X's servers in around February, Retina-X posted a warning to customers, claiming that the company had suffered a hardware failure.

Neither Retina-X or FlexiSpy responded to a request for comment on Tuesday.

UPDATED, May 1, 2:05 p.m. ET: On April 30, Retina-X finally acknowledged the data breach in a blog post. The company said that it was convinced that the "sophisticated" data breach was simply a hardware failure. The company also defended its products, saying they are only intended for legal use.

"Our products are not spyware. Our child and employee monitoring software shows up as an icon and in the Installed Apps list of devices," the company wrote. "There are also notifications to let the user of the device know that activities are being monitored."

Max Hoppenstedt and Lorenzo Franceschi-Bicchierai contributed reporting.

This story has been updated to add that a Retina-X customer support representative reportedly gave someone the same response that the company asked its employees to give in case people asked about the hack.

Subscribe to Science Solved It , Motherboard's new show about the greatest mysteries that were solved by science.