
Cyber Incident Victim: Retina-X Studios

Date:

Feb 2018

Location:

United States of America

Summary

A hacker repeatedly breached a spyware company's servers and deleted sensitive data, including private photos and messages collected from monitored devices. The attacker exploited weaknesses in the company's own products: a cloud-storage credential was first found in plaintext inside an Android app and, after the firm claimed to have hardened its software, the replacement API key was recovered from the same app despite obfuscation. Citing ethical objections to non-consensual surveillance software, the hacker wiped the stored victim data (roughly a terabyte in the 2018 incident) rather than leak it, to keep it out of the hands of other attackers. Independent verification confirmed the unauthorized access despite the firm's public denials. The incidents highlight a persistent failure in systems built for covert monitoring: a secret embedded in a client app is recoverable by anyone who can download the app, and the data behind it is then exposed to both extraction and deletion.

CIA Posture: members only

Motives: 1 motive

Tactics, Techniques & Procedures: 2 techniques

Threat Actor: 1 actor

Type: members only

Location: members only

Description

In late 2016, a hacker broke into Retina-X Studios' servers and kept access for an extended period to the company's network and to the storage backing its spyware products. The entry point was a plaintext cloud-storage credential embedded in one of the company's Android apps. The attacker collected sensitive information from monitored devices, including private photos, messages, and location data belonging to people targeted through Retina-X products such as PhoneSheriff. By February 2017 the hacker had shared samples of the breach with Motherboard but refrained from leaking the data publicly, choosing instead to wipe portions of the compromised servers. Retina-X later acknowledged this breach. Motherboard's analysis of the stolen data revealed tens of thousands of stalkerware users across professions including teachers, construction workers, and lawyers, many of whom deployed the software illegally to surveil partners without consent, a practice linked to domestic abuse.


The hacker resurfaced in February 2018 and breached Retina-X's cloud servers again, despite the company's claims of enhanced security measures. The entry point was once more the PhoneSheriff Android app. The cloud API key had been obfuscated since the 2016 breach but was still retrievable from the app, which is the expected outcome: an app that must decode a key at runtime ships the decoding logic and its inputs alongside the key, so obfuscation only raises the effort slightly for anyone who downloads the app. Using the recovered key, the attacker deleted approximately 1 terabyte of victim data stored in Rackspace cloud containers. Motherboard verified the breach by creating a test PhoneSheriff account; the hacker accurately described photos and registration details from the monitored test device before deleting the data. Retina-X initially denied both the breach and the data deletion, despite evidence confirming the hacker's access. The attacker cited ethical opposition to stalkerware's privacy violations as motivation, referencing Edward Snowden's views on personal privacy rights. Concurrently, a second unidentified hacker contacted Motherboard with additional internal Retina-X files, indicating persistent security weaknesses. The company declined to specify remediation steps, stating only that it had cooperated with authorities and enhanced data protections, without providing technical details.
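The 2016 and 2018 intrusions share one root cause: a credential the app needed at runtime was shipped inside the app, first in plaintext and then in obfuscated form. The scan below is an added example for this page, not Retina-X's code and not drawn from the reporting the page summarizes. It runs over a constructed stand-in for strings pulled from a decompiled Android APK (the 32-hex-character key, its base64 and single-byte-XOR encodings, and the variable names STORAGE_API_KEY, ENC, OBF and XK are all invented) and recovers the same secret from all three representations. It goes one step beyond the page by handling three encodings rather than the two the text mentions; the point is the same: whatever transform the app applies, the inverse and its key are also in the build, so a static pass over a release APK recovers the secret.

```python
"""Recover credentials embedded in a client app build (added example).

The input is a constructed dump of strings from a decompiled Android app
(res/values/strings.xml plus decompiled Java). Nothing here is a real
credential or real Retina-X code.
"""
import base64
import re

# Invented 32-hex-char "API key"; the same value appears three times below.
KEY = "9f8e7d6c5b4a39281706f5e4d3c2b1a0"

# Constructed sample of decompiled-app text (not from any real APK).
DECOMPILED = [
    '<string name="storage_user">acme-mobile-sync</string>',
    '<string name="storage_api_key">9f8e7d6c5b4a39281706f5e4d3c2b1a0</string>',
    # Same key, "hidden" by base64 in a later build.
    'private static final String ENC = "OWY4ZTdkNmM1YjRhMzkyODE3MDZmNWU0ZDNjMmIxYTA=";',
    # Same key again, XORed with a single byte that sits two lines further down.
    'private static final byte[] OBF = {0x63, 0x3c, 0x62, 0x3f, 0x6d, 0x3e, 0x6c, 0x39, '
    '0x6f, 0x38, 0x6e, 0x3b, 0x69, 0x63, 0x68, 0x62, 0x6b, 0x6d, 0x6a, 0x6c, 0x3c, 0x6f, '
    '0x3f, 0x6e, 0x3e, 0x69, 0x39, 0x68, 0x38, 0x6b, 0x3b, 0x6a};',
    'private static final byte XK = 0x5a;',
    'public static String key() { return new String(xor(OBF, XK)); }',
]

# Long runs of token-alphabet characters are credential candidates.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_-]{32,}")
# Heuristic for "this is key material": 32 or more lowercase hex characters.
HEX_RE = re.compile(r"^[0-9a-f]{32,}$")
# Java byte[] literals and single-byte constants, as a decompiler emits them.
BYTE_ARRAY_RE = re.compile(r"byte\[\]\s+(\w+)\s*=\s*\{([^}]*)\}")
BYTE_CONST_RE = re.compile(r"byte\s+(\w+)\s*=\s*(0x[0-9a-fA-F]{1,2}|-?\d+)\s*;")
BYTE_LITERAL_RE = re.compile(r"0x[0-9a-fA-F]+|-?\d+")


def looks_like_key(s: str) -> bool:
    return bool(HEX_RE.match(s))


def plaintext_candidates(lines):
    """Keys stored as-is: a long hex token anywhere in the dump."""
    return [("plaintext", tok)
            for line in lines
            for tok in TOKEN_RE.findall(line)
            if looks_like_key(tok)]


def base64_candidates(lines):
    """Keys 'hidden' by base64: decode every long token and re-test it."""
    out = []
    for line in lines:
        for tok in TOKEN_RE.findall(line):
            try:
                dec = base64.b64decode(tok, validate=True).decode("ascii")
            except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
                continue
            if looks_like_key(dec):
                out.append(("base64", dec))
    return out


def xor_candidates(lines):
    """Keys XORed with a constant: the array and the XOR byte both ship in the
    app, so pair every byte[] literal with every single-byte constant."""
    text = "\n".join(lines)
    xor_keys = {name: int(val, 0) & 0xFF for name, val in BYTE_CONST_RE.findall(text)}
    out = []
    for _name, body in BYTE_ARRAY_RE.findall(text):
        data = bytes(int(v, 0) & 0xFF for v in BYTE_LITERAL_RE.findall(body))
        for kname, k in xor_keys.items():
            try:
                dec = bytes(b ^ k for b in data).decode("ascii")
            except UnicodeDecodeError:
                continue
            if looks_like_key(dec):
                out.append(("xor:" + kname, dec))
    return out


def recover_secrets(lines):
    """Every (encoding, secret) pair recoverable from the dump, in scan order."""
    return plaintext_candidates(lines) + base64_candidates(lines) + xor_candidates(lines)


if __name__ == "__main__":
    for how, secret in recover_secrets(DECOMPILED):
        print(f"{how:10s} {secret}")
```

The same scan, pointed at the output of a real decompiler run over a release APK, is the pre-release check that would have caught both the plaintext credential and its obfuscated successor; the durable fix is to keep the credential off the device entirely and have the app talk to a server that holds it.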

Sources: 1 source (members only)