The reports of a FlexiSPY ‘hack’ have been greatly exaggerated, but first, some context.
The report was broken by a blogger who — as evidenced by intercepted communication from a recovered twitter account — had a 6-week exclusive agreement with an obsessed criminal ‘hacker’ to document the scheduled “burning to the ground” of FlexiSPY. An unidentified and clearly disgruntled ex-employee is also featured in the very first report.
These intercepted communications also show that the criminal — who has gone by the Twitter handle @dontfeelsecure — also offered to provide, in his own words, “raw data”, belonging to children and employers to a German reporter.
Yet, the story is unusual and almost extraordinary on many levels.
From the premeditated collusion of criminal and blogger to the ad hominem and virtue-signaling justifications used by both the criminal and employee — something did not seem to add up.
Which is why we have waited until we believed all the data that was promised to be leaked to the blogger was available.
Assuming that we have reached that point, we can state that through examining the data that was leaked by the criminal — we find no evidence of a Customer Monitoring Data (CMD) breach. The leaks that do exist are very old internal company documents archives, including anonymous newsletter subscriber email lists. More on these lists later on.
For clarification, CMD data is collected from customer devices and is totally different to internal documents — which are kept on a completely separate physical and security domain, and are accessed by employees with authorization levels
A series of stories written by the blogger then followed — including statements from FlexiSPY customers who appear to have been identified — not by the loss of CMD, but instead by the use of phishing emails sent to mailing list subscribers from entities connected to the collusion.
In other words, this is a leak of internal documents, not a wholesale hack into the customer monitoring data.
Like most prudent companies who need to track internal documents, we have extensive Employee Monitoring Software installed on the employee network — and from this system we have ascertained that an ex-employee used an unauthorized MacBook to install tools and copy files. The employee has been identified and details have been passed to the police.
To our customers — your monitoring data was never at risk — and it was only company archives that were stolen as a result of insider theft by a disgruntled employee. In addition, using the evidence available and applying the Occam’s Razor principle — we believe that the ex-employee and the hacker are one and the same.
However, we are far from complacent, and we want to assure our customers that this incident has energized us to look at our internal security. We have improved our systems — adding multiple subnet isolation, implementing across the board two-factor authentication and deploying employee monitoring integrated biometric authentication for all applications and websites — as well as an ongoing bug bounty program open to white hat hackers.
As hundreds of companies from Apple to Citibank and Netflix who have actually been hacked will testify — the Internet is a jungle and breaches are a not a matter of if, but when. Experts and victims alike will tell you that while the majority of cyber-attacks are from outside — it’s the insider threat that causes the most damage.
This should be a wake-up call for all businesses who hold customer data but feel that insider theft is not a likely scenario for them.
To discourage future criminals — we are announcing a $50,000 USD reward for information that results in the conviction of the criminal. If you have any verifiable evidence as to the identity of the hacker, and proof of his actions, please get in touch and help us bring him to justice.
While the criminal may be entitled to his own opinions, he is not entitled to his own facts — and it is a fact that FlexiSPY products are legal. He is certainly not entitled to break the law, potentially placing the lives of Parents, Children, Employers and Employees in danger, simply to settle an imaginary score.
Which brings us to this blogger and his narrative of a shadowy company enabling domestic violence being brought to justice by a noble cyber vigilante. This narrative — formed by blending historical FlexiSPY marketing, clickbait headlines, mock outrage, anonymous sources, slurs, and insinuations — designed to transform a niche interest story of insider theft, into a piece of pulp fiction.
To be fair, the perennial question of our historical advertising is the only thing the media enquiries we receive seem to care about — and we give the same reply.
We are against domestic violence, stalking or any other nefarious use and the majority of our users subscribe for legitimate reasons. Like any tool, FlexiSPY can be misused, and in those cases, like Google and Apple, we have worked with law enforcement to assist them with their inquiries, as long as they have the appropriate legal justification.
We have never denied our historical website advertising — which addressed issues of genuine concern to large conservative and Christian groups that prohibit infidelity — but the fact is that this advertising was dropped a long time ago and no longer exists.
However, the current reality of our products and marketing do not suit the blogger’s needs. They continue to frame stories with this fake narrative and are now relegated to relying on old screen grabs, google caches and vestigial pages to justify their positions.
What these people do is their business, but it is our silence that has allowed their falsehoods to go unchecked.
We therefore challenge anyone throwing around accusations, or indulging in name calling — if you truly believe we’re doing something illegal, then provide us with a factual legal argument from a competent authority, or STFU.