In what appears to be the more scandalous breach to occur over the course of the past few weeks, Ashley Madison, an online network for married people who want to have an affair, has been hacked, placing the personal data of some of its 37 million users in jeopardy of exposure.
First reported by Krebs on Security, the adult-oriented website confirmed the breach late Sunday evening. Noel Biderman, CEO of Avid Life Media, the Toronto-based firm that owns AshleyMadison.com and several similar sites, revealed to Krebs that the firm was “working diligently and feverishly” to take down ALM’s intellectual property.
“We’re not denying this happened,” Biderman said. “Like us or not, this is still a criminal act.”
The hackers, identified as the Impact Team, released what appeared to be random pieces of information on user accounts, as well as internal data on Avid Life Media’s servers, employee salaries and network account information. The Impact Team has demanded that Avid Life Media shut down Ashley Madison, as well as another Avid Life Media site, Established Men, threatening otherwise to release all of the compromised data, including profiles along with “all the secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails”.
The hackers have stated in a lengthy manifesto that accompanied some of the compromised data that Ashley Madison’s “full delete” feature did not wipe user profiles as advertised, despite charging a fee for the profile deletion service. Citing lies told by Avid Life Media to its customers, the hackers allege that although the profile deletion feature promises “removal of site usage history and personally identifiable information from the site”, customer data remains intact and internally accessible to Avid Life Media.
The manifesto states, “Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.”
Avid Life Media has released a statement apologizing to its customers for the “unprovoked and criminal intrusion” and has said, “At this time, we have been able to secure our sites, and close the unauthorized access points. We are working with law enforcement agencies, which are investigating this criminal act. Any and all parties responsible for this act of cyber–terrorism will be held responsible.”
Coming on the heels of the recent Adult FriendFinder hack, which exposed customer email addresses, usernames, passwords, birthdays and zip codes, in addition to their sexual preferences, the AM exposure might prove to be a fatal blow to Avid Life Media’s Initial Public Offering (IPO) plans. Compromised data that was leaked following the Adult FriendFinder hack led to customers being targeted on social media sites like Twitter. Although there have been no revelations of credit card data from the Adult FriendFinder breach, the same cannot yet be said for Avid Life Media.
The Ashley Madison breach is too new to determine what the fallout of the data loss will be, both to Avid Life Media and to its customers. As scandalous as the exposed information may be, there might be some semblance of hope that the cyber-community may start to understand that what they think about privacy and how companies protect that privacy are two totally different things. There really is nothing worse than the illusion of being protected from exposure.
In the 1998 film Enemy of the State, Thomas Reynolds, played by Jon Voight, says, “The only privacy that’s left is the inside of your head.” That truth might be realized by some of the 37 million customers whose personal information and possible indiscretions are now in the hands of an entity that does not have their best interests in mind.
Gabe Morales is the Senior Security Manager for Accume Partners and has over 15 years of experience in IT Security. He specializes in vulnerability testing, social engineering and security awareness training. He can be followed on Twitter @gmorales63. For more updates, check out the Accume Blog. For questions or comments, please email me at firstname.lastname@example.org.