Divorce lawyers may be happy today, but the outlook for about 37 million married cheaters to have a great day is doubtful since online cheating site Ashley Madison was hacked and the attackers threatened to release all customer records, profiles with secret sexual fantasies, nude pictures, conversations, as well as real names and addresses via credit card transactions if their demands are not met.
Ashley Madison’s slogan, “Life is short. Have an affair,” was replaced by a message from the Impact Team hacking group to Ashley Madison’s parent company Avid Life Media (ALM). That message stated:
ALM runs Ashley Madison, the internet’s #1 cheating site, for people who are married or in a relationship to have an affair. ALM also runs Established Men, a prostitution/human trafficking website for rich men to pay for sex, as well as Cougar Life, a dating website for cougars, Man Crunch, a site for gay dating, Swappernet for swingers, and The Big and The Beautiful, for overweight dating.
The Impact Team demanded for ALM to immediately and permanently shut done Ashley Madison and Established Men or else the hacking group will release all customer data which includes nude photos, sexual fantasies and credit card data which will reveal real names and addresses of Ashley Madison’s 37 million cheaters.
The hackers quoted ALM chief technology officer Trevor Stokes as previously saying, “I would hate to see our systems hacked and/or the leak of personal information.” They then welcomed Stokes to his worst flipping nightmare.
The Impact Team, according to Krebs on Security, added:
Too bad for those men, they’re cheating dirtbags and deserve no such discretion. Too bad for ALM, you promised secrecy but didn’t deliver. We’ve got the complete set of profiles in our DB dumps, and we’ll release them soon if Ashley Madison stays online. And with over 37 million members, mostly from the US and Canada, a significant percentage of the population is about to have a very bad day, including many rich and powerful people.
The Impact Team released about 40MB of data as proof of the hack, according to CSO’s Steve Ragan. The group’s statement included:
We have hacked them completely, taking over their entire office and production domains and thousands of systems, and over the past few years have taken all customer information databases, complete source code repositories, financial records, documentation, and emails, as we prove here. And it was easy. For a company whose main promise is secrecy, it's like you didn't even try, like you thought you had never p*ssed anyone off.
The attackers seemed especially riled up by alleged ALM “lies,” including the $19 “full delete” service offered by Ashley Madison to wipe adulterous users’ info from its site. Although the company made $1.7 million for the “delete” service in 2014, the Impact Team claimed only the profile information is removed, but credit card info linked to real names and billing addresses are not deleted.
ALM Chief Executive Noel Biderman confirmed the hack to KrebsOnSecurity, adding that the company was “working diligently and feverishly” to remove ALM’s intellectual property. “We’re not denying this happened,” Biderman said. “Like us or not, this is still a criminal act.”
ALM released a statement claiming it “had stringent security measure in place,” but those “security measures have unfortunately not prevented this attack.” ALM apologized for the “unprovoked and criminal intrusion” before adding, “The current business world has proven to be one in which no company’s online assets are safe from cyber-vandalism.” Near the close of the statement however, the terminology switched from cyber-vandalism to cyber–terrorism. “We are working with law enforcement agencies, which are investigating this criminal act. Any and all parties responsible for this act of cyber–terrorism will be held responsible.”
Your extramarital affairs were not discrete even before the breach
Troy Hunt, Microsoft MVP for developer security, warned that “your affairs were never discrete” because “Ashley Madison always disclosed customer identities.” To set the stage, Hunt explained that after the Adult Friend Finder breach went public, he loaded the data to Have I been pwned? In response, he received some emails asking him to remove the person’s email address from the list and one demanding he remove an email from the database or the person would “seek legal counsel.” The thing that struck Hunt was “these guys think that their presence on the site was only disclosed because of a data breach!” Hunt then uses Ashley Madison to demonstrate his point.
Hunt entered a bogus email address on Ashley Madison’s password reset form; it asks the person to enter the email associated with their account in order to send the login info to that email address. There’s a send button and the message, “Thank you for your forgotten password request. If that email address exists in our database, you will receive an email to that address shortly.”
It’s a good response, according to Hunt, since it “doesn’t deny the presence of the account.” Nine out of 10 times, Hunt said sites will say the bogus email addy doesn’t exist – which exposes that an email address does exist by giving a different message.
Next he created a test account on Ashley Madison and then tried the password reset option. The forgotten password request message was the same, “but the text box and send button have been removed! The developers somehow managed to snatch enumeration defeat from the hands of victory!”
So here’s the lesson for anyone creating accounts on websites: always assume the presence of your account is discoverable. It doesn’t take a data breach, sites will frequently tell you either directly or implicitly. Moral judgement about the nature of these sites aside, members are entitled to their privacy. If you want a presence on sites that you don’t want anyone else knowing about, use an email alias not traceable back to yourself or an entirely different account altogether.