Cheating Site Ashley Madison Hacked….. Threats Of Massive Data Dump Ensue [UPDATED x2]

Whatever it is that you decide to do in your personal life is your business. So when I got wind of cheating website Ashley Madison getting hacked I had to immediately post a story on it as a lot of people’s private details may become public shortly. Here’s what security expert Brian Krebs had to say:

Large caches of data stolen from online cheating site AshleyMadison.com have been posted online by an individual or group that claims to have completely compromised the company’s user databases, financial records and other proprietary information. The still-unfolding leak could be quite damaging to some 37 million users of the hookup service, whose slogan is “Life is short. Have an affair.”

The data released by the hacker or hackers — which go by the name The Impact Team — includes sensitive internal data stolen from Avid Life Media (ALM), the Toronto-based firm that owns AshleyMadison as well as related hookup sites Cougar Life and Established Men.

Now here’s where the story starts to get interesting. A group calling itself The Impact Team have claimed responsibility for the hack and said this:

In a long manifesto posted alongside the stolen ALM data, The Impact Team said it decided to publish the information in response to alleged lies ALM told its customers about a service that allows members to completely erase their profile information for a $19 fee.

According to the hackers, although the “full delete” feature that Ashley Madison advertises promises “removal of site usage history and personally identifiable information from the site,” users’ purchase details — including real name and address — aren’t actually scrubbed.

“Full Delete netted ALM $1.7mm in revenue in 2014. It’s also a complete lie,” the hacking group wrote. “Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.”

Their demands continue:

“Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails. The other websites may stay online.”

It’s unclear how much of the AshleyMadison user account data has been posted online. For now, it appears the hackers have published a relatively small percentage of AshleyMadison user account data and are planning to publish more for each day the company stays online.

“Too bad for those men, they’re cheating dirtbags and deserve no such discretion,” the hackers continued. “Too bad for ALM, you promised secrecy but didn’t deliver. We’ve got the complete set of profiles in our DB dumps, and we’ll release them soon if Ashley Madison stays online. And with over 37 million members, mostly from the US and Canada, a significant percentage of the population is about to have a very bad day, including many rich and powerful people.”

Lovely. So this isn’t just a hack. It’s extortion. And it may be an inside job. Here’s what the CEO of Avid Life Media Noel Biderman, who did not deny that his sites had been hacked had to say:

ALM CEO Biderman declined to discuss specifics of the company’s investigation, which he characterized as ongoing and fast-moving. But he did suggest that the incident may have been the work of someone who at least at one time had legitimate, inside access to the company’s networks — perhaps a former employee or contractor.

“We’re on the doorstep of [confirming] who we believe is the culprit, and unfortunately that may have triggered this mass publication,” Biderman said. “I’ve got their profile right in front of me, all their work credentials. It was definitely a person here that was not an employee but certainly had touched our technical services.”

This is something that I always tell my corporate customers when they ask me for advice on how to improve their IT security. Focus on your employees because you are one disgruntled employee away from a disaster of some sort. The thing is, the story also details how security was top of mind with employees, but this hack still happened anyway. That’s a #fail.

So, I am willing to bet on two things. First, this story isn’t over yet. Second, flower and jewelry sales are about to skyrocket.

UPDATE: ALM has released a statement that says all the usual things (we’re sorry, we did our best, our IT security doesn’t suck, we called the cops, have faith in us, don’t stop giving us money, etc.). Cold comfort to those who’s lives may get turned upside down. There’s also this interesting tidbit:

Contrary to current media reports, and based on accusations posted online by a cyber criminal, the “paid-delete” option offered by AshleyMadison.com does in fact remove all information related to a member’s profile and communications activity. The process involves a hard-delete of a requesting user’s profile, including the removal of posted pictures and all messages sent to other system users’ email boxes. This option was developed due to specific member requests for just such a service, and designed based on their feedback.

As our customers’ privacy is of the utmost concern to us, we are now offering our full-delete option free to any member, in light of today’s news.

Hmmm….. My first thought upon reading this is that what the hackers said about ALM might actually have some truth to it. My second thought is deleting info now doesn’t really help any of their customers now. After all, the metaphorical horse has left the metaphorical barn already.

UPDATE #2: The data dump has happened.