Site for cheaters faces a massive hack that threatens to reveal users’ details. Flower shops and jewelers brace for wave of orders to angry spouses
In a reminder that nothing on the Internet is ever truly safe from prying eyes, the matchmaker site that helps married users seek out affairs, Ashley Madison, admitted on Tuesday that they were the victim of a massive hacking. According to the hackers’ initial reports as published in the online cybersecurity site KrebsOnSecurity, the attack compromised the personal details of an estimated 37 million users.
‘The Impact Team’ is the name of the group claiming responsibility for the hack of Toronto based Avid Life Media’s (ALM) extensive database, which runs Ashley Madison (AM). They have demanded that the company cease operations for AM and another site called Established Men, threatening to expose all of their stolen data, which includes users’ real names along with other intimate and harmful details. For several hours on Tuesday, the site was down. It was unclear whether this was due to technical issues or in response to the threats.
At this point, it is believed that only a small number of the overall users’ profiles have had their details actually posted online. In the report from KrebsOnSecurity, the hackers have said that they will release the remainder of the user data should the company refuse to comply with their demand.
Earlier Tuesday, after the The Impact Team posted that they took responsibility for the attack, ALM issued a statement acknowledging that their systems had been breached. Hours later, they followed up with another release, saying that, ‘Using the Digital Millennium Copyright Act (DMCA), our team has now successfully removed the posts related to this incident as well as all Personally Identifiable Information (PII) about our users published online. We have always had the confidentiality of our customers’ information foremost in our minds and are pleased that the provisions included in the DMCA have been effective in addressing this matter.’
Identifying the culprit – from the inside
In the meantime, the team over at ALM is working with the cybersecurity firm Cycura to remove as much of the leaked information that has been posted so far as possible. In addition to the attempt at damage control, the search for perpetrators is already in hot pursuit. Noel Biderman, who serves as the Chief Executive at ALM, told KrebsOnSecurity that, “We’re on the doorstep of [confirming] who we believe is the culprit, and unfortunately that may have triggered this mass publication,” Biderman said. “I’ve got their profile right in front of me, all their work credentials. It was definitely a person here that was not an employee but certainly had touched our technical services.”
Most of the indications that have turned up so far in the investigation have pointed to an inside job of sorts. While Biderman has stated that he does not believe the hacker to be an employee, he does seem to be pointing at someone who has had access to the company’s internal network.
One of the various issues that the hackers brought up in the complaints against ALM was their service option called Full Delete. Users can pay $19 to have all of their user data removed, which is a useful feature should a user need to cover up their tracks. However the hackers claim that the company does not fully delete the user data, keeping important information such as real names, credit card details, and other identifying materials in their system. This emphasis on the ALM’s failure to erase user data while profiting from Full Delete package sales could point to one of the hacker’s primary motives.
Does real privacy exist online?
It used to be said that on the Internet, nobody knows that you are really a dog. Now between services like Facebook and other sites where we build profiles, users voluntarily expose massive amounts of information to anybody who is ready to search for it. Some sites such as Ashley Madison claim to offer anonymity along with convenience for those looking to step out on their significant others. But as the recent hacking of hookup site AdultFriendFinder two months ago showed, even some of the bigger networks are at high risk for attacks.
From a security perspective, there appears to be a real rise in the number of ransomware attacks wherein hackers attain important data and then threaten to destroy or release it if their demands are not met, posing significant risks to companies and governments who have large sensitive databases. If the suspicion that the hackers did in fact have a prior relationship with ALM, it could highlight a continued weakness of many IT systems: While they have a hard shell against outside attacks, they are still vulnerable to internal penetrations.
It is worth remembering that Bradley (Chelsea) Manning of WikiLeaks fame stole hundreds of thousands of secret documents by downloading them onto CDs. Hopefully this case will be a good reminder of the limits of any cyber security system.
Meanwhile for Ashley Madison users, whose slogan is ‘Life is short. Have an Affair,’ we hope it was fun while it lasted.