AshleyMadison is a website catering to married people who wish to have an affair. The site claims to have 37 million users, and the personal data of those users is now in the hands of a hacker group calling itself The Impact Team, which is threatening to expose all of them unless AshleyMadison and a sister site called EstablishedMen are taken down.
The Impact Team has released a small sample of the data it took to prove that it has the goods. The KrebsOnSecurity website, which initially reported the breach, said that data released by the hackers included random samples of user information, plus “leaked maps of internal company servers, employee network account information, company bank account data and salary information.”
The KrebsOnSecurity report says that most known instances of the posted AshleyMadison data had been knocked out within a matter of hours, presumably by law enforcement and/or Avid Life Media’s data security team. However, they speculated the hackers are “planning to publish more for each day the company stays online.”
Not only do they claim to have personal information on the AshleyMadison users, but they also say they have “taken over all systems” at the offices of the website’s owners, Avid Life Media, including “all customer information databases, source code repositories, financial records, and emails.”
“Shutting down AM and EM [AshleyMadison and EstablishedMen] will cost you, but non-compliance will cost you more,” the hackers threatened in a statement. “We will release all customer records, profiles with all the customers’ secret sexual fantasies, nude pictures, and conversations and matching credit card transactions, real names and addresses, and employee documents and emails. Avid Life Media will be liable for fraud and extreme harm to millions of users.”
The hackers described AshleyMadison customers as “cheating dirtbags” who deserve no discretion and warned that “with over 37 million members, mostly from the US and Canada, a significant percentage of the population is about to have a very bad day, including many rich and powerful people.”
The manifesto was initially displayed on the hacked AshleyMadison website, but it was later returned to its normal appearance and function.
Based on statements from the company, it seems likely that the hackers include people who had some sort of information-technology consulting relationship with Avid Life Media but were not active, direct employees. KrebsOnSecurity also notes that the hackers went out of their way to apologize to the company’s security director: “Our one apology is to Mark Steele. You did everything you could, but nothing you could have done could have stopped this.”
Gizmodo suggests The Impact Team’s core grievance with AshleyMadison is the website’s $19 “full delete” feature, which was supposed to irretrievably erase all of a user’s profile data. The hackers say Avid Life Media was lying about the feature’s effectiveness: information about “full delete” customers remained on the company’s systems, including their real names and billing addresses, and was therefore among the data taken.
CNN Money relates claims from the hackers that Avid Life Media raked in $1.7 million in revenue last year selling the bogus “full delete” service. The company has challenged the Impact Team’s claims and has responded by saying it would make the “full delete” service free of charge. They also say they have hired “one of the world’s top IT security teams” to deal with the data breach.
NPR mentions that the attack comes at a moment when Avid Life Media has been looking to capitalize on the AshleyMadison brand with a TV show (a drama about people having affairs, “inspired by” what users of the website have said) and a possible $200 million stock offering.
The company vowed to find and prosecute those responsible for the data breach and rushed to assure customers that their information would be kept secure. “Like us or not, this is still a criminal act,” said Avid Life Media chief executive Noel Biderman.
A somewhat similar data breach occurred less than two months ago at the AdultFriendFinder website, exposing the personal data of some 3.5 million users. According to a CNN report, that attack was carried out by an apparently unrelated individual operating under the handle ROR[RG], who attempted to extort $100,000 from AdultFriendFinder before releasing the information.