Cheating website AshleyMadison.com (motto: “Life is short. Have an affair.”) has been hit by a massive security breach, and hackers are threatening to expose the personal information of 37 million of the site’s unfaithful users.
According to web security blog Krebs on Security, a hacking group calling itself the “Impact Team” has already leaked a large trove of the hookup website’s data online. The group claims it has complete access to the company’s user databases and personal information as well as financial records and other information.
The group wants AshleyMadison and another website, Established Men, both owned by a company called Avid Life Media, taken completely offline, and has threatened that it will otherwise “release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails.”
“Too bad for those men, they’re cheating dirtbags and deserve no such discretion,” the group wrote. “Too bad for ALM, you promised secrecy but didn’t deliver. We’ve got the complete set of profiles in our DB dumps, and we’ll release them soon if Ashley Madison stays online. And with over 37 million members, mostly from the US and Canada, a significant percentage of the population is about to have a very bad day, including many rich and powerful people.”
In a statement published alongside the data, the Impact Team said the reason for the hack was a feature on the website called “Full Delete,” where users could pay $19 to have all of their personal information scrubbed from the website.
But the hackers claim AshleyMadison didn’t follow through on its promise, and users’ information remained on the site’s servers after payment.
“Full Delete netted ALM $1.77mm in revenue in 2014. It’s also a complete lie,” the group wrote. “Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.”
In a statement to Krebs, Avid Life Media CEO Noel Biderman confirmed the hack and said security teams were working to identify the individuals responsible.
“We’re on the doorstep of [confirming] who we believe is the culprit, and unfortunately that may have triggered this mass publication,” Biderman told Krebs. “I’ve got their profile right in front of me, all their work credentials. It was definitely a person here that was not an employee but certainly had touched our technical services.”
Avid Life Media apologized for the breach in a statement, and said it was working “feverishly and diligently” to protect users’ information.
“We apologize for this unprovoked and criminal intrusion into our customers’ information,” a spokesman for the company said in a statement. “The current business world has proven to be one in which no company’s online assets are safe from cyber-vandalism.”