Ashley Madison hack steals 37 million cheaters' details

The Impact Team attackers claim to have full customer and employee databases

Ashley Madison, a website that describes itself as "the world's leading extra-marital dating site", has suffered a massive data breach, which has allegedly compromised the details of all 37 million of the site's users.

The site, which in January claimed to have seen "a membership spike 621 per cent higher than the UK daily average of new sign-ups", is owned by Avid Life Media (ALM), which also owns hook-up sites Established Men (EM) and Cougar Life.

The hack has been claimed by a group called The Impact Team, which left a message on the Ashley Madison website stating: "We have taken over all systems in your entire office and production domains, all customer information databases, source code repositories, financial records, emails."

"Trevor [Stokes], ALM's CTO once said 'protection of personal information' was his biggest 'critical success factors' and 'would hate to see our systems hacked and/or the leak of personal information'," the message continued.

"Well Trevor, welcome to your worst ... nightmare. We are the Impact Team. We have hacked them completely."

According to security researcher Brian Krebs, it is "unclear how much of the AshleyMadison (sic) user data has been posted online".

"For now, it appears the hackers have published a relatively small percentage of AshleyMadison (sic) user account data and are planning to publish more for each day the company stays online," he added.


The motivation for the attack seems to be twofold. On the one hand, the hackers seem to have targeted the firm because it allegedly failed to fully delete user data, despite charging for this service.

"Full Delete netted ALM $1.7mm (sic) in revenue in 2014. It's also a complete lie. Users almost always pay by credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information they want removed," the hackers stated.

On the other hand, there also seems to be a moral element, with Impact Team referring to EM as "a prostitution/human trafficking website" and Ashley Madison's male users as "cheating dirtbags [who] deserve no such discretion".

In a statement, ALM said it has "successfully removed all the posts related to this incident as well as Personally Identifiable Information (PII) about users published online".

"Our team of forensics experts and security professionals, in addition to law enforcement, are continuing to investigate this incident and we will continue to provide updates as they become available," it added.

Culprits uncovered?

According to Brian Krebs, ALM's CEO, Noel Biderman, declined to discuss the specifics of the investigation but told Krebs the incident "may have been the work of someone who at least one time had legitimate, inside access to the company's networks".

"We're on the doorstep of [confirming] who we believe is the culprit," Biderman told Krebs. "I've got their profile right here in front of me, all their work credentials. It was definitely a person here that was not an employee, but certainly had touched our technical services."

However, security researcher Graham Cluley told IT Pro: "It would certainly be surprising for any company which has been hacked to be able to assert with any confidence that it knew who had hacked its systems after such a short period of time."

"Even if a past contractor's login details had been used, that doesn't necessarily mean that it was that ex-contractor who accessed the system," he added.

Customer action

When it comes to potential ultimate victims, Ashley Madison's users, Cluley told IT Pro: "Clearly anyone who shared their details with Ashley Madison needs to be on their guard about unsolicited emails, and be aware that criminals might attempt to use the information for the purposes of fraud, embarrassment or blackmail."

Chris Boyd, malware intelligence analyst at Malwarebytes, agreed, adding: "With so many ways to exploit this data dump, from blackmail to trolling, it was always going to be a potential disaster waiting to happen - and with up to 37m people facing their information being laid bare, it's going to be quite a nervous start to the week for many."

The hack comes after 3.9 million users of adult hook-up site AdultFriendFinder had their details posted online, including their sexual orientations and sexual preferences, in an attack in May.

UPDATE: In response to the hack, Ashley Madison is now offering its full delete option free of charge.
