Ashley Madison hack steals 37 million cheaters' details

The Impact Team attackers claim to have full customer and employee databases

Ashley Madison, a website that describes itself as "the world's leading extra-marital dating site" has suffered a massive data breach, which has allegedly compromised the details of all 37 million of the site's users.

The site, which in January claimed to have seen "a membership spike 621 per cent higher than the UK daily average of new sign-ups", is owned by Avid Life Media (ALM), which also owns hook-up sites Established Men (EM) and Cougar Life.

The hack has been claimed by a group called The Impact Team, which left a message on the Ashley Madison website stating: "We have taken over all systems in your entire office and production domains, all customer information databases, source code repositories, financial records, emails."

"Trevor [Stokes], ALM's CTO once said 'protection of personal information' was his biggest 'critical success factors' and 'would hate to see our systems hacked and/or the leak of personal information," the message continued.

"Well Trevor, welcome to your worst ... nightmare. We are the Impact Team. We have hacked them completely."

According to security researcher Brian Krebs, it is "unclear how much of the AshleyMadison (sic) user data has been posted online".

"For now, it appears the hackers have published a relatively small percentage of AshleyMadison (sic) user account data and are planning to publish more for each day the company stays online," he added.

Motive

The motivation for the attack seems to be twofold. On the one hand, the hackers seem to have targeted the firm because it allegedly failed to fully delete user data, despite charging for this service.

"Full Delete netted ALM $1.7mm (sic) in revenue in 2014. It's also a complete lie. Users amost always pay by credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information they want removed," the hackers stated.

On the other hand, there also seems to be a moral element, with Impact Team referring to EM as "a prostitution/human trafficking website" and Ashley Madison's male users as "cheating dirtbags [who] deserve no such discretion".

In a statement, ALM said it has "successfully removed all the posts related to this incident as well as Personally Identifiable Information (PII) about users published online".

"Our team of forensics experts and security professionals, in addition to law enforcement, are continuing to investigate this incident and we will continue to provide updates as they become available," it added.

Culprits uncovered?

According to Brian Krebs, ALM's CEO, Noel Biderman declined to discuss the specifics of the investigation but told Krebs the incident "may have been the work of someone who at least one time had legitimate, inside access to the company's networks".

"We're on the doorstep of [confirming] who we believe is the culprit," Biderman told Krebs. "I've got their profile right here in front of me, all their work credentials. It was definitely a person here that was not an employee, but certainly had touched our technical services."

However, security researcher Graham Cluley told IT Pro: "It would certainly be surprising for any company which has been hacked to be able to assert with any confidence that it knew who had hacked its systems after such a short period of time."

"Even if a past contractor's login details had been used, that doesn't necissarily mean that it was that ex-contractor who accessed the system," he added.

Customer action

When it comes to potential ultimate victims, Ashley Madison's users, Cluley told IT Pro: "Clearly anyone who shared their details with Ashley Madison needs to be on their guard about unsolicited emails, and be aware that criminals might attempt to use the information for the purposes of fraud, embarrasment or blackmail."

Chris Boyd, malware intelligence analyst at Malwarebytes agreed, added: "With so many ways to exploit this data dump, from blackmail to trolling, it was always going to be a potential disaster waiting to happen - and with up to 37m people facing their information being laid bare, it's going to be quite a nervous start to the week for many."

The hack comes after 3.9 million users of adult hook-up site AdultFriendFinder had their details posted online, including their sexual orientations and sexual preferences, in an attack in May.

UPDATE: In response to the hack, Ashley Madison is now offering its full delete option free of charge.

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Evaluate your order-to-cash process

15 recommended metrics to benchmark your O2C operations

Download now

AI 360: Hold, fold, or double down?

How AI can benefit your business

Download now

Getting started with Azure Red Hat OpenShift

A developer’s guide to improving application building and deployment capabilities

Download now

Recommended

Pixlr data breach exposes over 1.9 million user records
data breaches

Pixlr data breach exposes over 1.9 million user records

22 Jan 2021
Capcom data breach adds another 40,000 estimated victims
data breaches

Capcom data breach adds another 40,000 estimated victims

13 Jan 2021
Parler suffers data leak before being taken offline
social media

Parler suffers data leak before being taken offline

12 Jan 2021
United Nations suffers potential data breach
data breaches

United Nations suffers potential data breach

11 Jan 2021

Most Popular

How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

21 Jan 2021
WhatsApp could face €50 million GDPR fine
General Data Protection Regulation (GDPR)

WhatsApp could face €50 million GDPR fine

25 Jan 2021
Trump pardons convicted ex-Google engineer Levandowski
intellectual property

Trump pardons convicted ex-Google engineer Levandowski

20 Jan 2021