Ashley Madison hack steals 37 million cheaters' details

The Impact Team attackers claim to have full customer and employee databases

Ashley Madison, a website that describes itself as "the world's leading extra-marital dating site" has suffered a massive data breach, which has allegedly compromised the details of all 37 million of the site's users.

The site, which in January claimed to have seen "a membership spike 621 per cent higher than the UK daily average of new sign-ups", is owned by Avid Life Media (ALM), which also owns hook-up sites Established Men (EM) and Cougar Life.

The hack has been claimed by a group called The Impact Team, which left a message on the Ashley Madison website stating: "We have taken over all systems in your entire office and production domains, all customer information databases, source code repositories, financial records, emails."

"Trevor [Stokes], ALM's CTO once said 'protection of personal information' was his biggest 'critical success factors' and 'would hate to see our systems hacked and/or the leak of personal information," the message continued.

"Well Trevor, welcome to your worst ... nightmare. We are the Impact Team. We have hacked them completely."

According to security researcher Brian Krebs, it is "unclear how much of the AshleyMadison (sic) user data has been posted online".

"For now, it appears the hackers have published a relatively small percentage of AshleyMadison (sic) user account data and are planning to publish more for each day the company stays online," he added.

Motive

The motivation for the attack seems to be twofold. On the one hand, the hackers seem to have targeted the firm because it allegedly failed to fully delete user data, despite charging for this service.

"Full Delete netted ALM $1.7mm (sic) in revenue in 2014. It's also a complete lie. Users amost always pay by credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information they want removed," the hackers stated.

On the other hand, there also seems to be a moral element, with Impact Team referring to EM as "a prostitution/human trafficking website" and Ashley Madison's male users as "cheating dirtbags [who] deserve no such discretion".

In a statement, ALM said it has "successfully removed all the posts related to this incident as well as Personally Identifiable Information (PII) about users published online".

"Our team of forensics experts and security professionals, in addition to law enforcement, are continuing to investigate this incident and we will continue to provide updates as they become available," it added.

Culprits uncovered?

According to Brian Krebs, ALM's CEO, Noel Biderman declined to discuss the specifics of the investigation but told Krebs the incident "may have been the work of someone who at least one time had legitimate, inside access to the company's networks".

"We're on the doorstep of [confirming] who we believe is the culprit," Biderman told Krebs. "I've got their profile right here in front of me, all their work credentials. It was definitely a person here that was not an employee, but certainly had touched our technical services."

However, security researcher Graham Cluley told IT Pro: "It would certainly be surprising for any company which has been hacked to be able to assert with any confidence that it knew who had hacked its systems after such a short period of time."

"Even if a past contractor's login details had been used, that doesn't necissarily mean that it was that ex-contractor who accessed the system," he added.

Customer action

When it comes to potential ultimate victims, Ashley Madison's users, Cluley told IT Pro: "Clearly anyone who shared their details with Ashley Madison needs to be on their guard about unsolicited emails, and be aware that criminals might attempt to use the information for the purposes of fraud, embarrasment or blackmail."

Chris Boyd, malware intelligence analyst at Malwarebytes agreed, added: "With so many ways to exploit this data dump, from blackmail to trolling, it was always going to be a potential disaster waiting to happen - and with up to 37m people facing their information being laid bare, it's going to be quite a nervous start to the week for many."

The hack comes after 3.9 million users of adult hook-up site AdultFriendFinder had their details posted online, including their sexual orientations and sexual preferences, in an attack in May.

UPDATE: In response to the hack, Ashley Madison is now offering its full delete option free of charge.

Featured Resources

How to scale your organisation in the cloud

How to overcome common scaling challenges and choose the right scalable cloud service

Download now

The people factor: A critical ingredient for intelligent communications

How to improve communication within your business

Download now

Future of video conferencing

Optimising video conferencing features to achieve business goals

Download now

Improving cyber security for remote working

13 recommendations for security from any location

Download now

Recommended

Microsoft and FireEye push for corporate breach reporting rules
data protection

Microsoft and FireEye push for corporate breach reporting rules

24 Feb 2021
Four tips for keeping your business secure during mass remote work
data protection

Four tips for keeping your business secure during mass remote work

19 Feb 2021
Kia Motors allegedly suffers a ransomware attack
data breaches

Kia Motors allegedly suffers a ransomware attack

18 Feb 2021
Donald Trump’s one-time law firm allegedly suffers data breach
data breaches

Donald Trump’s one-time law firm allegedly suffers data breach

17 Feb 2021

Most Popular

How to connect one, two or more monitors to your laptop
Laptops

How to connect one, two or more monitors to your laptop

25 Feb 2021
How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

26 Feb 2021
Ransomware operators are exploiting VMware ESXi flaws
ransomware

Ransomware operators are exploiting VMware ESXi flaws

1 Mar 2021