Ashley Madison, a website that describes itself as "the world's leading extra-marital dating site" has suffered a massive data breach, which has allegedly compromised the details of all 37 million of the site's users.
The site, which in January claimed to have seen "a membership spike 621 per cent higher than the UK daily average of new sign-ups", is owned by Avid Life Media (ALM), which also owns hook-up sites Established Men (EM) and Cougar Life.
The hack has been claimed by a group called The Impact Team, which left a message on the Ashley Madison website stating: "We have taken over all systems in your entire office and production domains, all customer information databases, source code repositories, financial records, emails."
"Trevor [Stokes], ALM's CTO once said 'protection of personal information' was his biggest 'critical success factors' and 'would hate to see our systems hacked and/or the leak of personal information," the message continued.
"Well Trevor, welcome to your worst ... nightmare. We are the Impact Team. We have hacked them completely."
According to security researcher Brian Krebs, it is "unclear how much of the AshleyMadison (sic) user data has been posted online".
"For now, it appears the hackers have published a relatively small percentage of AshleyMadison (sic) user account data and are planning to publish more for each day the company stays online," he added.
Motive
The motivation for the attack seems to be twofold. On the one hand, the hackers seem to have targeted the firm because it allegedly failed to fully delete user data, despite charging for this service.
"Full Delete netted ALM $1.7mm (sic) in revenue in 2014. It's also a complete lie. Users amost always pay by credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information they want removed," the hackers stated.
On the other hand, there also seems to be a moral element, with Impact Team referring to EM as "a prostitution/human trafficking website" and Ashley Madison's male users as "cheating dirtbags [who] deserve no such discretion".
In a statement, ALM said it has "successfully removed all the posts related to this incident as well as Personally Identifiable Information (PII) about users published online".
"Our team of forensics experts and security professionals, in addition to law enforcement, are continuing to investigate this incident and we will continue to provide updates as they become available," it added.
Culprits uncovered?
According to Brian Krebs, ALM's CEO, Noel Biderman declined to discuss the specifics of the investigation but told Krebs the incident "may have been the work of someone who at least one time had legitimate, inside access to the company's networks".
"We're on the doorstep of [confirming] who we believe is the culprit," Biderman told Krebs. "I've got their profile right here in front of me, all their work credentials. It was definitely a person here that was not an employee, but certainly had touched our technical services."
However, security researcher Graham Cluley told IT Pro: "It would certainly be surprising for any company which has been hacked to be able to assert with any confidence that it knew who had hacked its systems after such a short period of time."
"Even if a past contractor's login details had been used, that doesn't necissarily mean that it was that ex-contractor who accessed the system," he added.
Customer action
When it comes to potential ultimate victims, Ashley Madison's users, Cluley told IT Pro: "Clearly anyone who shared their details with Ashley Madison needs to be on their guard about unsolicited emails, and be aware that criminals might attempt to use the information for the purposes of fraud, embarrasment or blackmail."
Chris Boyd, malware intelligence analyst at Malwarebytes agreed, added: "With so many ways to exploit this data dump, from blackmail to trolling, it was always going to be a potential disaster waiting to happen - and with up to 37m people facing their information being laid bare, it's going to be quite a nervous start to the week for many."
The hack comes after 3.9 million users of adult hook-up site AdultFriendFinder had their details posted online, including their sexual orientations and sexual preferences, in an attack in May.
UPDATE: In response to the hack, Ashley Madison is now offering its full delete option free of charge.
