Last month, KrebsOnSecurity posted an exclusive story about emails leaked from AshleyMadison that suggested the company’s former chief technology officer Raja Bhatia hacked into a rival firm in 2012. Now, an attorney for the former executive is threatening a libel lawsuit against this author unless the story is retracted.
According to Bhatia’s attorney, the part of the story they consider defamatory has to do with the headline of the piece, and this bit:
“A review of those missives shows that on at least one occasion, a former company executive hacked another dating website, exfiltrating their entire user database. On Nov. 30, 2012, Raja Bhatia, the founding chief technology officer of AshleyMadison.com, sent a message to Biderman notifying his boss of a security hole discovered in nerve.com, an American online magazine dedicated to sexual topics, relationships and culture.
At the time, nerve.com was experimenting with its own adult dating section, and Bhatia said he’d uncovered a way to download and manipulate the nerve.com user database.
“They did a very lousy job building their platform. I got their entire user base,” Bhatia told Biderman via email, including in the message a link to a Github archive with a sample of the database. “Also, I can turn any non paying user into a paying user, vice versa, compose messages between users, check unread stats, etc.”
Libel lawsuits in the United States are usually quite difficult and expensive for the plaintiff to win. But in Canada — where Bhatia’s attorney and AshleyMadison’s parent company Avid Life Media are headquartered — the libel laws are more complex for defendants. For example, according to my consultation with a prominent Canadian digital media attorney, the onus there is on the accused to prove the disputed libelous claims are in fact true.
Nevertheless, I have no intention of posting a retraction or correcting any elements of this story. But I’m publishing a copy of the letter (PDF) from Bhatia’s lawyer in the likely event that other publications have also received libel and defamation threats from AshleyMadison and/or its current and former employees.

It’s not libelous to report facts.
The content of Bhatia’s email originated with Bhatia, unless it’s a forgery.
I’d say, stay out of Canada and you should be ok.
In the attached PDF, it does not appear that the attorney ever claims the email thread was a forgery. On the contrary, I get the impression from the attorney’s letter that the emails are in fact real and they point out that some of the email was omitted.
If the emails were forged, that would be the first thing they claimed.
I’d say Bhatia had better stay out of the USA. A Canadian national hacking a US-based business is an international cybercrime. If those discovered facts can be substantiated to the point of legal soundness then Bhatia could face criminal prosecution from DHS. Bhatia’s threat against Brian could become another grand example of the “Streisand Effect.”
We have a question of fact here, don’t we? Naymark says “Mr. Bhatia ceased to work at Avid Life in 2009.” You say “On Nov. 30, 2012, Raja Bhatia, the founding chief technology officer of AshleyMadison.com, sent a message to Biderman notifying his boss …”
Those two assertions are in conflict, right?
He’s identified as a former AshleyMadison employee in the story. Also, one can be the founding CTO and still not work at the company anymore. In any case Bhatia by his own admission in my stories was working as a contractor for AshleyMadison when this story was written.
If he didn’t work at the company any more, he wasn’t sending a message to “his boss.” But (in my non-expert opinion) working as a contractor probably covers you.
“I got their entire user base” and “I can change a non-paying customer into a paying customer” sounds like an admission of theft.
A civilized person would have stopped at “I found they built a lousy platform”.
Letter claims that Bhatia was not employed by AvidLife or Ashley-Madison when the letter was sent. Is that accurate?
Otherwise…did not “bulk exfiltrate”? Yeah, because it’s not hacking if you only exfiltrate a few records, right?
And of course he had to have exfiltrated *some* data to know what he’d found and that the hole was legit. Said exfiltration absolutely *is* hacking. A lawyer could try to claim it’s not black-hat, but Krebs’ description of it as hacking is 100% accurate.
I’m pretty sure that Krebs, seasoned journalist that he is, is very careful about what he puts in print, and how he characterizes it. To me, this is simply a legal ploy to try and scare our Krebs off. Good luck with that! Eh, you hosers, eh?
One assumes that Bhatia has never heard of the “Streisand Effect”
I don’t think Brian should retract the story. This probably helps Brian because now he can have more fuel and adrenaline to continue the fight for the truth. It is just the character of anyone associated with Ashley Madison to follow its culture of lying and continuing to lie to sustain those original lies, just like the flow of the site itself.
Unfortunately, it is often the case that the winning side in a libel action is the one that can throw the most money at it.
Interesting development, Brian. Please keep your reader/community informed about new developments, as I doubt it will appreciate ham-handed attempts to silence you.
On the merits, I’d love to know what Nerve.com has to say about all this, and what it is planning to do. Github also might have data and metadata that could clarify what happened. Nerve might want to issue a record preservation letter to Github. It would also be interesting to know if Bhatia’s counsel has already asked Github to preserve records — NOT asking would speak volumes about Bhatia’s motivation.
I’ve helped bloggers threatened by this company before, with success. I help threatened bloggers in general. Feel free to reach out.
Ken White
Popehat.com
God I can’t stand lawyers. They are right there with bartenders, jizz moppers and child molesters on the social scale. They’re worse than 9/11. I hope you can somehow counter this and stick it up the lawyer’s briefs until paper flies out of his mouth. Godspeed Young Krebs.
Brian, looks to me like you don’t have to prove anything he did, just what was emailed. And that should be simple, no?
Good luck, and stick to your principles!
I sent this article along to Ken over at my other favorite blog Popehat. Hopefully he gets in touch, this is right up his alley.
Exploiting “a readily apparent security gap” or “readily apparent inadequacy in the site’s security” sure sounds like hacking to me.
The letter claims he was not working for AM. Acting as a contractor would appear to count as working for them. In either event, you clearly identify him as “a former company executive” the first time you mention him. Hard to see how a reader could be misled about his status with the company.
One problem with suing is the so-called Streisand Effect – the lawsuit just brings more attention to the issue.