July 19, 2015

Large caches of data stolen from online cheating site AshleyMadison.com have been posted online by an individual or group that claims to have completely compromised the company’s user databases, financial records and other proprietary information. The still-unfolding leak could be quite damaging to some 37 million users of the hookup service, whose slogan is “Life is short. Have an affair.”

The data released by the hacker or hackers — which self-identify as The Impact Team — includes sensitive internal data stolen from Avid Life Media (ALM), the Toronto-based firm that owns AshleyMadison as well as related hookup sites Cougar Life and Established Men.

Reached by KrebsOnSecurity late Sunday evening, ALM Chief Executive Noel Biderman confirmed the hack, and said the company was “working diligently and feverishly” to take down ALM’s intellectual property. Indeed, in the short span of 30 minutes between that brief interview and the publication of this story, several of the Impact Team’s Web links were no longer responding.

“We’re not denying this happened,” Biderman said. “Like us or not, this is still a criminal act.”

Besides snippets of account data apparently sampled at random from among some 40 million users across ALM’s trio of properties, the hackers leaked maps of internal company servers, employee network account information, company bank account data and salary information.

The compromise comes less than two months after intruders stole and leaked online user data on millions of accounts from hookup site AdultFriendFinder.

In a long manifesto posted alongside the stolen ALM data, The Impact Team said it decided to publish the information in response to alleged lies ALM told its customers about a service that allows members to completely erase their profile information for a $19 fee.

According to the hackers, although the “full delete” feature that Ashley Madison advertises promises “removal of site usage history and personally identifiable information from the site,” users’ purchase details — including real name and address — aren’t actually scrubbed.

“Full Delete netted ALM $1.7mm in revenue in 2014. It’s also a complete lie,” the hacking group wrote. “Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.”

Their demands continue:

“Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails. The other websites may stay online.”

A snippet of the message left behind by the Impact Team.

It’s unclear how much of the AshleyMadison user account data has been posted online. For now, it appears the hackers have published a relatively small percentage of AshleyMadison user account data and are planning to publish more for each day the company stays online.

“Too bad for those men, they’re cheating dirtbags and deserve no such discretion,” the hackers continued. “Too bad for ALM, you promised secrecy but didn’t deliver. We’ve got the complete set of profiles in our DB dumps, and we’ll release them soon if Ashley Madison stays online. And with over 37 million members, mostly from the US and Canada, a significant percentage of the population is about to have a very bad day, including many rich and powerful people.”

ALM CEO Biderman declined to discuss specifics of the company’s investigation, which he characterized as ongoing and fast-moving. But he did suggest that the incident may have been the work of someone who at least at one time had legitimate, inside access to the company’s networks — perhaps a former employee or contractor.

“We’re on the doorstep of [confirming] who we believe is the culprit, and unfortunately that may have triggered this mass publication,” Biderman said. “I’ve got their profile right in front of me, all their work credentials. It was definitely a person here that was not an employee but certainly had touched our technical services.”

As if to support this theory, the message left behind by the attackers gives something of a shout out to ALM’s director of security.

“Our one apology is to Mark Steele (Director of Security),” the manifesto reads. “You did everything you could, but nothing you could have done could have stopped this.”

Several of the leaked internal documents indicate ALM was hyper aware of the risks of a data breach. In a Microsoft Excel document that apparently served as a questionnaire for employees about challenges and risks facing the company, employees were asked “In what area would you hate to see something go wrong?”

Trevor Stokes, ALM’s chief technology officer, put his worst fears on the table: “Security,” he wrote. “I would hate to see our systems hacked and/or the leak of personal information.”

In the wake of the AdultFriendFinder breach, many wondered whether AshleyMadison would be next. As the Wall Street Journal noted in a May 2015 brief titled “Risky Business for AshleyMadison.com,” the company had voiced plans for an initial public offering in London later this year with the hope of raising as much as $200 million.

“Given the breach at AdultFriendFinder, investors will have to think of hack attacks as a risk factor,” the WSJ wrote. “And given its business’s reliance on confidentiality, prospective AshleyMadison investors should hope it has sufficiently, er, girded its loins.”

Update, 8:58 a.m. ET: ALM has released the following statement about this attack:

“We were recently made aware of an attempt by an unauthorized party to gain access to our systems. We immediately launched a thorough investigation utilizing leading forensics experts and other security professionals to determine the origin, nature, and scope of this incident.”

“We apologize for this unprovoked and criminal intrusion into our customers’ information. The current business world has proven to be one in which no company’s online assets are safe from cyber-vandalism, with Avid Life Media being only the latest among many companies to have been attacked, despite investing in the latest privacy and security technologies.”

“We have always had the confidentiality of our customers’ information foremost in our minds, and have had stringent security measures in place, including working with leading IT vendors from around the world. As other companies have experienced, these security measures have unfortunately not prevented this attack to our system.”

“At this time, we have been able to secure our sites, and close the unauthorized access points. We are working with law enforcement agencies, which are investigating this criminal act. Any and all parties responsible for this act of cyber-terrorism will be held responsible.”

“Avid Life Media has the utmost confidence in its business, and with the support of leading experts in IT security, including Joel Eriksson, CTO, Cycura, we will continue to be a leader in the services we provide. “I have worked with leading companies around the world to secure their businesses. I have no doubt, based on the work I and my company are doing, Avid Life Media will continue to be a strong, secure business,” Eriksson said.”


798 thoughts on “Online Cheating Site AshleyMadison Hacked”

  1. Wardog

    Honestly we are all fooling ourselves if we think our info is secure. I have been around the Internet for more than 25 years. We like to go to a website and think we are secure… Wrong answer obviously. Second: If your on a site to cheat on your wives or husband you get what you deserve. Third: Morals well at least roughly 40 million people don’t have them.

    1. TAM3E06

      Your and you’re. Learn the difference and learn how to use them correctly.

        1. Freddy needs a spelling lesson

          Off course it does.

        2. Mario

          Just a little beat …

          don’t you think? 🙂

      1. John Martinez

        “Your and You’re.” is not a sentence.

      2. CooloutAC

        I always laugh at these online grammar nazi’s, Because I imagine people doing that in a real life conversation…

        1. Soy Tenley

          I did notsee that coming.
          They are called puns.

    2. BS

      You and hackers seem moralists, but I’m pretty sure there’s more cheating on FB, messengers, or others social networks not dedicated to cheating.
      And don’t say it’s a matter of time for next sites, or you, with your “25 years of internet” will have your day too… cheating or not cheating 🙂

  2. Meza

    LOL I had to post this comment from Reddit.
    “Finally, after paying years of membership fees, and not getting one response…
    I’m finally getting Fucked!!!”

  3. Justin

    Ha Ha!! BURN baby BURN!! This company is done for! LMAO

  4. Robert.Walter

    “Life is short. Have an affair. Be dumb. Play with fire. Be busted. Get divorced. Be broke. Wonder if it was worth it.”

    TFIFY

    P.S. I do agree with the ALM CEO that the perps should be prosecuted.

    1. stine

      You don’t have to have had an affair, I didn’t, in order to get divorced and become broke.

      Also, are you suggesting that all CEOs go to jail when their user database gets hacked? Or only sites that you don’t like?

      1. Bobby Burgers

        Woah, you didn’t get the comment you’re replying to on many levels.

      2. markD

        Now that you mention it, bringing up a non-sequitur hypothetical so extreme that you aren’t even serious and wasting your own time as well as anyone else’s (because it is so obviously not what the person meant and you really couldn’t think of a good reason to type a comment), yes, all CEOs should go to jail.

      3. Dom

        He was referring to the CEO of Avid Life Media’s calls for the people who hacked his servers, stole his customer’s private information and who are now using the stolen information to extort the company into shutting down, to be arrested and tried for cyberterrorism. Which when you’re threatening to expose both the financial and personal of 3rd parties who had nothing to do with this, then you’re worse than the people who leaked the celebrity nudes last year, because this affects millions of people, not like 5.

  5. Phil

    As far as I can see the $19 service was not a scam, just incompetently implemented. They did delete the user data but they retained billing info relating to the payment of that charge, thus proving somebody paid to have their data deleted. Looks like they just didn’t think through the meaning of full erase.

    1. Rob

      How do you know all they held onto was the billing info and it was merely a poor implementation? Either you work for AM or you are making an assumption.

      Let’s pretend you work for AM and are correct, if a customer wanted their record wiped from the DB entirely, which is what they paid for, then why internalize the transaction record? It defeats the whole purpose of the fee and hence is a scam. You could argue that the company is lazy and needed to use their existing support infrastructure to handle inquiries about that billing on statements, which I highly doubt many of them are calling because they forgot they paid for it.

      But for those that did there should have been someone with access to the merchant account for those 19 dollar transactions to look it up there. Why else would someone pay a fee to have all their data fully deleted because not doing so wouldn’t involve any more labor than an automated query to wipe them from the DB.

      They should have at most been storing a username and the transaction id if anything for the rare need to look up inquiries. No reason to store the card info for a one time transaction.

      Bottom line I’m sure customers had the expectation there would be no trace that they ever had dealing with AM and AM knew that wouldn’t be true, even if at least by keeping record of the deletion service payment. That would be a scam imho because I’m sure if that was made clear to customers many would not have paid the fee. They paid expecting to be protected from such a leak by paying the fee only to find out that they weren’t – and a best case scenario being perhaps the amount of information on them being reduced, but their relationship with the site was still retained which is bad enough.

      I have no horse in this race since I’m not a member. But it’s kind of funny that people still put info they don’t want people to know in the hands of websites and not expect it to go public at some point. If you don’t want the world to know about something don’t say it or do it online. Eventually many things thought to be private will come out at some point either due to the insecurity of the user’s device or the platform itself.

      1. Jorge_C

        A sample of the data was released, I assume it must have included users who paid for this erasure service.

      2. Phil

        Don’t work for AM but my interpretation is strongly inferred from the below passage in the article, including a direct quote by the group. Basically the group has said that “their purchase details are not removed as promised”. Would expect the statement to mention other more sensitive data if that were not deleted as promised. Summary: piss poor implementation (and therefore probably breach of contract) but hardly a scam (intentional defrauding).

        Quote:
        According to the hackers, although the “full delete” feature that Ashley Madison advertises promises “removal of site usage history and personally identifiable information from the site,” users’ purchase details — including real name and address — aren’t actually scrubbed.

        “Full Delete netted ALM $1.7mm in revenue in 2014. It’s also a complete lie,” the hacking group wrote. “Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.”

      3. Phil

        Don’t work for AM but the below quotes from the article, including the statement from the group, strongly support the conclusion that they did at least try to delete the user data but kept “purchase details”. If the Full Delete retained anything more than these details then that would have been highlighted in the Impact Team statement. Basically: most likely half-arsed implementation (maybe even breach of contract) but unlikely a scam (intentional defrauding).

        Quote:
        According to the hackers, although the “full delete” feature that Ashley Madison advertises promises “removal of site usage history and personally identifiable information from the site,” users’ purchase details — including real name and address — aren’t actually scrubbed.

        “Full Delete netted ALM $1.7mm in revenue in 2014. It’s also a complete lie,” the hacking group wrote. “Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.”

      4. mz

        The greed is what got them here. All they had to do was erase data for everyone and keep only the info that you said. Everybody is moralising on the cheating aspect. My thing is customer data should be protected at all costs. If a company says they are providing a service then that’s what they should be doing.

        1. Phil

          Totally agree, they have clearly failed to protect customer privacy and that is made much, much worse by the fact that they charge for a service that should be provided for free. The fee seems little more than a ransom charged to people who are scared of being found out.

      5. Dom

        There are legal requirements for companies to keep customer data for set amounts of time and the record of payment for any service needs to be kept along with at least some identifying information to comply with international anti-money laundering laws. Sure keeping them on an online server isn’t necessary but it’s cheaper. If you’re a business who throws out payment records on the request of a customer you may find yourself in trouble with the IRS or INTERPOL.

  6. Homunculus

    I don’t agree with this hack at all. If you want to hit these sites, then sue them for facilitating the destruction of your marriage. It’s called “alienation of affection” and it’s a very real thing.

    1. RBBrittain

      Most states have abolished alienation of affection as essentially implying a man “owns” his wife; at common law it was only available if the woman cheated, NOT the man. (IIRC only Mississippi allows a cheating husband to be sued.)

    2. Pearly

      Either way works as long as AM goes to hell, ALM with it. Speaking for all the children of families broken by adultery.

      1. J

        Yes, adultery is bad for families. I am not sure what the website has to do with it? I didn’t see this website and think, “Oh, I think I will cheat now that this website is available”. Don’t use the website as a smokescreen for people who make these decisions.

        1. C

          Web sites don’t cause people to cheat. People cause it themselves.

      2. nooneyouknow

        My, my, you holy rollers certainly do judge a lot for someone that follows a mythology which states “Judge not, lest ye be judged”.

  7. gigimt

    Would love to go through User data…would be interesting to see if I know any of people that registered on the website…is there data sample anywhere on the web?

    1. markD

      Yeah? You sure you want to know? What if it’s your wife (dad, mom, girlfriend, priest, best friend’s mom, priest)?

  8. Tom

    My money is on a disgruntled insider. Someone probably was getting screwed on what they were owed, or thought they were owed or stock options or something with the IPO. Timing with the ipo makes me think someone thought they were getting a raw deal. If their opsec was bad enough to let an outsider get all of this knowing what a target this data would be and after seeing it happen to AFF then this is kind of digital natural selection at work.

  9. Xx

    How couldn’t have AM expected this after the recent AFF hack. Incompetence is an understatement. /facepalm

  10. PresComm

    Well, fantastic.

    I actually have a fake profile on many popular adult/gambling/download portal/etc. websites that are tied to a fake e-mail address… and that includes Ashley Madison. I will keep a close eye on that inbox to see if I get anything juicy like phishing attempts or the like.

  11. Susan

    I would be more impressed if these folks would target kiddie porn websites – take those down and turn the info over.

  12. Dan

    That’s what I’d call a worthy hacking. Serves any scumbag right that belongs to that site.

  13. Junito

    Who goes to a dating site, post real name and actual pictures of themselves. If you get busted or info stolen, then you deserve it.

    1. Anon

      What sort of person goes on a dating site where real pictures are expected, and thinks “you know, I think I should leave my real appearance as a surprise!”?

      Because nothing says romance like you turning up in person and having a completely different appearance to the one you advertised. And being really super-secretive about your identity would never ever raise massive red-flags to a complete stranger meeting you alone for the first time…

      As for real names – that’s culled from the payment system, not being plastered to the whole world.

      Some personal details will be sucked from chat-logs; but then I’m guessing you refer to friends and acquaintances by their real names in IMs on occasion, unless you’re super-paranoid.

  14. Martin

    I’m wondering why this group is targeting this website? What motive would they have to want to see it taken down? If that’s even the goal in the first place. Most people wouldn’t care if they took it offline or not. Just to post everyone’s dirty laundry seems like it would be the ideal regardless. There are going to be a lot of suspicious spouses checking into this once it hits. And I think it will be leaked even if they do go out of business. I seriously doubt a sleazy company like this will give a rip about their clients’ info anyway. All I say is that they ought to feature a search option for names once this goes public.

    1. Chriz

      Oh yeah, I can’t imagine how many private investigators would love to have this list.

  15. chuck fonta

    I tell my “Introduction To PCs” students:
    Don’t put anything on the internet that you wouldn’t put on a billboard on Rt 128!
    BTW, Rt 128 is a major commuter highway which goes around Boston. Remember: clouds don’t have skins, whether they are in the sky or on some internet server.

  16. goyscript wpa2

    hacked team, the deal of dark knights

  17. J

    Wow, lots of morality and legal issues here. I don’t care if people cheat. Whatever. I don’t really care about hackers, although it is illegal. I am sure there is a possibility of human trafficking involved with these websites. Directly? Indirectly is more likely. I hope the hackers are doing this because of the human trafficking possibility? If they are doing to show people cheat, that is a whole lot of “I don’t care”.

  18. Brian Dane

    There is a reason Banks and Credit Cards offer zero liability to their customers, this kind of things happen all the time, This however is Karma at work Cheaters.

  19. gary

    Where is the offer for free credit monitoring?

    1. Robert.Walter

      At least they didn’t utter the obligatory “your security is our utmost priority”. I have to say that I’m also impressed by the frankness and honesty in confirming the breach and their failure to prevent it; more circumspect companies could take a lesson in using similar straight talk.

  20. Chip Douglas

    Gee Wally, why didn’t these people just go to a darkly lit bar some place.

  21. Mahhn

    LOL, HA HA HA HA HA HA.
    Fricking AWESOME.
    This is a great year, Hackers get hacked, Cheaters get cheated.
    How to top this off? 5 months to go, hope we get more like this.
    Maybe the NSA or its overseers getting busted for insider trading with spy data, or a pesticide company document acknowledging they cause neurological disorders in children and CEOs hid it for financial gain. Just guessing.
    Information just wants to be freeeeeee.

  22. Steve

    I agree with Aumsed, morality aside whether this website was selling bananas or widgets or was and supporting the Red Cross it was hacked. Data was stolen, a company’s business was impacted and damage was done all for greed; and to gloat look how good I am. What next lets hack America defence and fire off a few nukes so we can brag about it down the pub; it scares the berjebus out of me

  23. Dave

    Good thing I never gave them a credit card or filled out that profile. They’re going to find my info pretty boring.

  24. Larry

    Credit card and other financial transactions probably have to be kept for 7 years for tax audit purposes.

    1. Charles McGuinness

      A stack of paper receipts which are shredded at the end of their retention period work well for that, and cannot be downloaded over the net…

  25. john dee

    I joined the site and am totally single. As for all the “cheaters”, the only ones being cheated are them. The site, like most of them, is a scam. Also, like most of them, the site is based outside the country, places like Canada, Cyprus, or Antigua, so that it’s tougher to legally get at them. Unfortunately for them, hackers don’t have boundaries. The site posts fake, stolen profile pictures of so-called members, mostly from porn sites, along with a fake phone number and email address, and then they charge you to contact them. After that, you either get a 3 word, computer generated response, like “Hey what’s up?”, or a computer board operator contacts you, posing as one of the fake profile pictures, but nothing ever happens. Contacted over 120 people and never encountered a real person. Nothing but robot accounts. How many people will go to the police to admit to being ripped off by a hooker, but then, later on when they see that she was arrested for loitering, they say “It’s about time someone does something”. Exactly. This is about the same thing, so all you clowns can rest easy. None of your holy marriages are being bothered, and everyone’s getting what they deserve.

  26. Tommy

    And so it goes, next week zombie apocalypse.

  27. DJGANDO

    Susan,

    The reason you don’t hear about these miscreants taking down kiddie porn sites is that they are the same ones who probably host them. If you read Krebs Spam Nation, you will learn a lot about these guys.

    Shout out to Brian. 🙂

  28. Lenny

    I just went to the AM website and there is no mention of the breach. Pretty bad when they don’t notify users that their personal info is compromised.

    They have banners touting their security awards, SSL, padlock, 100% discreet service.

    Cheaters suck. Quit being a coward and leave.

  29. Knightfall

    I am sensing a lot of comments as well as the hackers are targeting the cheating men specifically…now, I am not a member of this site, but aren’t there cheating women as well (in order to make this work I mean)? Are we not appalled by them and wish to see them get what they deserve as well – all the fire and brimstone stuff…?
