Large caches of data stolen from online cheating site AshleyMadison.com have been posted online by an individual or group that claims to have completely compromised the company’s user databases, financial records and other proprietary information. The still-unfolding leak could be quite damaging to some 37 million users of the hookup service, whose slogan is “Life is short. Have an affair.”
The data released by the hacker or hackers — which self-identify as The Impact Team — includes sensitive internal data stolen from Avid Life Media (ALM), the Toronto-based firm that owns AshleyMadison as well as related hookup sites Cougar Life and Established Men.
Reached by KrebsOnSecurity late Sunday evening, ALM Chief Executive Noel Biderman confirmed the hack, and said the company was “working diligently and feverishly” to take down ALM’s intellectual property. Indeed, in the short span of 30 minutes between that brief interview and the publication of this story, several of the Impact Team’s Web links were no longer responding.
“We’re not denying this happened,” Biderman said. “Like us or not, this is still a criminal act.”
Besides snippets of account data apparently sampled at random from among some 40 million users across ALM’s trio of properties, the hackers leaked maps of internal company servers, employee network account information, company bank account data and salary information.
The compromise comes less than two months after intruders stole and leaked online user data on millions of accounts from hookup site AdultFriendFinder.
In a long manifesto posted alongside the stolen ALM data, The Impact Team said it decided to publish the information in response to alleged lies ALM told its customers about a service that allows members to completely erase their profile information for a $19 fee.
According to the hackers, although the “full delete” feature that Ashley Madison advertises promises “removal of site usage history and personally identifiable information from the site,” users’ purchase details — including real name and address — aren’t actually scrubbed.
“Full Delete netted ALM $1.7mm in revenue in 2014. It’s also a complete lie,” the hacking group wrote. “Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.”
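The failure mode the manifesto describes is a deletion routine that only clears the tables the user can see while billing records, which carry the real name and address, survive untouched. The following is an added illustration, not ALM's code and not based on any knowledge of its systems: a constructed two-table SQLite schema (`profiles` and `purchases` are hypothetical), a naive delete that misses the purchase rows, a corrected delete that tombstones the PII in billing rows while keeping the amounts, and a verification check that sweeps every table keyed by `user_id` for the user's known PII strings. The check is the part worth keeping: a "full delete" claim should be tested against the whole data store, not the profile table alone.

```python
import sqlite3

# Constructed, hypothetical schema for illustration only. Two tables hold PII
# about one user: the profile (what the user sees) and the card purchase
# record (what billing keeps).
SCHEMA = """
CREATE TABLE profiles (user_id INTEGER PRIMARY KEY, handle TEXT, bio TEXT);
CREATE TABLE purchases (id INTEGER PRIMARY KEY, user_id INTEGER,
                        real_name TEXT, address TEXT, amount_cents INTEGER);
"""

# Constructed sample data; "Alice Example" is a placeholder, not a real user.
SAMPLE_PII = {"anon42", "Alice Example", "1 Main St"}


def make_db():
    """Build an in-memory database with one user and one purchase."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO profiles VALUES (1, 'anon42', 'looking around')")
    conn.execute(
        "INSERT INTO purchases VALUES (1, 1, 'Alice Example', '1 Main St', 1900)"
    )
    conn.commit()
    return conn


def naive_full_delete(conn, user_id):
    """Deletes only what the user sees; billing rows keep name and address."""
    conn.execute("DELETE FROM profiles WHERE user_id = ?", (user_id,))
    conn.commit()


def full_delete(conn, user_id):
    """Removes the profile and replaces PII in billing rows with a tombstone.

    The amount stays so accounting still balances; the identifying fields go.
    """
    conn.execute("DELETE FROM profiles WHERE user_id = ?", (user_id,))
    conn.execute(
        "UPDATE purchases SET real_name = '[deleted]', address = '[deleted]' "
        "WHERE user_id = ?",
        (user_id,),
    )
    conn.commit()


def pii_remaining(conn, user_id, known_pii):
    """Sweep every table that has a user_id column for the user's known PII.

    Returns a list of (table, column) pairs where a known PII string is still
    stored; an empty list means the deletion really was complete. Table names
    come from sqlite_master, not from user input, so interpolating them into
    the SQL text here is safe.
    """
    hits = []
    tables = [
        r[0]
        for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")
    ]
    for table in tables:
        cols = [r[1] for r in conn.execute(f"PRAGMA table_info({table})")]
        if "user_id" not in cols:
            continue
        rows = conn.execute(
            f"SELECT * FROM {table} WHERE user_id = ?", (user_id,)
        ).fetchall()
        for row in rows:
            for col, val in zip(cols, row):
                if isinstance(val, str) and val in known_pii:
                    hits.append((table, col))
    return hits


if __name__ == "__main__":
    db = make_db()
    naive_full_delete(db, 1)
    print("after naive delete:", pii_remaining(db, 1, SAMPLE_PII))

    db = make_db()
    full_delete(db, 1)
    print("after full delete:", pii_remaining(db, 1, SAMPLE_PII))
```

Run as a script it reports the two leftover billing columns after the naive delete and an empty list after the corrected one. In a real system the sweep would also have to cover backups, logs, analytics exports and the payment processor's copy, none of which a single database query can see.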
Their demands continue:
“Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails. The other websites may stay online.”
It’s unclear how much of the AshleyMadison user account data has been posted online. For now, it appears the hackers have published a relatively small percentage of AshleyMadison user account data and are planning to publish more for each day the company stays online.
“Too bad for those men, they’re cheating dirtbags and deserve no such discretion,” the hackers continued. “Too bad for ALM, you promised secrecy but didn’t deliver. We’ve got the complete set of profiles in our DB dumps, and we’ll release them soon if Ashley Madison stays online. And with over 37 million members, mostly from the US and Canada, a significant percentage of the population is about to have a very bad day, including many rich and powerful people.”
ALM CEO Biderman declined to discuss specifics of the company’s investigation, which he characterized as ongoing and fast-moving. But he did suggest that the incident may have been the work of someone who at least at one time had legitimate, inside access to the company’s networks — perhaps a former employee or contractor.
“We’re on the doorstep of [confirming] who we believe is the culprit, and unfortunately that may have triggered this mass publication,” Biderman said. “I’ve got their profile right in front of me, all their work credentials. It was definitely a person here that was not an employee but certainly had touched our technical services.”
As if to support this theory, the message left behind by the attackers gives something of a shout-out to ALM’s director of security.
“Our one apology is to Mark Steele (Director of Security),” the manifesto reads. “You did everything you could, but nothing you could have done could have stopped this.”
Several of the leaked internal documents indicate ALM was hyperaware of the risks of a data breach. In a Microsoft Excel document that apparently served as a questionnaire for employees about challenges and risks facing the company, employees were asked “In what area would you hate to see something go wrong?”
Trevor Stokes, ALM’s chief technology officer, put his worst fears on the table: “Security,” he wrote. “I would hate to see our systems hacked and/or the leak of personal information.”
In the wake of the AdultFriendFinder breach, many wondered whether AshleyMadison would be next. As the Wall Street Journal noted in a May 2015 brief titled “Risky Business for AshleyMadison.com,” the company had voiced plans for an initial public offering in London later this year with the hope of raising as much as $200 million.
“Given the breach at AdultFriendFinder, investors will have to think of hack attacks as a risk factor,” the WSJ wrote. “And given its business’s reliance on confidentiality, prospective AshleyMadison investors should hope it has sufficiently, er, girded its loins.”
Update, 8:58 a.m. ET: ALM has released the following statement about this attack:
“We were recently made aware of an attempt by an unauthorized party to gain access to our systems. We immediately launched a thorough investigation utilizing leading forensics experts and other security professionals to determine the origin, nature, and scope of this incident.”
“We apologize for this unprovoked and criminal intrusion into our customers’ information. The current business world has proven to be one in which no company’s online assets are safe from cyber-vandalism, with Avid Life Media being only the latest among many companies to have been attacked, despite investing in the latest privacy and security technologies.”
“We have always had the confidentiality of our customers’ information foremost in our minds, and have had stringent security measures in place, including working with leading IT vendors from around the world. As other companies have experienced, these security measures have unfortunately not prevented this attack to our system.”
“At this time, we have been able to secure our sites, and close the unauthorized access points. We are working with law enforcement agencies, which are investigating this criminal act. Any and all parties responsible for this act of cyber–terrorism will be held responsible.”
“Avid Life Media has the utmost confidence in its business, and with the support of leading experts in IT security, including Joel Eriksson, CTO, Cycura, we will continue to be a leader in the services we provide.” “I have worked with leading companies around the world to secure their businesses. I have no doubt, based on the work I and my company are doing, Avid Life Media will continue to be a strong, secure business,” Eriksson said.
“and said the company was “working diligently and feverishly” to take down ALM’s intellectual property.”
Maybe they should have been working diligently and feverishly to protect their systems in the first place.
Once the data is out there, there’s no taking it down.
Take it down means close the business. They are not going to close their business, period. Users are just tools for them to make money. They’ll salvage their tools.
For all you holier-than-thou types out there, I’m guessing that there are plenty of consenting adults in open/non-monogamous relationships out there who make use of AM (and sites like it) with the full knowledge and consent of their partners. Sure, AM is used by a lot of scumbags, but it’s naive and stupid to think that every. single. member deserves to be doxxed. I can’t help feeling like the ‘Impact Team’ is trying to impose its own rigid set of morals on the entire populace of the Internet. F you guys. I’m with Susan – take down a few kiddie porn websites, would you? That, at least, would be worthwhile.
@David- thank you. There’s at least one. Me. I also know that I’m not alone.
If that’s the case, you’ve got nothing to worry about since your partner already knows.
And what about her parents?
Is he hooking up with them too?
Individually, or as a group?
And your boss. And her boss. And all of your friends. And your grandma.
The trope promulgated by people like Google CEO Eric Schmidt that secrets are for dirty people is self-serving horse manure. Google, Facebook, etc. *profit* by your life being an open book. They want you inured to the notion that not only is there no such thing as privacy, but that you don’t deserve it. But, the reality is that there are things that adults should be able to, morally, legally, and ethically, keep private.
Having an affair is not one of them.
Actually engaging in a discreet affair is a private, personal decision which is within the rights of a person to keep secret. 🙂
Google already knows what (almost) all of my sexual peccadillos are, as does the NSA. Methinks the entire concept of personal privacy and its corollaries, personal secrets, hidden desires, and the attendant deception of maintaining social relationships that are at odds with these, will be reexamined. We will just have to be less phony. I can’t be blackmailed if my pants are always down anyway.
And be careful what you wish for, Impact Team. Letting all the skeletons out of the closet does not mean they will go away, in fact they just may rise up and take over. When you wake up to how little impact your ‘moral’ system has had after thousands of years, your day may not go very well either.
Forget it. Google already knows all, and so does the NSA, and soon so will FaceBook. We’ll just have to be less phony and more honest.
Unfortunately for him, Sarah, and for others like him, while his partner may know, his co-workers, extended family, friends, etc. may not know.
Not to mention complete strangers mining the data to target phishing attempts or banking fraud, potentially identity theft, etc.
Again, why worry if they aren’t doing anything wrong.
Can we assume you haven’t done anything wrong? OK… post your full name, address, and a credit card number here.
Because not everyone wants their parents, aunty, neighbours, boss, stalkers, identity-stealing criminals and the mailman’s dog to know what they get up to in the bedroom with their spouse and a compliant third, on the grounds that privacy is a basic human right, as laid out in the European Convention on Human Rights for one.
There are things that we do in our private life that we do not think are wrong, but they may not help in doing business. There are personal things about my beliefs that may not jibe with my customers. It doesn’t mean that I think my beliefs are wrong, it is just that I don’t want that to be a deciding factor on whether or not I do business with customers.
People may be using this site with their partner’s consent; however, that doesn’t mean that their boss, coworkers, clients, etc. would approve.
The issue isn’t that his girlfriend or wife is going to find out. The issue is that his financial and personal information might be compromised.
His partner may know, but does that justify the public release of the information? Do you air your sexual habits/preferences/etc. to your neighbors, co-workers, boss, KIDS? Just because you and your partner are OK with what you’ve decided to do in your private life does not excuse or validate or permit the public dissemination of this PRIVATE information.
The Register has a good headline today on this story:
“Ashley Madison hacked: Site for people who can’t be trusted can’t be trusted”
Whether consenting or not, they all deserve to be publicly shamed.
Please re-read what you posted.
I absolutely agree Karma!
@David… or, maybe someone in “Impact Team” was not happy with their own AM “affair”.
I don’t use AM or AFF but doesn’t it take two to tango? Why do the hackers mention “DB men” only?
I agree that there’s a morality judgement being made here, if not peeved spouses that are cheated on who are retaliating illegally.
2 wrongs don’t make a right, but the hackers seem to think so.
Well, then those non-scumbags have nothing to fear. The other 30 million, well….
Judgmental little bastards, aren’t they?
Also, a significant portion of Krebs commentors.
Unless you’ve been in another man’s shoes, don’t judge him. Period. Ever.
So, just because you have different circumstances makes CHEATING okay? You are pathetic and have zero sense of personal accountability and not a shred of honor. Scum.
Please at least release the names. Many of us are stuck in bad marriages and the only way to get out is to prove adultery. This will free so many people. Please release the customer names. Please.
Stuck in marriages? With no-fault divorce the law in all 50 states, no one has to prove anything. If you’re unhappy, get a divorce. Just keep it fair and amicable, especially if you have children together.
Given that the poster’s name is Jeff, a traditionally male name, the subtext to his post is that there are many male spouses who can’t get a divorce *for free.* I.e. if a man can prove his wife cheated, he won’t be obligated to pay spousal support after the divorce. Otherwise, yes, no-fault divorce is available to pretty much anyone. You just have to pay support.
There is nothing ACTUALLY holding you back from getting a divorce if that’s something you actually want. Instead of ensuring a whole mess of people’s lives are ruined, why don’t you be a man and end things on your own. Hell the accusation of adultery is enough to start some divorce proceedings. Grow a pair
Have you also considered that not all “users” are married?
translation: they are not taking the website down. Let the hackers release them all.
Well…….this should keep divorce lawyers (the real winners in all of this) busy for a good number of years…..
Not only men are cheaters so are women. Plenty of wives on there cheating on their hubbies. I hope the site closes for good.
How is this right to release these people’s personal info? I thought it was punishment for the site lying about really protecting customer information? Which, once you think about it, is pretty skeevy. I mean, why would I pay 19 bucks for info that should be protected anyway? Sorry, I digress; these people are adults hooking up with other adults. What gives these Impact folks the right to be their moral compass? If this is about morality then let God sort them out. It’s still violating a commandment. God is not gonna qualify which violation was worse. If they want to punish the company, then punish them, not the people, their customers.
Oh there’s going to be a few executives with soiled underwear this morning.
Where is the list of names ??
There’s actually a decent percentage of singles on this site. Even though it advertises itself as promoting affairs, a lot of people use it just as an ordinary dating site.
Hahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahaha. Cough,cough. Hahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahahaha.
You all are missing the point. Hacking is what it is. Matters not who gets hacked. Some of you have likely been hacked but don’t know it. If some big fella publicly states “I would hate to be hacked,” he will be targeted.
This is why end to end encryption is important, where only the users have the private key. Seems like the provider did not know how to build proper architecture for this type of infrastructure.
Yes, the AM Chief Security Officer deserves some blame; also, maybe their entire organization for lying about their data use and storage practices. And you are right, seems their site communications were never properly encrypted. Probably to save $. And of course the users deserve blame, for trusting a website with such information. I’m thinking the good ol’ fashioned ways of cheating will be coming back: meeting a person in a pickup bar or with your co-worker or boss. Seems safer than online advertisements for affairs.
It’s also why the government is fighting tooth and nail to prevent end-to-end encryption. The scariest thing to the NSA is an actual functioning democracy where a normal person and not one of their stooges were able to get elected. How’re they gonna blackmail potential candidates if they can’t read everyone’s mail?
Put the names out there for everyone to see!
Correlate this list with the people in the OPM hack and you’ll have a nice list for blackmail/ exploitation.
Good for these hackers. A website that serves for promoting affairs. This is scum. Want to have an affair, go do it. To make money simply from assisting and encouraging….. Hope you go to hell.
Right there with you, Natalie. I’m very open minded, and not a prude at all, but I hate how AM advertises affairs like no big deal. And then they ransom their own users to delete their account and actually never do it. Talk about shady business people. I’m happy and hope they go out of business.
If this is an inside job, it only underlines that the best security and deepest encryption in the world can be uncorked by a single Edward Snowden. I would like to hear Mr. Krebs’ analysis on what can be / is being done to secure against that weakest security link, the human link.
“What you do on the internet is forever and open to all”, is what I advise newbs on my forums. We are truly at the end of the age of secrets the moment we step online.
The human element will always be a factor.
cyber-terrorism? Really? crime, maybe, but terrorism? Please!
+1, When I read cyber-terrorism I thought of a game where we add cyber to the front of everything.
… and you may be sure that your sin will find you out. (Numbers 32:23). If there is turmoil over this small website right now, imagine the panic that there will be in the day of the Great White Throne judgment!! Only Jesus can save us from our sins.
Jesus hung around with a whore. That’s good enough for me.
Lol @ your silly mythology.
Hey Brian – I heard you speaking on NPR this morning about this. It’s cool hearing your voice and knowing your site is getting more viewers.
And this is why you should use a fake identity if you use this site…
“We were recently made aware of an attempt by an unauthorized party to gain access to our systems.”
The phrasing of this PR blurb using the word ATTEMPT implies the ‘unauthorized party’ was unsuccessful.
Of course, we all know it was a success!
Justice has been served!
Justice would have been exposing the businesses dishonest practices to the public. Stealing customers personal/banking info no matter how you view those customers lifestyles still makes you a thief and just as bad as the company you outed, so no justice hasn’t been served.
Anybody outed should be ‘lawyering up’. Ashley took your money to get you dates, and to be discreet. They took the money part more seriously than the discreet part. Sounds like they were using early Windows-era encryption. That’s what happens when you’re into ‘love’ and ‘service’ more than into the internet.
It’s the husbands that should be lawyering up… to divorce their cheating whore wives.
And may every single cheating whore be outed to her husband!
I can’t stop laughing over the idea of hackers with a moral agenda. Is this the next evolution of Christian fundamentalist militia groups?
More like lefties for vengeance, hypocrisy and double standards.
Personally instead of hacking dating sites I wish they’d hack into the accounts of people like our scumbag contractor Steve Zomerfeld III. Tell us where our money was spent once Steve took off with it. Or the do nothing local yokel police chief. WISHFUL DREAMING that someday someone will care that we were ripped off and still have NO HOME. Check Steve Zomerfeld on YOUTUBE. Or sadly on gofundme-Framing our future Building Forward.
You idiots seem to be missing the point. ALM’s slogan is “have an affair”. So don’t give me that “consenting adults and partners who know what’s going on and agree to it” crap. This site caters to scumbag cheaters. I applaud the impact team.
So basically as long as I can dig up some dishonest or scummy dirt on you from your past you don’t have any issues with me robbing you and plastering all your personal info across social media outlets so long as I say it’s for morality reasons? I’ll be right over.