Large caches of data stolen from online cheating site AshleyMadison.com have been posted online by an individual or group that claims to have completely compromised the company’s user databases, financial records and other proprietary information. The still-unfolding leak could be quite damaging to some 37 million users of the hookup service, whose slogan is “Life is short. Have an affair.”
The data released by the hacker or hackers — which self-identify as The Impact Team — includes sensitive internal data stolen from Avid Life Media (ALM), the Toronto-based firm that owns AshleyMadison as well as related hookup sites Cougar Life and Established Men.
Reached by KrebsOnSecurity late Sunday evening, ALM Chief Executive Noel Biderman confirmed the hack, and said the company was “working diligently and feverishly” to take down ALM’s intellectual property. Indeed, in the short span of 30 minutes between that brief interview and the publication of this story, several of the Impact Team’s Web links were no longer responding.
“We’re not denying this happened,” Biderman said. “Like us or not, this is still a criminal act.”
Besides snippets of account data apparently sampled at random from among some 40 million users across ALM’s trio of properties, the hackers leaked maps of internal company servers, employee network account information, company bank account data and salary information.
The compromise comes less than two months after intruders stole and leaked online user data on millions of accounts from hookup site AdultFriendFinder.
In a long manifesto posted alongside the stolen ALM data, The Impact Team said it decided to publish the information in response to alleged lies ALM told its customers about a service that allows members to completely erase their profile information for a $19 fee.
According to the hackers, although the “full delete” feature that Ashley Madison advertises promises “removal of site usage history and personally identifiable information from the site,” users’ purchase details — including real name and address — aren’t actually scrubbed.
“Full Delete netted ALM $1.7mm in revenue in 2014. It’s also a complete lie,” the hacking group wrote. “Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.”
Their demands continue:
“Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails. The other websites may stay online.”
A snippet of the message left behind by the Impact Team.
It’s unclear how much of the AshleyMadison user account data has been posted online. For now, it appears the hackers have published a relatively small percentage of AshleyMadison user account data and are planning to publish more for each day the company stays online.
“Too bad for those men, they’re cheating dirtbags and deserve no such discretion,” the hackers continued. “Too bad for ALM, you promised secrecy but didn’t deliver. We’ve got the complete set of profiles in our DB dumps, and we’ll release them soon if Ashley Madison stays online. And with over 37 million members, mostly from the US and Canada, a significant percentage of the population is about to have a very bad day, including many rich and powerful people.”
ALM CEO Biderman declined to discuss specifics of the company’s investigation, which he characterized as ongoing and fast-moving. But he did suggest that the incident may have been the work of someone who at least at one time had legitimate, inside access to the company’s networks — perhaps a former employee or contractor.
“We’re on the doorstep of [confirming] who we believe is the culprit, and unfortunately that may have triggered this mass publication,” Biderman said. “I’ve got their profile right in front of me, all their work credentials. It was definitely a person here that was not an employee but certainly had touched our technical services.”
As if to support this theory, the message left behind by the attackers gives something of a shout out to ALM’s director of security.
“Our one apology is to Mark Steele (Director of Security),” the manifesto reads. “You did everything you could, but nothing you could have done could have stopped this.”
Several of the leaked internal documents indicate ALM was hyper aware of the risks of a data breach. In a Microsoft Excel document that apparently served as a questionnaire for employees about challenges and risks facing the company, employees were asked “In what area would you hate to see something go wrong?”
Trevor Stokes, ALM’s chief technology officer, put his worst fears on the table: “Security,” he wrote. “I would hate to see our systems hacked and/or the leak of personal information.”
In the wake of the AdultFriendFinder breach, many wondered whether AshleyMadison would be next. As the Wall Street Journal noted in a May 2015 brief titled “Risky Business for AshleyMadison.com,” the company had voiced plans for an initial public offering in London later this year with the hope of raising as much as $200 million.
“Given the breach at AdultFriendFinder, investors will have to think of hack attacks as a risk factor,” the WSJ wrote. “And given its business’s reliance on confidentiality, prospective AshleyMadison investors should hope it has sufficiently, er, girded its loins.”
Update, 8:58 a.m. ET: ALM has released the following statement about this attack:
“We were recently made aware of an attempt by an unauthorized party to gain access to our systems. We immediately launched a thorough investigation utilizing leading forensics experts and other security professionals to determine the origin, nature, and scope of this incident.”
“We apologize for this unprovoked and criminal intrusion into our customers’ information. The current business world has proven to be one in which no company’s online assets are safe from cyber-vandalism, with Avid Life Media being only the latest among many companies to have been attacked, despite investing in the latest privacy and security technologies.”
“We have always had the confidentiality of our customers’ information foremost in our minds, and have had stringent security measures in place, including working with leading IT vendors from around the world. As other companies have experienced, these security measures have unfortunately not prevented this attack to our system.”
“At this time, we have been able to secure our sites, and close the unauthorized access points. We are working with law enforcement agencies, which are investigating this criminal act. Any and all parties responsible for this act of cyber–terrorism will be held responsible.”
“Avid Life Media has the utmost confidence in its business, and with the support of leading experts in IT security, including Joel Eriksson, CTO, Cycura, we will continue to be a leader in the services we provide. “I have worked with leading companies around the world to secure their businesses. I have no doubt, based on the work I and my company are doing, Avid Life Media will continue to be a strong, secure business,” Eriksson said.”
If you are on the site, cheater or not, you deserved what you get for being on a site that promotes unhealthy relationships between two individuals and in society as a whole. Don’t love the spouse. Divorce him or her and move on to someone who might love you or him or her. I would say you both deserve to be in a loving relationship, but at this point if you are on this website, you really just need to come clean before it gets worse. Single. Looking for sex? Look at the STD stats then thinking about the next hook up.
Experian sells PII of 200M people to bad guys around the globe and nobody cares. AM gets hacked and everyone cares. This is a bizarro world. 39m records….that’s a big file. Do people think they are going to post some 3GB access database for everyone to search? Excel can’t handle that data. Do your spouses routinely search pastebin etc for your names? Hey everyone keep whistling past the graveyard while your social security # and other PII is sold for pennies because you want to throw stones from your glass house.
Can’t say I feel bad for these people who get their names released. Not so much because they had sex with someone other than their spouse, but because they weren’t honest with their spouse about wanting to expand their relationship beyond the bounds of monogamy. It is just like Bill Clinton in 1998… it isn’t so much the act that is offensive, but the lying about it.
Uh, what makes you think Ashley Madison users were dishonest with spouses? Even if your spouse knows, a site like AM can be useful in finding other adults interested in a fling with no pretense of more.
Are you retarded?
Is that a rhetorical question?
You are definitely man. Always the typical male response when caught because you want to have your cake and eat it.
Divorce your spouse if you don’t find them physically attractive anymore. The thing is men are very lazy and don’t have the balls to be honest about their unhappy marriages and relationships and do the decent thing to tell their partners and start all over again.
Instead they cheat on their wives and partners with younger trophy looking women they will never marry.
I’m afraid most men in power are pathetic and they have a sense of entitlement because they earn a large proportion of the family money.
Good ob=n the hackers This web site encourages affairs which is really wrong. If the couples are unhappy try to work out a solution or separate if you cant not go behind the spouses back. This is so unfair and impacts the whole family and leads to a destruction of everything and family;s life
The case could also be made that affairs enable some to remain in marriages. I am not a member but the sight of people rubbing their hands about the imminent public stoning of the presumed guilty (who may be merely the formerly or still currently unhappy) is sufficiently odious that I could imagine people joining to protest this moral vigilantism.
However, it’s clear that the company sought to profit from users’ anxiety by, in effect, blackmailing them. For this they deserve to be shut down. No doubt their terms and conditions provide immunity against this kind of incident in terms of being sued for disclosure. And that should provide all the reassurance people need that they should not engage with this company. Were I member I would threaten to sue unless the company immediately promised to rescind that policy and then act accordingly and purge old data.
Its just funny to see that many people humiliated. Only secure way to communicate is analog my friends, for sex or otherwise.
Big deal… help yourself… Everybody is screwed… not much is really sacred so let them go on and hack some more… might as well hack into same sex marriage… smh…
Sounds like ALM is bluffing, hoping to scare the person who did the hack into not releasing anything in the off chance a insider had some role in the attack. If they really knew who did it, which means they had proof then they wouldn’t be posting that they know who did it. They would be passing the proof and info along to LE and they would have already kicked in the door and we would already be reading the headline that the guy was busted and all the info was secure and the leak was adverted. If you really knew who was behind it you wouldn’t give the guy a heads up so he had a chance to release it before they could secure his devices. They want this guy to think that they’re onto him and he needs to lay low and destroy the data.
ALM probably thinks it was an insider and initially I thought it was likely also. But now I think an APT is more likely due to the knowledge the guy seems to have based on amount of info they gathered. It seems more complex than simply gaining access to their DB and dumping it. It sounds like they infiltrated the whole infrastructure and many servers and personal computers. Typically the web server, db, repos, docs, email, etc will be spread among many servers in an organization of this size.
They probably had poor opsec and it will turn out it was a relatively simple hack that got them through the front door and instead of having to get through many more doors there was only one.
I still have seen ZERO evidence that this hack is real though. Outlets are reporting that 40MB was released but they don’t know that themselves because they haven’t seen it either. There are no DCMAs on Google for the initial leak I can find.
Assuming it is legit I’m thinking the guy behind this might be getting cold feet and not too secure about his ability to hide or he would have reposted it to other places or uploaded to torrent or i2p.
His first go around at leaking the info was a total fail if he really did leak anything. We will see in another several hours if he is legit or a hoaxer because another supposed dump should be due to break. I wonder if he’ll screw that one up also or if he will actually mirror to several places and put it on p2p.
I’m not sure what the point of dragging it out though is. AM is not going to be taken down. The only reason they may have considered doing that is because of the liability from the full delete service but they would have already taken it down by now.
I’ve got my popcorn. Can’t believe people are still dumb enough to do dirt on the web and be shocked when it comes out. Everything you do or say online has a chance of becoming public domain.
OK – so you all want to blame the “cheaters” and you all think you know everything? Well, take someone who has been diagnosed with an illness, been a roommate to spouse for the past 20 years because of very good reasons (that would do some damage if published), has talked and talked but to no avail; same situation — divorce would cost megabucks, kids involved and didn’t want to live to the end of days suffering being unhappy. LIFE IS TOO SHORT!! Get it?
What would you do??? If for once in your life, you got the courage enough to get on a site to find someone you can get to know and experience feelings with, just so you won’t die feeling so unloved? It’s risky but it’s brought me so much happiness and new found friend for life.
Wow, you’ve really twisted this around so that it’s okay and you’re the hero. Nice work. You should become a lawyer.
So that still justifies cheating huh? Sure it’s your life, but you also have kids involved according to your information. I bet they know nothing. I’m sure they feel it is surely ‘validated’.
Oh puhleez. I’m a lawyer. He makes us look like angels.
Yet another cheating spouse seeking to justify dishonest behavior. If you and your spouse can’t work out an amicable arrangement to open your marriage so that everyone can get their needs met, end the relationship honorably and go your separate ways. Yep, divorce is expensive and awkward, but you can’t have your cake and eat it too. You have no sympathy from me, dirtbag.
You have kids, and you have cheated. You should have taken you kids ( & spouse ) into consideration before cheating. You should be named and shamed you dumb as$! I hope this information is made public.
Why get married in the first place. That was your own mistake for making that commitment. Be a man, or woman and end the relationship before moving on to someone else. Through sickness and in health, ’til death do us part. You are a coward and deserve to die unhappy.
If you’ve REALLY talked it out with your wife and couldn’t come to an agreement re: seeing other people, what have you done for her to resent you so much that she’ll force you to stay celibate in an unhappy marriage? Even if you’re not in love with your partner anymore, you still owe them common decency and respect. While she shouldn’t keep you from seeing other people if you both feel like your marriage has run its course, you have no excuse for cheating. None. You chose to get married and have children with this person; if you want to go look elsewhere, either agree on the terms, or get a divorce. Right now you’re just making it sound like you don’t have the balls to leave your wife because you’re too cheap to pay for child support. Shame on you.
Don’t judge the crime by the victim.
If you can justify another citizens illegal breach of private information, then you consent to your own breach as well.
Many criminals target the lowest/weakest of our society ( aka low hanging fruit ) to justify their wrongdoings, serial killers do this as well.
I work in a legal online business where what I make is stolen daily and distributed for free by “consumers”, who then rate my work 5 stars, with tens of thousands of views. After 15 years in business with near perfect credit I just completed my bankruptcy.
On second thought, I think you’re all going to get what you deserve. You think you’re anonymous. You think you’re protected. You think you can consume for free what you know is stolen. Here’s your price. The people who steal from me, are coming after you.
I wonder if my dummy account created with completely fake information will be in whatever dump eventually gets posted?
I have nobody to cheat on, nor did I help anyone else cheat, so don’t go preaching to me. I just created it to look around and see what the moral brigade was getting all hot and bothered about…
It would be interesting to know the average age of the people commenting on this forum and there marital/ parenting status…….the moral authority here is kind of sad.
“all parties responsible for this act of cyber–terrorism will be held responsible.”
Must be like getting “counter-sued”
They taking responsibility for their domestic-terrorism? facilitating domestic adultry
More right-wing nut jobs wanting to tell everyone else how to be moral, but first let’s bomb the Middle East into submission and kill hundreds of thousands. Typical Trump and Rush mentality.
Interestingly, in that well-put-together PR statement, I did not see anyone denying having stored confidential information. Why aren’t lawyers tearing that apart?
Accessory to alienation of affection… I bet they can be sued in New York and illinois . if I were the owners I’d be packing my bags.
3 million users and I couldn’t find one woman lol fml hahaha
Some of the moralist rubes on this site have to make you laugh.
All right, children, gather round while I explain it to you: The person who hacked their site is a criminal, that’s right, A Very. Bad. Person. When (not if) he or she is caught, there will be criminal charges and prosecution. (And prison time. Lots of prison time.) There will also be civil charges relating to the damage of breaching the confidential records of many, many people and the devaluation of a company that was purported to be worth some $200M. Damages are likely to be more than the GDP of several smaller countries.
Whoever makes up “The Impact Team” just bit off an awful lot. 37 MILLION people with secrets to keep are going to be doing everything they reasonably can to keep those secrets. Some of them aren’t going to be reasonable. And some of them have money, power and influence.
The Impact Team had better hope they’re caught by legitimate authorities before someone else finds them.
I’ll point out one other thing.
How many of the 37 M AM users are in sensitive and/or highly prominent positions in their various governments? How many of them are in a position to be seriously compromised or otherwise damaged by the criminal hacking and release of AM data?
This may have crossed into the realm of National Security. There’s at least one three-letter agency (including one whose initials begin with ‘N’ and end with ‘A’) likely to be looking into this right now. If “The Impact Team” thinks they’re safe behind TOR or whatever they’re using to protect their anonymity, they may want to ask Ross Ulbricht how well that Dread Pirate Roberts gig worked out. He’s not hard to find these days.
Ever think some NSA folks might be moonlighting? After a long day of domestic spying and doing nothing about political and corporate criminals, relive a little stress and expose what you can get away with without exposing yourself. I just hope there are more exposures like this.
OK, let’s try another side of this equation… Ashley Madison exploits people who are in unhappy marriages by trying to rationalize if enough people do it, and it can support a multi-million dollar enterprise, it must be OK to do.
You imply the proof of the hacker(s) being bad is that if they get caught, bad things will happen to them legally. However, using similar logic, the owners of Ashely Madison will also likely end up with severe legal problems when the unknowing spouses sue them for creating an attractive nuisance, for encouraging this behavior (and capitalizing on it), for possibly providing supportive, secretive services which may have caused a spouse to acquire and spread dangerous diseases, for breaking up families, for potential financial damages to families, for breach of contracts to spouses, and ultimately the users of the website may also sue for breach of contract over assumption of privacy. Seems to me there is more than enough legal blame to go around to make them all “bad people”, the company owning the website, the users of the website, and the hackers (if they ever get caught).
I sort of see this like the Edward Snowden “theft” of information, it may have been illegal, but ethical. Might be a deterrent for the next person who wants to cheat on their spouse, just like Snowden has probably made the US government a little more shy about spying on their citizens and heads of state.
I’m glad someone said it!
Everyone seems to be praising this criminal for “doing bad things for good reasons”. It’s still horribly and very legally wrong. And s/he could do it to other more important companies.
Everyone, put your pitch forks down. If you want these member’s personal and financial information posted, post your own first.
I hope they publish.
Now you have these woman and men(not me,
I am not a member) who have names ,
Addresses, personal places and friends to get to these people who
Thought their info out there and be blackmailed. It is sad you have
To go through all this drama just to cheat on you wife or husband. If you were
Dating somebody from these sites you can now still have that
Nice car and house and whatever else you may have wanted. Especially
The one that really have a lot to lose. Karma Karma Karma
Too bad “what goes around comes around” 37 million times
Too bad “what goes around comes around” 37 million timeshare
I hope Leo Laporte doesn’t get in trouble …. again.
There are a lot of people here sitting on their high horse and judging others for being “dirt-bags” and “lying scum”. I was on AM for this reason…my husband was in an accident and has been rendered unable to perform sexually anymore. I love him, he loves me. A lot of time has passed and I had remained faithful although it has been very hard to deal with basically being celibate now and for the rest of my life. I’m human after all. I feel horribly that my husband has been rendered permanently celibate. It has been a few years (yes years), and my husband approached me and said he knows I love him but it kills him that I am in this position and asked me to find sexual comfort with another man. I resisted this many times, but he kept insisting. Eventually, call it weakness, I agreed. I was breaking down and needed it. The thought of never having sex again was too much. We mutually decided that AM was the way to go since it was discrete. We could find someone that we both approved of with no connections to us or anyone in our circle and keep it very quiet and not have this spread to our friends, family, colleagues, etc. We screened a few men but hadn’t yet selected one. We felt we could be choosy and find the right person if we were going to do this. Then the hack happened. Now our information and personal lives could be spread for the world to see, and our very personal and private situation would be scrutinized. I am a teacher and this scrutiny could cost me my job and reputation. I’m also a member of many youth and charity groups and this could cause me to lose all of that. You see, the info released doesn’t come with back stories. It just paints everyone as a liar, cheater, whore, or deviant. While maybe many of the people on the site meet those labels, it’s unfair to pigeon hole me as such. I hope the hackers consider that they could ruin some very real lives with very real stories by posting this info. Targeting the corporation for bilking people out of money and not providing the promised service is one thing, but targeting people like my husband and me who had private personal reasons for being on the site is cruel.
Are we expected to sympathize with Ashley Madison? I say release the information regardless.
I love how the morally-elite come out and say these cheaters are deserving of being exposed. I hope your spouse is on that list lol
I know this is a crime…but I have to find it kind of funny. The fact that this website exists repulses me, I have a hard time feeling sorry for it’s …ehem, victims.
I know this is a crime…but I have to find it kind of funny. The fact that this website exists repulses me, I have a hard time feeling sorry for it’s …ehem, victims.
I think it’s great! Everyone on the site should be exposed. I don’t care what the situation is or whether there are children involved. What is done to your spouse you’re already doing to your children as well. If you want to play around and if your spouse does’nt do it for you anymore, do the respectful thing first and get a divorce before you move on and hurt someone else or break up someone else’s marriage. Be real men or women!
good, the site is an absolutely disgusting idea anyway
Maybe it’s a sign that promoting infidelity in relationships is not good karma. Serves em right. Take her down!!
Serves em right, it’s a sign that promoting infidelity in relationships is bad karma. Take the whole site down.
YES TAKE A.M. AND THROW HER IN THE OCEAN. THIS IS EXACTLY WHAT THIS WEBSITE DESERVES. I HOPE THOSE HACKERS GET IT ALL
As 70 year old grandma who has been living a hell since finding out that our “ultimate” son in law subscribed to AM and had an affair with a married girl 15 years his junior… I say give the hackers a medal of honor. Do these sites have any idea of how many marriages are torn apart and children scarred forever by the fact that Daddy was bedding,wining and dining, gifting some slut who was trolling for a guy.. preferably a gift giver. Big Daddy should have been at home helping his nursing wife with two other small children so she had ENERGY to be his lover. Finally approaching divorce, the AM legacy is an almost destroyed smart, educated woman and three chldren who do not respect their mother because all their formative years they have watched their father act like all cheating husbands do.. treat their wives like they have the plague. But they are the ones who bring the little bugs home . I told the sick cheater that he will never know the pain until one of his own daughters comes to him suffering from the same scenario.. don’t think it even resonated with him
As his parents told me : It’s all about him, always was, and always will be”. There has to be a special hell for the AM crowd.
Maybe a jealous lover will castrate the creeps.