August 24, 2015

Hacked online cheating service AshleyMadison.com is portraying itself as a victim of malicious cybercriminals, but leaked emails from the company’s CEO suggest that AshleyMadison’s top leadership hacked into a competing dating service in 2012.

AshleyMadison CEO Noel Biderman. Source: Twitter.

AshleyMadison CEO Noel Biderman. Source: Twitter.

Late last week, the Impact Team — the hacking group that has claimed responsibility for leaking personal data on more than 30 million AshleyMadison users — released a 30-gigabyte archive that it said were emails lifted from AshleyMadison CEO Noel Biderman.

A review of those missives shows that on at least one occasion, a former company executive hacked another dating website, exfiltrating their entire user database. On Nov. 30, 2012, Raja Bhatia, the founding chief technology officer of AshleyMadison.com, sent a message to Biderman notifying his boss of a security hole discovered in nerve.com, an American online magazine dedicated to sexual topics, relationships and culture.

At the time, nerve.com was experimenting with its own adult dating section, and Bhatia said he’d uncovered a way to download and manipulate the nerve.com user database.

“They did a very lousy job building their platform. I got their entire user base,” Bhatia told Biderman via email, including in the message a link to a Github archive with a sample of the database. “Also, I can turn any non paying user into a paying user, vice versa, compose messages between users, check unread stats, etc.”

Neither Bhatia nor Biderman could be immediately reached for comment. KrebsOnSecurity.com spoke with Bhatia last week after the Impact Team made good on its threat to release the Ashley Madison user database. At the time, Bhatia was downplaying the leak, saying that his team of investigators had found no signs that the dump of data was legitimate, and that it looked like a number of fake data dumps the company had seen in the weeks prior. Hours later, the leak had been roundly confirmed as legitimate by countless users on Twitter who were able to find their personal data in the cache of account information posted online.

The leaked Biderman emails show that a few months before Bhatia infiltrated Nerve.com, AshleyMadison’s parent firm — Avid Life Media — was approached with an offer to partner with and/or invest in the property. Email messages show that Bhatia initially was interested enough to offer at least $20 million for the company along with a second property called flirts.com, but that AshleyMadison ultimately declined to pursue a deal.

More than six months after Bhatia came to Biderman with revelations of the nerve.com security vulnerabilities, Biderman was set to meet with several representatives of the company. “Should I tell them of their security hole?” Biderman wrote to Bhatia, who doesn’t appear to have responded to that question via email.

The cache of emails leaked from Biderman run from January 2012 to July 7, 2015 — less than two weeks before the attackers publicized their break-in on July 19. According to a press conference held by the Toronto Police today, AshleyMadison employees actually discovered the breach on the morning of July 12, 2015, when they came to work and powered on their computers only to find their screens commandeered  with the initial message from the Impact Team — a diatribe accompanied by the song “Thunderstruck” from rock band AC/DC playing in the background.

Interestingly, less than a month before that episode, AshleyMadison executives seemed very keen on completing a series of internal security assessments, audits and security awareness training exercises for employees.

“Given our open registration policy and recent high profile exploits, every security consultant and their extended family will be trying to trump up business,” wrote Ashley Madison Director of Security Mark Steele to Biderman in an email dated May 25, 2015. “Our codebase  has many (riddled?) XSS/CRSF vulnerabilities which are relatively easy to find (for a security researcher), and somewhat difficult to exploit in the wild (requires phishing). Other vulnerabilities would be things like SQL injection/data leaks, which would be much more damaging” [links added].

As bad as this breach has been for AshleyMadison and its millions of users, it’s likely nowhere near over: Hackers who have been combing through the company’s leaked email records have just released a “selected dox” archive — a collection of documents, images and other data from Biderman’s inbox, including a 100-page movie script co-written by Biderman called “In Bed With Ashley Madison.” Also included in the archive are dozens of other sensitive documents, including a scan of the CEO’s drivers license, copies of personal checks, bank account numbers, home address, and his income statements for the last four years.

Also, the Impact Team still have not released data from the other Avid Life Media property they claim to have hacked — Establishedmen.com, a “sugar daddy” site that claims to connect wealthy men with willing young women.

Earlier today, Toronto Police announced that Avid Life Media had offered a $500,000 reward for information leading to the arrest and prosecution of the hacker or hackers responsible for the breach. But many readers took to Twitter or to the comments section on this site to denounce the bounty as an overdue or cynical ploy, with some saying the company should have offered the reward weeks ago — before the Impact Team released the company’s entire user database and caused so much irreversible damage.

Leaving aside the proliferation of sites that now allow suspicious spouses to search for their significant other’s email address in the AshleyMadison data leak, some users are finding themselves on the receiving end of online extortion attacks. Worse still, Toronto Police told reporters this morning that they have two unconfirmed reports of suicides associated with the leak of AshleyMadison customer profiles.


75 thoughts on “Leaked AshleyMadison Emails Suggest Execs Hacked Competitors

  1. Andrew

    This is why I don’t mix my personal data with workplace data.

  2. Adulteres.org

    The 500 000$ offer arrives to late …
    But we still don’t know who the hacker is …
    Someone from the inside ?
    Possible. AM’s datas are huge ! It needs time to save so many datas …

  3. DD

    You should take this site down. What’s the point you are making? Your worse than those who signed up for the site, actually. How can you look at yourself in the mirror?

  4. NOTYOU

    was this site take down or it just crashed due to high traffic?

  5. Sokol L

    Brian – This post should be removed as it was under one of your other stories.

  6. Greg Scott

    Hey Brian, there’s a typo in this sentence:

    > Also included in the archive are dozens of other sensitive
    > documents, including a scan of the CEO’s drivers licence, copies
    > of personal checks, bank account numbers, home address, and
    > his income statements for the last four years.

    The word, “licence” should be “license.”

    Sorry to be picky. I’m a writer too and typos sometimes jump off the page at me. You are sort-of in my new book BTW – here’s a link to my ad landing page:

    http://www.bullseyebreach.com/do-recent-sensational-data-breach-headlines-bother-you/

    – Greg Scott

    1. Bob

      Actually Greg, licence is spelled correctly. It’s the Canadian spelling.

  7. job

    Hurrah, that’s what I was searching for, what a data!
    present here at this website, thanks admin of this website.

  8. Marty

    Hi Brian,

    I’ve been an avid follower of your reports for years, mainly through your RSS feed which I obtained through My Yahoo. However, your RSS feed doesn’t seem to be working any more, either through Yahoo or through Firefox’s Live Bookmarks. Can you check into this? Thanks.

Comments are closed.