August 24, 2015

Hacked online cheating service AshleyMadison.com is portraying itself as a victim of malicious cybercriminals, but leaked emails from the company’s CEO suggest that AshleyMadison’s top leadership hacked into a competing dating service in 2012.

AshleyMadison CEO Noel Biderman. Source: Twitter.

AshleyMadison CEO Noel Biderman. Source: Twitter.

Late last week, the Impact Team — the hacking group that has claimed responsibility for leaking personal data on more than 30 million AshleyMadison users — released a 30-gigabyte archive that it said were emails lifted from AshleyMadison CEO Noel Biderman.

A review of those missives shows that on at least one occasion, a former company executive hacked another dating website, exfiltrating their entire user database. On Nov. 30, 2012, Raja Bhatia, the founding chief technology officer of AshleyMadison.com, sent a message to Biderman notifying his boss of a security hole discovered in nerve.com, an American online magazine dedicated to sexual topics, relationships and culture.

At the time, nerve.com was experimenting with its own adult dating section, and Bhatia said he’d uncovered a way to download and manipulate the nerve.com user database.

“They did a very lousy job building their platform. I got their entire user base,” Bhatia told Biderman via email, including in the message a link to a Github archive with a sample of the database. “Also, I can turn any non paying user into a paying user, vice versa, compose messages between users, check unread stats, etc.”

Neither Bhatia nor Biderman could be immediately reached for comment. KrebsOnSecurity.com spoke with Bhatia last week after the Impact Team made good on its threat to release the Ashley Madison user database. At the time, Bhatia was downplaying the leak, saying that his team of investigators had found no signs that the dump of data was legitimate, and that it looked like a number of fake data dumps the company had seen in the weeks prior. Hours later, the leak had been roundly confirmed as legitimate by countless users on Twitter who were able to find their personal data in the cache of account information posted online.

The leaked Biderman emails show that a few months before Bhatia infiltrated Nerve.com, AshleyMadison’s parent firm — Avid Life Media — was approached with an offer to partner with and/or invest in the property. Email messages show that Bhatia initially was interested enough to offer at least $20 million for the company along with a second property called flirts.com, but that AshleyMadison ultimately declined to pursue a deal.

More than six months after Bhatia came to Biderman with revelations of the nerve.com security vulnerabilities, Biderman was set to meet with several representatives of the company. “Should I tell them of their security hole?” Biderman wrote to Bhatia, who doesn’t appear to have responded to that question via email.

The cache of emails leaked from Biderman run from January 2012 to July 7, 2015 — less than two weeks before the attackers publicized their break-in on July 19. According to a press conference held by the Toronto Police today, AshleyMadison employees actually discovered the breach on the morning of July 12, 2015, when they came to work and powered on their computers only to find their screens commandeered  with the initial message from the Impact Team — a diatribe accompanied by the song “Thunderstruck” from rock band AC/DC playing in the background.

Interestingly, less than a month before that episode, AshleyMadison executives seemed very keen on completing a series of internal security assessments, audits and security awareness training exercises for employees.

“Given our open registration policy and recent high profile exploits, every security consultant and their extended family will be trying to trump up business,” wrote Ashley Madison Director of Security Mark Steele to Biderman in an email dated May 25, 2015. “Our codebase  has many (riddled?) XSS/CRSF vulnerabilities which are relatively easy to find (for a security researcher), and somewhat difficult to exploit in the wild (requires phishing). Other vulnerabilities would be things like SQL injection/data leaks, which would be much more damaging” [links added].

As bad as this breach has been for AshleyMadison and its millions of users, it’s likely nowhere near over: Hackers who have been combing through the company’s leaked email records have just released a “selected dox” archive — a collection of documents, images and other data from Biderman’s inbox, including a 100-page movie script co-written by Biderman called “In Bed With Ashley Madison.” Also included in the archive are dozens of other sensitive documents, including a scan of the CEO’s drivers license, copies of personal checks, bank account numbers, home address, and his income statements for the last four years.

Also, the Impact Team still have not released data from the other Avid Life Media property they claim to have hacked — Establishedmen.com, a “sugar daddy” site that claims to connect wealthy men with willing young women.

Earlier today, Toronto Police announced that Avid Life Media had offered a $500,000 reward for information leading to the arrest and prosecution of the hacker or hackers responsible for the breach. But many readers took to Twitter or to the comments section on this site to denounce the bounty as an overdue or cynical ploy, with some saying the company should have offered the reward weeks ago — before the Impact Team released the company’s entire user database and caused so much irreversible damage.

Leaving aside the proliferation of sites that now allow suspicious spouses to search for their significant other’s email address in the AshleyMadison data leak, some users are finding themselves on the receiving end of online extortion attacks. Worse still, Toronto Police told reporters this morning that they have two unconfirmed reports of suicides associated with the leak of AshleyMadison customer profiles.


75 thoughts on “Leaked AshleyMadison Emails Suggest Execs Hacked Competitors

    1. Trent

      A couple of my favorite AshMad problems from a year ago that they discuss doing damage control over in the emails.

      https://www.youtube.com/watch?v=cmUMNTHvAiA

      https://www.youtube.com/watch?v=wwBiCy8qA0w

      Tsk tsk to those who don’t read terms. How many men did this piece of s**t site sucker into paying for credits just so they can talk to “angels” that don’t even exist. This should get more press.

      Watching that company do damage control over all the problems they faced in that email history was a hoot.

      I’m calling it now, inside job, someone high-up and disgruntled, someone who felt their time was at an end and new they’d be let go, someone still employed but with great access to everything. I’m thinking Trevor. Crazy, but some people really do want to watch the world burn.

      1. Big Al

        The data is incomplete. There are only 252,000 or so records that have name data.
        The vast majority of the data only has emails. The site is a chat site so they didn’t need to keep much data or than say sexual preferences and so on. If a user used a fictions email I doubt that they have much to worry about. The do keep zip codes, weight, height, eye colour, hair colour ect. So a user could come to conclusions about some one they knew. Some credit card details are kept card ending xxxx1234
        expiry date, name and address. They do not have 36 mill active users more like 16 mill.

        1. DD

          Hope this site comes down. Misery peddlers should suffer more than those who were hacked.

  1. E.G.

    A recent headline read, “Ashley Madison: Are we too dumb to cheat?”

    I think the answer might be “Yes.”

  2. amlolz

    They were also apparently trying to orchestrate an “anti-Ashley Madison campaign” in Israel, to have someone prominent come out AGAINST Ashley Madison.. for the publicity and traffic

    They also apparently contemplated targeting US govt workers during the US Govt shutdown, taking advantage of their despair

    Only 2 examples of their scummy tactics that I found in his email :/

  3. Bob E

    His picture in the article reminds me of Larry the Lounge Lizard.

    1. Barry

      Is that actually lipstick on his shirt collar? Sheesh….

      1. TG

        I think that’s just a fashion-forward take on ye olde luau shirt. Needs moar gold chains.

    2. Deek

      Surely that would be Leisure Suit Larry in the Land of the Lounge Lizards?

  4. Tommy

    So the companies have been humping each other! One data security problem that needs to be better known is that most modern office copiers contain a hard drive that records a copy of everything thats put through and scanned, maybe they sold an old one? 2nd hand copier anyone, go on its a data goldmine.

    1. sarcastic sam

      Somebody has been watching five-year-old 60 Minutes reruns.

      1. SeymourB

        Yeah, it’s sad but I have a number of executives who apparently watch five year old reruns too. That hole has been plugged for years now yet none of them can use a centralized system to send a fax because “someone could retrieve it!!11!” So we have a proliferation of executives with individual fax machines which regularly individually break down, each time creating hysteria because then they’d have to rely on those centralized systems that they can’t possibly do because zomg 60 minutes…

        1. sarcastic sam

          What is this “fax machine” you refer to? Is that where the guy with the green visor taps the button like a Parkinson’s patient? You may want to invest in some newer telephony technology.

  5. Back in Hack

    Great post ! The dating business relies mostly on getting men to subscribe and pay on website where there’s a low volume of women (who most of the time don’t really need to go on websites to get approached by men). A lot of dating website operate that way, the ratio in the industry being around 70-80% men, 20% women. We typically have here a LOT of things put on the public place, but one in particular is interesting : the data privacy regulations in Canada impose security measures for anyone processing personal data. I think the 500K bounty is a big diversion around the real problems AM will face that is they didn’t protect their user’s data according to the state of the art. I’m very interested in comments about that within the next weeks/month.
    Cheers,

  6. Stephen

    I guess that since this is all a Canadian situation, that the $500,000 is Canadian dollars and not USD. That’s only $376,772.72. Not worth the effort to investigate.

  7. Gail

    From the get-go, this smelled like an inside job. A disgruntled employee, IT or management, who was pissed about some slight….or was approached by AM’s comp to take them down. Given the personal data released on the CEO, seems like he made at least one very smart enemy.

    1. Paul C

      It could also be a security researcher or security firm that was contracted to perform vulnerability and penn-tests on their servers, found something, and got greedy.
      Or it could be a stroke of luck, I mean, Neiderman even said:
      “Our codebase has many (riddled?) XSS/CRSF vulnerabilities which are relatively easy to find (for a security researcher), and somewhat difficult to exploit in the wild (requires phishing). Other vulnerabilities would be things like SQL injection/data leaks, which would be much more damaging”

      1. SeymourB

        Actually it’d be relatively amusing if AM hired a firm to perform penetration testing, the CEO rubbed one of the testers the wrong way, then the firm had trouble collecting funds for the contract, leading to a pissed off tester doing something he shouldn’t have done.

  8. Gail

    Moral of this story? Like using the internet, human relationships always leave a trail of information and potential consequences (especially if you operate under the illusion of anonymity).

  9. Delilah Perez

    The CEO looks like a real douchebag in that photo.

  10. Jeremy G

    Ashley Madison filled a need. Married people want to cheat in an environment that promotes discretion (discretion coming largely from pairing them with other married people). Another site will pop up to take its place soon enough. Law of the jungle.

    If they’re smart, those responsible for this new site will only take payment in bitcoin, easily facilitate purchasing bitcoin at multiple third-party sites for unsophisticated users, suggest and facilitate using a separate email and google voice number for all off-site communication, and won’t even _ask_ for any personally identifying information beyond your location and the preferences stuff on your dating profile.

    At that point, the answer to “what happens when we get hacked” will be “you won’t care”. Also known as the only RIGHT answer.

    1. Historian

      I’m sure Jack the Ripper awaits the establishment of such a website with eager anticipation.

      A site with no way of verifying the identity of the customers is likely to be a site with lots of men and *no* women.

      Look at the problems with craigslist…

  11. Prosecute

    on at least one occasion, a former company executive hacked another dating website, exfiltrating their entire user database. On Nov. 30, 2012, Raja Bhatia, the founding chief technology officer of AshleyMadison.com, sent a message to Biderman notifying his boss of a security hole discovered in nerve.com, an American online magazine dedicated to sexual topics, relationships and culture. …

    “They did a very lousy job building their platform. I got their entire user base,” Bhatia told Biderman via email, including in the message a link to a Github archive with a sample of the database. “Also, I can turn any non paying user into a paying user, vice versa, compose messages between users, check unread stats, etc.”

    Criminal activity. Seize their servers and prosecute.

    1. Jay

      That’s a serious crime in both the U.S. and Canada, as the victim is an American company and the alleged criminals are officers in a Canadian company. Extradition is a possibility, whether or not the crime is prosecuted under Canadian law.

  12. John P

    They should have capitulated with the hackers demands and closed down the sites. Would have saved all this mess. Instead they threw all their members under a bus in a pointless attempt to save the company.

    1. Tom

      Dreaming of the IPO.

      It seems that they had a loose grip on reality.

  13. Ron

    Heard a preacher say last week “if you break natural law, it will break you.” He went on to say that marriage is a sacred bond created by God that cannot be broken by man once consummated -and no surprise then that adultery is one of the 10 commandments. So I guess we see the trials and tribulations of those who participate in its breakage.

    1. Doug Jackson

      actually, natural law dictates philandering. It’s un-natural laws that force people to get married to 1 spouse for life. It has to be forced, through law and moralistic teachings.

      1. LJ

        Last I checked – most people (in this country, anyway) get married by choice. Not being “forced” to get married. If you want to spread your seed – fine. Just be honest about it.

  14. BonnieBrae

    Was it a CEO? Was it an employee? Was it someone on the outside? How will I sleep at night until this is solved?

    1. BVR

      These questions and more will be answered in the next 100 MB of “Life is Too Short: Hack an Affair”

  15. Observer

    Brian,
    When you reported on Raja Bhatia’s response last week, something sounded fishy about him. First off, why would a company bring back their former CTO as a contractor to investigate a breach that occurred on his watch, and then secondly why would they allow him to make unscripted, “off the cuff” remarks about the breach. I remember thinking at the time that it was downright weird that the former CTO of the company would make statements that basically said “yeah, we don’t know if any of this is real- my Israel team found a bunch of fake data just this morning”. Does he not know how PGP signatures work? It didn’t smell right then, and it doesn’t smell right now. Regardless, if he were smart he would STFU and lawyer up, posthaste. There are admissions of felonies in this email archive, and while that may not be admissible in a criminal court my hunch is that there may be other evidence that is admissible. At the very least he may be facing civil liability.

  16. CooloutAC

    I could care less about the fact they ran a dating service for people cheating on romantic relationships, but the fact they lied and charged people almost 20 dollars to remove their personal info and never did, is criminal. So I found it fishy when the CTO downplayed the data dump claiming it wasn’t real, still claiming they don’t keep credit info. (probably put out the fake dumps themselves) And now there is proof peoples emails and credit cards were always on file, and they get exposed for hacking a competitors site. WOW. These guys deserve to get more then sued, I wouldn’t be surprised if they end up facing jail time.

  17. Louisa

    Hopefully he can now star in his own movie “The Mayor of Creeptown”

  18. Justin

    there are actually some far juicier details in Biderman’s email box, such as the fact that _he_ was having an affair.. check out communication with a Jasbe A. on the email dump, it doesnt leave much room for doubt. wonder how long it takes the press to pick up on that one.

    this dude practices what he preaches

  19. Delilah Perez

    Even though I commented earlier that the CEO looks like a major d-bag in that photo, I also think what the hackers did was wrong. In a free world, people should have the right to make their own choices. An older friend of mine told me that as late as 1975, women could have their entire lives destroyed merely by being caught having a drink in a gay bar, because there were often raids by the LAPD and the LASD (Sheriff’s Department). Women would be charged with all kinds of crimes, just for being in the bar.

    Wealthy families in these instances paid good money to have criminal charges against their daughters dismissed. I don’t see a difference in the two situations – what you do as a consenting adult really shouldn’t be someone else’s business.

    1. Sergey

      > In a free world, people should have the right to make their own choices.

      Well, they did. Nobody forced AM users to create their accounts. If they’re so open minded, I guess it’d be easy to persuade their spouses that lack of fidelity in a marriage is not big a deal.

      1. timeless

        Actually, some accounts were created by force. Remember: they didn’t verify email addresses.

        That means that when person A randomly enters the email address B at sign up to create an account, the person who owns email address B is now permanently marred by the action of person A. (There was an email message notifying the owner of email address B about such an action, but there was no effective way to do anything about the account.)

        And unfortunately, most people won’t bother to check to see if that’s what happened — it’s hard to prove.

        And the normal approaches of marking stuff as spam/deleting it means that whomever owns email address B won’t have any useful records. And since they could have deleted other email messages, no one would believe what the person who owns email address B says about not having been the one to create the account.

        And apparently, asking to have information removed by them (in person) didn’t actually do anything useful.

  20. Jerry

    Common sense must prevail at some point soon. Avid own their share of responsibility. Suicides will grow to their hundreds or thousands as time grays peoples judgement and perspectives. No business can even consider being a going concern with this baggage and direct accountability to their clients and revenue subscribers who pay their salaries.

    This is now blood money.

  21. brigitte

    Delilah Perez you’re point is that these adults were entitled to make their free choices. Adultary in most western countries isn’t illegal. Deception, betrayal, promotion of unrealistic delusional possibilities consequences do cause extreme pain and harm to spouses and their children. Such activities erode the marital/familial interelationships well before with discovered infidelity. Yes adults do have the freedom to make unethical dishonest choices if they so wish to gratify their basest selfseeking desires and enough seem to do so. Regardless of how much harm and hurt they cause family who trusted them, count on them to be fair. I get your point, these rights supercede all else. What’s puzzling is that you see this as so normal in people excercising their rights in infidelity, why can’t their spouses, kids, friends, etc. grasp such revelations as a non event. Also why are these AM members up to be revealed so frazzled?
    By the way your examples were poor, young singles making choices that only effected them.

    1. timeless

      Actually, some accounts were created by force. Remember: they didn’t verify email addresses.

      That means that when person A randomly enters the email address B at sign up to create an account, the person who owns email address B is now permanently marred by the action of person A. (There was an email message notifying the owner of email address B about such an action, but there was no effective way to do anything about the account.)

      And unfortunately, most people won’t bother to check to see if that’s what happened — it’s hard to prove.

      And the normal approaches of marking stuff as spam/deleting it means that whomever owns email address B won’t have any useful records. And since they could have deleted other email messages, no one would believe what the person who owns email address B says about not having been the one to create the account.

      And apparently, asking to have information removed by them (in person) didn’t actually do anything useful.

  22. harsha

    Why gmail is free or any other service who runs search engine will have made available to the whole world.
    Digital world needs to connect and big companies need valuable audience who can convert into prospective buyers or customers. Until things are free there cannot be accountability and things can be streamlined.

    1. NotGmail

      Gmail is by no means free. Everyone pays for it that buys things from anywhere. Companies that want to email their customers have to pay into whitelists for gmail, msn, yahoo, et al. This is a very expensive and time consuming process and not as simple as one might imagine.

  23. John

    Glassdoor is the next target for hackers, employees are bashing their employers and then Glassdoor is going after the employers for “subscribe and they will ‘help’ the employers to improve their score.

    1. DD

      Was the information provided the same as allaboutashley.cr? Thanks

    2. DD

      It may also mean that they are not using a complete database? Therefore, it may not have your name or address, but that may not mean that it isn’t there. What do you think? Have you checked on other search sites?

  24. jon p

    “Infiltrate” and not “exfiltrate”.
    Exfiltrate means to withdraw from an area.
    It never means to steal something or take something.

    1. Robert.Walter

      In the broader sense it means to remove something.

      The idea of object or data exfiltration is nothing new.

  25. Robert.Walter

    So who will prosecute the ALM team for its illegal activity?

Comments are closed.