Sep 15

Ex-Ashley Madison CTO Threatens Libel Suit

Last month, KrebsOnSecurity posted an exclusive story about emails leaked from AshleyMadison that suggested the company’s former chief technology officer Raja Bhatia hacked into a rival firm in 2012. Now, an attorney for the former executive is threatening a libel lawsuit against this author unless the story is retracted.

According to Bhatia’s attorney, the part of the story they consider defamatory has to do with the headline of the piece, and this bit:

“A review of those missives shows that on at least one occasion, a former company executive hacked another dating website, exfiltrating their entire user database. On Nov. 30, 2012, Raja Bhatia, the founding chief technology officer of AshleyMadison.com, sent a message to Biderman notifying his boss of a security hole discovered in nerve.com, an American online magazine dedicated to sexual topics, relationships and culture.

At the time, nerve.com was experimenting with its own adult dating section, and Bhatia said he’d uncovered a way to download and manipulate the nerve.com user database.

“They did a very lousy job building their platform. I got their entire user base,” Bhatia told Biderman via email, including in the message a link to a Github archive with a sample of the database. “Also, I can turn any non paying user into a paying user, vice versa, compose messages between users, check unread stats, etc.”

Libel lawsuits in the United States are usually quite difficult and expensive for the plaintiff to win. But in Canada — where Bhatia’s attorney and AshleyMadison’s parent company Avid Life Media are headquartered — the libel laws are more complex for defendants. For example, according my consultation with a prominent Canadian digital media attorney, the onus there is on the accused to prove the disputed libelous claims are in fact true.

Nevertheless, I have no intention of posting a retraction or correcting any elements of this story. But I’m publishing a copy of the letter (PDF) from Bhatia’s lawyer in the likely event that other publications have also received libel and defamation threats from AshleyMadison and/or its current and former employees.

A story at Wired.com from Kim Zetter that ran shortly after my piece aired includes quite a few more colorful quotes from leaked emails Bhatia allegedly sent to AshMad CEO Noel Biderman.

Update, 11:49 a.m. ET: Added reference to Wired piece as the last sentence of this story.

Tags: , , ,


  1. “Raja Bhatia”: Sounds suspicious to me. Just ignore the dothead and – as someone posted earlier – stick to your principles! You do a great job!

    • A name is suspicious because it’s Indian? ‘dothead’? Jeez.

      • Well, they are known for their “creativity” aren’t they?

        • You are quite racist in your comments… guess according to you every Indian is an expert hacker.

          Jeez… go back into your closet – lest a “dothead” hack your computer and showcase your bigotry to the world.

    • “dothead”? Wow.. Shouldn’t you be on Fox News or some such right now screaming about confederate flags and America having a black Muslim president?

      • Allan’s an idiot. I’m with you on that. However, painting everyone from the South as a racist yo make your point really isn’t any better.

        • I did not call everyone in the South a racist. I did, however, imply that someone who would use the term “dothead” is likely also upset about the confederate flag bannings.

          For the record, I live in Northern Ohio and there is currently a big to-do about a local county fair board refusing to ban confederate flag sales at an upcoming fair. This is not a Southern issue, it is an American issue.

      • Now that’s a racist comment, but it is not unexpected coming from a liberal.

        • Are you honestly suggesting that people who watch Fox News and wave confederate flags AND think Obama is a secret muslim are all members of another race?

          So… is everyone who doesn’t do that a lizardperson, reverse vampire, etc.?

  2. http://naymarklaw.com/: “Website coming soon. Open Sept. 1st 2015.” Clowns or what?

  3. If the emails are authentic, as I can assume since you referred to them in your original post, they certainly point towards the afformentioned people as having an open discussion on the hackability of the AM website. I agree with the other comments that they are trying to scare you into submission since they really do have some explaining to do!

  4. When a perp sued deepcapture.com for libel, I believe the ruling of the Canadian judge before they responded resulted in their US webservers shutting down the site. They were off line for several months and have yet to reinstate the entire site content before they were sued.

    • That really depends on the hosting company. Some have a “shoot first, ask questions later” approach.
      I think Brian’s hoster is used to working with him, he probably gets DDOSed all the time.

  5. In the comment section to the article, “Who Hacked Ashley Madison?”, Brian specifically defended the CTO when i seemed to implicate him. I quote:

    Eamon Nelson
    August 27, 2015 at 5:32 pm
    3 questions for Brian:
    1) Is it fair to say that you have been in touch with the CEO and ex-CFO of AM from the initial threat to release?
    2) Are you now or have you ever been retained by AM to search out the hackers of AM.
    3) Have you previously considered or will you consider the possibility that an AM insider(the ex-CFO who hacked nerve.com) was involved in this hacking of AM. My apologires if I am treading on old turf here…I haven’t followed that closely.

    August 27, 2015 at 7:47 pm
    1) no
    2) no
    3) Insider? I believe that was mentioned by the CEO as a strong possibility in the first story about this. but the former CTO? Seems unlikely.

  6. As the Wired piece aptly points out, if we are to infer anything from previous successful convictions under the vague and overly broad interpretations of the Computer Fraud and Abuse Act, it would not be unreasonable that Raja Bhatia could expect to be extradited and prosecuted based on the alleged leaked statements. A search warrant for his personal hard drives as well as those of other current and former executives and/or contractors would be unquestionably easy to obtain based on the established relationships shared between the US and Canada. It comes as no surprise that he has retained counsel and is likely attempting to head off any potential or ongoing criminal investigation into these allegations.

  7. After reading the three paragraphs above that are the reason for which Mr. Bhatia’s lawyer is threatening to sue, I would say simply retract and state what is real. What was done is not “hacking” as much as it that he discovered a vulnerability in the website and let the website know.

    I’d say just keep it simple and clarify the statement. Anyone urging you to get involved in a lawsuit is ridiculous. That’s a whole lot of time, trouble, and money you don’t need to expend in that way.

    Further, Canadian law is significantly different than U.S. law on these topics. Even if you were to win the case, which is dubious, you would not be expanding on U.S. law, since the case is Canadian.

    And fyi, I am a lawyer for independent media. I have been approached by victims of the A.M. user data dump. The one helpful thing Ashley Madison could be doing is using DMCA notices to have the databases removed off all the many locations on Google, since the users themselves do not have DMCA rights. That would at least show that Ashley Madison cares and is respectful of the users.

    • I’d call it damage control, or pissing on a 5 alarm fire, than caring.

      • It would be greatly appreciated by the AM website users whose names have been put onto Google Fusion tables, along with their home addresses, to have AM take steps quickly to have all those Google Fusion tables removed, either as copyright violations, trade secrets, or fruits of crime. It seems like the only right and decent thing to do.

        • Quite frankly, the time for AM to act has already passed the world over several times. I say this, because all that data has been replicated across the top of the internet and is permanently stored in Internet History forever. The data that was taken has already been sold and traded over the Dark Net, and several people who had a curious bone in them already has the data, and even if Google and other Database Warehouses were forced to remove the data, all that data could easily be reintroduced. AM failed to keep their promise to keep customer data private and secured, and to maintain security standards on that data. If Raja did in fact hack nerve.com, then he needs to be held accountable for breaking several federal laws one in which particular is https://www.law.cornell.edu/uscode/text/18/1030. It also boils down to Corporate Espionage another Federal Law violated. I cannot speak to the laws broken in Canada, as I am not a Canadian.

    • Please correct me if I am wrong, but would the database basically be viewed as just statistical data, which usually is not copyrightable in the US? Would DMCA even apply to a raw dump of such data?

      • That is a very good question and a good point that you make. The data is definitely “trade secrets.” There is no benefit to Google or to the public in not removing the data.

    • Exploiting vulnerabilities to get an entire user database and then take possession of it isn’t illegal? Where are you credentialed to practice law?

      • It is interesting how your know-it-all style of rage causes you to attack the person with whom you disagree. It is an attitude not conducive to collegiality or discovery.

        Computer vulnerabilities are often discovered quite innocently and finding one is not considered a crime. In fact, finding one is often financially rewarded by the company with the vulnerability. If you wish to understand more about the U.S. law on this topic, you might wish to read the appeal on United States v Andrew Auernheimer, which addresses this particular topic.

        If a competitor finds a vulnerability in a competing website, but neither informs the competitor, nor trashes the competing website, is this a crime? That is a legal question I do not think has been addressed by the courts.

        Taken as an analogy to a physical product, if a company finds a defect in the product of a competitor, is the company required to inform the competitor?

        I am not much of a computer person. I make websites and know a little coding, and use music creation and video creation programs. Yet, I have quite innocently located vulnerabilities simply by using websites. This is not any more illegal than figuring out that a park bench is wobbly by sitting on it. If I did so and worked for a competing park bench company, I would use that knowledge to allow my company to make superior park benches. This seems to be what “competition” is all about.

        If, however, someone might be injured by the competitor’s wobbly park bench, then I might have an obligation to inform the company, the public, or some safety agency. But these are all complex questions that are not easily answered in a comment on a comment board.

        • It is my belief that searching for a vulnerability in a website is a EULAgy violation, in some jurisdictions it would be considered a DoS. (Connecticut, I’m looking at you)
          Finding one would be trespassing, if not unlawful entry.
          Not reporting one? I’ll leave that for the lawyers, it’s prolly a BAD one.
          And :) in all likelyhood he was crossing state or national boundaries during his route and therefore in violation of federal laws including the commerce clause.

          :) enjoy your naivete, this is how Aaron died.
          Welcome to the 21st century.

        • Your analogies fall far short of a crucial fact: possession of inappropriately obtained property. Try again, please. I too spend my days in the legal industry…

        • IANAL, but I believe it is very simple. A user or competitor of a web site/product has no legal obligation to report venerability or defect. Unless, there is a contractual or special relationship to the owner, I believe there is no duty owed.

          For example, if your web site has a defect (I don’t know if it does, but this is only hypothetical) that allows me to access all your client’s files, I as a member of the general public would not have a duty. Your law partners (or associates) would because of their duties to your client, opposing counsel might because of some of the clawback rules, opposing parties would generally not because they have no duty.

          Now, when it comes to moral obligation, that is a different story.

    • I question your “independence.” What you have stated is a combination of veiled-economic threat and an extension of the legal letter sent to Mr. Krebs. Also you state falsely that the ex-CTO informed the website of its vulnerability. There is no record(insofar as I am aware) of that. He DID inform his former CEO that he had the entire user base. His former CEO cried “HOLY MOLY!” and sought to push him further.The trail,to this point,ends there. Not much professional about his behaviour considering that he admittedly knew of AM’s vulnerabilities.

      • I had to look closely to see if your paranoid conspiracy comment was aimed at me. Apparently it is, so I shall address it.

        Explaining that lawsuits are exorbitantly expensive, in your mind, is a “veiled economic threat.” If someone tells you that a certain pair of shoes would cost $500, would you say that person is making a veiled threat and in a conspiracy with the shoe company, because that person knows the price? Your assertions toward and about me are absurd and disturbed.

        Many people are shocked to find that even if they were to “win” a lawsuit, it would still cost them hundreds of thousands of dollars and take up exorbitant amounts of their time for at least several years. Anyone that pushes another person to spend their money and time in that way is the one to be seriously questioned.

        It also sounds as if you have not read the letter from Mr. Bhatia’s lawyer, where he is stating that the facts are different from those presented. It is highly risky to base one’s conclusions on cherry-picked partial statements from “leaked” emails that have not even been verified as real or accurate.

        Even if emails are real, people have many different reasons for what they write in emails, and not all of them are about telling the truth. Other reasons can include bragging or social engineering to elicit information.

        The lawyer’s letter states very clearly:

        “Mr. Bhatia did not hack Nerve.com. He merely noticed a readily apparent inadequacy in the site’s security and remarked on that observation to Mr. Biderman without attempting to bypass
        its security or to exploit the gap by downloading or manipulating Nerve.com’s database”

        Noticing a “readily apparent inadequacy in a site’s security” is quite common. It isn’t hacking and it isn’t a crime. It is simply being aware that a site is not working properly.

        • I beg to differ. Conspiracy? Sorry I had not given your remarks that much thought though your sensitivities will perhaps cause me to do so. As I stated, however, your emphasis upon the need for retraction is misguided and gives an appearance of partiality. Fine, but as a lawyer you ought to know that threats-of-litigation go out all the time having, in reality, no such intent. At this point I suspect the LAST place Mr. Bhatia and his lawyer wish to be is in a courtroom. Why? “I have their user base” is a hack! Sort of as if i were to say to you. “I have all your clients, their sexual preferences, fantasies, photographs and the ability to turn any one of them into a paying or non-paying client all through a readily apparent vulnerability in you website of which i have informed only your opposing litigators.” Innocent stuff!

          • Googling “susan basko attorney” finds some amusing reading…

            Then again, in this charming new world of ours, perhaps “all publicity is good publicity.”

            • Those stalking me are no-name, no-succcess losers angry that a woman can be educated, credentialed, and effective at what she does. It is a neanderthal attempt to hold women down.

              Why do you find internet attacks on women “amusing”?

        • For starters:

          Maybe what is needed is a RICO action against the executive of Ashley Madison ( European Community v. RJR Nabisco, Inc.,)

          Let’s see kacking under the Computer and Fraud Act
          emails stating they have the entire user base. Asking with the intent in turning non-paying customer into paying customersfrom the verge.com database

          Fraud by misusing the DMCA take down notices illegally


          Fraud by indicating the number of women using the site when most of them were fembots.

          Misrepresent by asserting all over the site the security of the information when in fact internal email reveal a different story, thereby committing consumer fraud

          Promisings deletion of customer confidential information when in fact that did not occurred, whereby committing consumer fraud and theft of consumer funds

          Money laundery to off shore banks and holding companies.

          Engaging in human trafficing by soliciting women in other countries to enter false information on green cards.

          These women were used as escorts in illegal prostition

          Everyone should file a complaint with the State Attorney General of the state they reside in. Each member should file a complaint with the FTC.

          Hoepfully criminal indictments will be handed down to the sleezly excutives of this sleeze organiztion.

          Finally, Susan Basko, Esq, from your comments, I suggest brushing up on criminal law, tort law, case law, as it is surely lacking in your statements

          More is yet to be revealed!

          • I get it. By posting here as a lawyer, that brings out all the trolls with a high school education that want to “prove” they are smarter than me. It happens every time.

            Sorry, I paid close attention and took lots of notes through at least 10 years of post-secondary education and darn it, I learned a few things.

            Just for starters, let me enlighten you to the fact the Ashley Madison company is not even in the U.S. Go hurry and google about Canadian law for a minute and come back and post another reply.

            • Toll, I think not. Your criminal trial and law experience: nada…better brush up on it., it coming your way. Shouldn’t have opened pandora’s box.

              Non-US companies and executives at risk from US RICO law Second Circuit Court of Appeals
              “Potential exposure to criminal and civil liability under U.S. law must now be considered by businesses no matter where they are headquartered and operate…
              …This Letter alerts you to a new development in this area: an expansive interpretation of a U.S. law targeting money laundering and other racketeering crimes conducted outside of the United States…Typical RICO defendants now include publicly-traded companies and corporate executives and applies to the predicate acts under RICO.

              And dang it, I also took notes as well, as I have criminal legal experience and law enforcement background (criminal justice, law school), working with the FBI, DEA etc. And I beat you with two post secondary education degrees with a total of 5 earned degrees.

              Your insecurity is showing with your posts. Top lawyers do not post, troll, threaten, intimidate or monitor websites. Their action is in the court room.

              Whoever is given advice to Ashley Madison should be fired as it keeps them in the limelight with regard to the ‘ Streisand Effect Meme’. An inept attempt on the part of legal counsel to keep something hidden -which by the way should be the strategy in this case- having instead the opposite effect of publicising to the whole world.

              This in effect is a deliberate attempt on the part of Ashley Madison et al to bring more attention to the defendants in this case with cause.

              So I must believe, that the typical Hollywood strategy and biggest PR myth of all: There’s No Such Thing as Bad Publicity is being applied here in this case. A really huge blunder with a hubris belief that this will bring more business to this company disregarding the fact that other legal issues outside of this scope are being generated as we speak. Such short lived hubris will be their downfall.

        • Hmmm….threats to sue unless a retraction…I wonder where I have heard that before. Birds of a feather…etc.

  8. HA ! They willing, both past and present cannot fathom their nearly sober realistic expectations of a hack, leak, insider threat or self induced head banging on the desk.

    So they turn around and are trying to point fingers and leech out any potential cash from people who provide pretty accurate information.

    Since that missive was there working, he too should be at fault for being part of that privacy cluster…. The more I read about that place, it appears nothing more than a scam for people wanting to join something that is less than desirable in the community’s eyes.

    The only people that need to stand down and go away are those that started this mess in the first place. Inside they new they had holes, knew it was a matter of time before they got hacked and they have the mindless desire to throw mud?

    He must have been paid well in order to afford time off work to sit in a courtroom. Maybe there he will have a chance of following a process and actually doing something right (Buzzer…. wrong). Its pretty obvious that his way in the land of IT is not the path for him.

    It’s freedom of speech. And a knee-jerk reaction, since the sting of truth landed squarely upon his thick skull.

  9. Allan Ewing… your RACIST ignorance shines! People all over the world should meet you on social networks and express their dismay with your racism. You’re an embarrassment to the civilized world…

  10. A Telco Security Dweeb

    I am personally quite conversant with Canadian libel law and I would state that Mr. Bhatia is attempting to intimidate you with a lawsuit that has at best a marginal chance of success.

    While it is (partly) true that Canadian libel and defamation law differs from corresponding American law, the key consideration here would be the extent to which Mr. Bhatia could plausibly claim that his personal reputation had been “defamed” by you publishing what appear to be straight-forward assertions of fact.

    Consider, for context, that many lawsuits involving much more serious allegations of personal moral turpitude (e.g. embezzlement, sexual indiscretions, etc.) brought in Canada have failed, largely because the plaintiff was unable to establish that his or her personal reputation had been sufficiently harmed in the public sphere (or that the allegations should have been known to be untrue, on the part of the defendant), to merit damages against the defendant.

    This comes up quite frequently with litigious parties in Canada, notably the disgraced former financier Conrad Black who had a reputation of suing the news media every time they accurately reported criminal charges or convictions against him. We have also lately had the case of Jian Ghomeshi, a former CBC radio host who was accused of sexual misconduct and who threatened lawsuits against media outlets who repeated the allegations… but he had to withdraw these lawsuits upon being advised that he had a low chance of success.

    Each case is different, but I would imagine that Mr. Bhatia would have a very difficult time proving that you had “impugned his reputation” in a manner sufficient to merit actual damages… court costs are another matter, of course.

    The bottom line is, this is a classic case of attempted intimidation of the media via “libel jurisdiction shopping”. You should not stand for it, Brian. Call Mr. Bhatia’s bluff.

  11. A Telco Security Dweeb

    Oh, and one other thing about libel law in Canada — consider the recent, notorious case of Rob Ford, the (in)famous crack-smoking Mayor of Toronto.

    He repeatedly threatened the news media, notably the Toronto Star newspaper and the CBC, with lawsuits over their reporting of his personal behavior, and in one case he actually filed a suit… but had to withdraw it when it was clear that he didn’t have a chance of success.

    It is true that Canadian libel and defamation law, having been more closely derived from U.K. tradition than U.S. libel law, is somewhat more favourable to plaintiffs, than is the case in the U.S.. But it is NOT true that it allows you to be “sued any time you say something uncomplimentary about somebody”. Canadian libel law has very strict rules about what kinds of allegations are defamatory and what standards of evidence are required to prove a claim. In my view, Mr. Bhatia’s threats are nowhere near that threshold.

    • Is the loser in Canadian libel cases liable for the expenses of the winner, as in jolly old England? As David Irving was bankrupted by losing his suit against Deborah Lipstadt?

  12. As always, you shine in the reporting of security topics.
    We would all fund your defense.

    Thanks for the best security reporting on the web.

    At least this guy has a lawyer and is not a russian mobster :)

    Bash on!

  13. Start that GoFundMe for legal fees now…I’m sure you could probably raise a lot of donated money to help you defend against this brazen douchebag.

  14. Another nail in the coffin of Ashley Madison’s ethical credibility : most of the “women” that AM’s customers were engaging with were bots – only 5% of AM’s signed-up customers were female.


  15. 11 million ought to tie that wanna be CTO in courts for the lack of due diligence and admission to hacks and failure to meet the prudent man rule…


    They just don’t get it…. if they leave this stuff alone, it dies on the vine. They keep pushing the stinking crap pot on the burner, and then whack their head on a key-“bored” when they realize they are back in the spotlight.

    They are beyond hope.

  16. So the lawyer is claiming his client didn’t take the whole user base and wasn’t working for Avid Life Media at the time.

    So you only have to retract one word right? Just change the boss line to former boss.

    The lawyer trying to say his client didn’t take any data, while his client is quoted in the article saying ‘I got their entire user base’.

    Seems like an easy win.

  17. Seriously Avid Life Media and Ashley Madisons are seriously retards, unable to get their hands on the culprit, they sue anybody.

    What a bunch of fucking morons.

  18. Noel to Raja: “Do you still have [nerve.com’s] database? (On news of their acquisition.)
    Raja: “Yup”


    The most interesting legal question now is why the Toronto Police or the RCMP haven’t yet seized all of Raja’s, Noel’s, and ALM’s hardware.

  19. Brian,

    I am sure your readers around the world (I live in Ireland) would be very happy to crowdfund your defence if you get sued. This kind of stuff needs to be faced down.

  20. Keep up the good work, Brian. I don’t think this sleezeball will prevail.


  21. It sounds like you are protected by the SPEECH Act, as long as you never go to countries that will recognize a Canadian libel judgement. Good luck with that!

  22. History of shady marketers. Interesting article about the value of mailing lists for marketing and selling questionable products and where AM might fit in.


  23. We are all with you Brian, in fact if you wanted to start a legal defense fund using indiegogo we would donate of course.

  24. Cheers, Brian! I like you more already! 😉 Keep us posted on any legal defense fund!

  25. Bhatia will not sue.

    If he did, either in the United States or Canada, Krebs would be able to use the court discovery process to prove that the article was true. That means Krebs’s lawyers could force Bhatia to submit to a deposition or sworn court testimony about exactly what he did to Nerve.com, and moreover, the questions could delve into other hacks that haven’t even been revealed yet.

    That means no more hiding behind lawyer letters, he’d be forced to answer questions directly, in an oral examination, under oath. If the case was in the United States, Bhatia would probably end up taking the Fifth Amendment in a deposition so as to avoid answering what he meant by, “I got their entire user base.”

    I am honestly not sure why he is not facing criminal charges, or at least a civil suit from Nerve.com for his conduct. But Bhatia knows that if he sued, he would be placing himself in severe legal jeopardy. That’s why this is likely little more than a frivolous “take-down” type of letter with no follow-through.