July 26, 2022

It’s been seven years since the online cheating site AshleyMadison.com was hacked and highly sensitive data about its users posted online. The leak led to the public shaming and extortion of many Ashley Madison users, and to at least two suicides. To date, little is publicly known about the perpetrators or the true motivation for the attack. But a recent review of Ashley Madison mentions across Russian cybercrime forums and far-right websites in the months leading up to the hack revealed some previously unreported details that may deserve further scrutiny.

As first reported by KrebsOnSecurity on July 19, 2015, a group calling itself the “Impact Team” released data sampled from millions of users, as well as maps of internal company servers, employee network account information, company bank details and salary information.

The Impact Team said it decided to publish the information because ALM “profits on the pain of others,” and in response to a paid “full delete” service Ashley Madison parent firm Avid Life Media offered that allowed members to completely erase their profile information for a $19 fee.

According to the hackers, although the delete feature promised “removal of site usage history and personally identifiable information from the site,” users’ purchase details — including real name and address — weren’t actually scrubbed.

“Full Delete netted ALM $1.7mm in revenue in 2014. It’s also a complete lie,” the hacking group wrote. “Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.”

A snippet of the message left behind by the Impact Team.

The Impact Team said ALM had one month to take Ashley Madison offline, along with a sister property called Established Men. The hackers promised that if a month passed and the company did not capitulate, it would release “all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails.”

Exactly 30 days later, on Aug. 18, 2015, the Impact Team posted a “Time’s up!” message online, along with links to 60 gigabytes of Ashley Madison user data.

AN URGE TO DESTROY ALM

One aspect of the Ashley Madison breach that’s always bothered me is how the perpetrators largely cast themselves as fighting a crooked company that broke their privacy promises, and how this narrative was sustained at least until the Impact Team decided to leak all of the stolen user account data in August 2015.

Granted, ALM had a lot to answer for. For starters, after the breach it became clear that a great many of the female Ashley Madison profiles were either bots or created once and never used again. Experts combing through the leaked user data determined that fewer than one percent of the female profiles on Ashley Madison had been used on a regular basis, and the rest were used just once — on the day they were created. On top of that, researchers found 84 percent of the profiles were male.

But the Impact Team had to know that ALM would never comply with their demands to dismantle Ashley Madison and Established Men. In 2014, ALM reported revenues of $115 million. There was little chance the company was going to shut down some of its biggest money machines.

Hence, it appears the Impact Team’s goal all along was to create prodigious amounts of drama and tension by announcing the hack of a major cheating website, and then letting that drama play out over the next few months as millions of exposed Ashley Madison users freaked out and became the targets of extortion attacks and public shaming.

Robert Graham, CEO of Errata Security, penned a blog post in 2015 concluding that the moral outrage professed by the Impact Team was pure posturing.

“They appear to be motivated by the immorality of adultery, but in all probability, their motivation is that #1 it’s fun and #2 because they can,” Graham wrote.

Per Thorsheim, a security researcher in Norway, told Wired at the time that he believed the Impact Team was motivated by an urge to destroy ALM with as much aggression as they could muster.

“It’s not just for the fun and ‘because we can,’ nor is it just what I would call ‘moralistic fundamentalism,'” Thorsheim told Wired. “Given that the company had been moving toward an IPO right before the hack went public, the timing of the data leaks was likely no coincidence.”

NEO-NAZIS TARGET ASHLEY MADISON CEO

As the seventh anniversary of the Ashley Madison hack rolled around, KrebsOnSecurity went back and looked for any mentions of Ashley Madison or ALM on cybercrime forums in the months leading up to the Impact Team’s initial announcement of the breach on July 19, 2015. There wasn’t much, except a Russian guy offering to sell payment and contact information on 32 million AshleyMadison users, and a bunch of Nazis upset about a successful Jewish CEO promoting adultery.

Cyber intelligence firm Intel 471 recorded a series of posts by a user with the handle “Brutium” on the Russian-language cybercrime forum Antichat between 2014 and 2016. Brutium routinely advertised the sale of large, hacked databases, and on Jan. 24, 2015, this user posted a thread offering to sell data on 32 million Ashley Madison users:

“Data from July 2015
Total ~32 Million contacts:
full name; email; phone numbers; payment, etc.”

It’s unclear whether the postdated “July 2015” statement was a typo, or if Brutium updated that sales thread at some point. There is also no indication whether anyone purchased the information. Brutium’s profile has since been removed from the Antichat forum.

Flashpoint is a threat intelligence company in New York City that keeps tabs on hundreds of cybercrime forums, as well as extremist and hate websites. A search in Flashpoint for mentions of Ashley Madison or ALM prior to July 19, 2015 shows that in the six months leading up to the hack, Ashley Madison and its then-CEO Noel Biderman became a frequent subject of derision across multiple neo-Nazi websites.

On Jan. 14, 2015, a member of the neo-Nazi forum Stormfront posted a lively thread about Ashley Madison in the general discussion area titled, “Jewish owned dating website promoting adultery.”

On July 3, 2015, Andrew Anglin, the editor of the alt-right publication Daily Stormer, posted excerpts about Biderman from a story titled, “Jewish Hyper-Sexualization of Western Culture,” which referred to Biderman as the “Jewish King of Infidelity.”

On July 10, a mocking montage of Biderman photos with racist captions was posted to the extremist website Vanguard News Network, as part of a thread called “Jews normalize sexual perversion.”

“Biderman himself says he’s a happily married father of two and does not cheat,” reads the story posted by Anglin on the Daily Stormer. “In an interview with the ‘Current Affair’ program in Australia, he admitted that if he found out his own wife was accessing his cheater’s site, ‘I would be devastated.'”

The leaked AshleyMadison data included more than three years’ worth of emails stolen from Biderman. The hackers told Motherboard in 2015 they had 300 GB worth of employee emails, but that they saw no need to dump the inboxes of other company employees.

Several media outlets pounced on salacious exchanges in Biderman’s emails as proof he had carried on multiple affairs. Biderman resigned as CEO on Aug. 28, 2015. The last message in the archive of Biderman’s stolen emails was dated July 7, 2015 — almost two weeks before the Impact Team would announce their hack.

Biderman told KrebsOnSecurity on July 19, 2015 that the company believed the hacker was some type of insider.

“We’re on the doorstep of [confirming] who we believe is the culprit, and unfortunately that may have triggered this mass publication,” Biderman said. “I’ve got their profile right in front of me, all their work credentials. It was definitely a person here that was not an employee but certainly had touched our technical services.”

Certain language in the Impact Team’s manifesto seemed to support this theory, such as the line: “For a company whose main promise is secrecy, it’s like you didn’t even try, like you thought you had never pissed anyone off.”

But despite ALM offering a belated $500,000 reward for information leading to the arrest and conviction of those responsible, to this day no one has been charged in connection with the hack.


55 thoughts on “A Retrospective on the 2015 Ashley Madison Breach

  1. Scott Stone

    You’re the man Krebs. Keep up the great reporting.

    1. diplo

      agreed.. Senor Krebs is the man next to the Man.
      85% fake profiles, just like twitter responses, facedump aka metaturd.
      How many other social media websites have fake accounts and are bs

      1. mealy

        I’m not seeing “85% of twitter is fake” except from Elong Musk’s titterbots…

  2. YG

    Still can’t believe the number of real users that site had.. great reporting Brian, appreciate you.

  3. Jim Dewey

    Not that I’m pro nazi, but what the hell does that have to do with anything? I don’t guess you found any evidence of communists being upset with AM? Probably because they are okay with all the perversion. You seem to enjoy working your political angles into this stuff more and more. Can’t say I’m surprised.

    1. BrianKrebs Post author

      Did you actually read the story before commenting, Jim? Not sure how you could come away with the conclusion that this story is somehow “political.”

      1. Anony-mouse

        The funny thing is that people are waving the word “political” around like a weapon because the USA is so polarised. They blindly rage without making any distinctions.
        It is entirely possible for a hack to be politically motivated and a reporter like you to simply report what their investigation found. The article would be about the hack and why the hack happened NOT about driving a political agenda. Knee jerk reactions without proper comprehension is pathetic.

        1. mealy

          “Knee jerk reactions without proper comprehension is pathetic.”

          He loads the irony and cocks it, begins to clean the bore…

      2. Foo bar

        The mention of the DailyStormer seemed really out of left-field. You discussed a hack of the database and where it was leaked originally which makes sense. That was followed by seemingly unrelated hot-takes from a far-right site, it implies correlation between the two but rereading the article it’s not at all clear why.

        1. SC

          It’s not clear why? Brian mentioned multiple times that discussion of AM, ALM, and its CEO picked up substantially in both cybercrime spaces and far right–and specifically Neo Nazi–in the months leading up to the hack. That is incredibly relevant, is it not?

          Perhaps you should stop getting your undies in a bunch because Nazis were mentioned in a negative light.

      1. SamD

        Isn’t that a standard disclaimer for Steve Bannon and Alex Jones?

        1. Adult Reader

          Good boy! Fight those Nazis from your mom’s basement

          1. Back to the shadows Q

            Incels, white chauvinists, and grown men living in their mom’s basement… are the ones most likely to be Trump supporters.
            Fighting Nazis should be done first online to stop the spread of hate speech and to prevent them from recruiting other young people. Shove them back into the shadows, back into the shameful corners of society, before they get too big and start goosestepping in the public square like they did in Charlottesville and the at the Capitol.

      2. mealy

        Definitely an important thing to preface everything you say with, if you’re NOT a nazi.
        xD

      3. no more q

        Jim Dewey has already shown he’s a Qanon believer on a previous article. Nazi sympathizer isn’t a stretch.

    2. John H

      Imagine getting upset on behalf of nazis and then complaining someone else is being political. You sir, are the one being political here kek.

    3. SC

      Why is it that any time nazis, fascists, or white supremacists mentioned “totally not nazi” folks pop up with “what about the communists/antifa???”

      It’s remarkable how you all don’t speak up about “making things political” by popping up in Breitbart and comments about BLM with “yeah but what about Atomwaffen?”

      If Brian was investigating a hack of a site and noted that a bunch of leftists had suddenly started discussing it a few months ago, would you be in here asking why he isn’t focusing on Nazis?

      1. Jim Dewey

        I guess we’ll never know because Brian only mentions right wingers as antagonists in his articles. You sympathizers always step up to the plate for him like an army of bots. The old saw is true. Birds of a feather stick together.
        Me? I’m just here to remind you not everyone is as naïve as you are. Have a nice day…

        1. Go away white supremacists

          Must be hard to type with one hand while the other is either doing a Nazi salute, or giving your dear leader a reach around.

    4. Dick Curtis

      Nazi involvement is relevant because back in WWII they murdered six million Jews and the CEO of Ashley Madison was Jewish. Correlation does not equal causation but the fact the politics have lined up in opposition before is part of the conversation.

  4. jdmurray

    What other “crooked companies” did Impact Team exact vengeance on for their “broken privacy promises?” My public email addresses was used by ALM to create a fake account; I never received any restitution from Impact Team.

  5. an_n

    “researchers found 84 percent of the profiles were male.” That low?

  6. KDpunshon

    LOL – I was thinking the same thing – only 84% were males! “….fewer than one percent of the female profiles on Ashley Madison had been used on a regular basis, and the rest were used just once — on the day they were created..” Sounds like this ALM company was taking the proverbial piss out of men’s desires for sex to make alot of money. Cannot say my heart goes out to any of them.

  7. anon

    Well….

    It is a bit perplexing as to the identity of the Impact Team, when some many other groups have been tipped off and/or their members have been identified.

    Somebody had a grudge, and in the end that could have been anyone from any particular nation. And there is no reason not to also consider this was a nation-state actor pulling this off as well. (Russian, Ukrainian, China, Iran, Israel, or the Five Eyes).

    There was no financial gain, other than putting someone else of having a financial gain. And who knows what else? Ashley Madison for all we know was also into espionage and blackmail, besides the adultery overtones.

    1. anon_xx

      “.. nation state actor…” 🙂
      If interested whodunit, just check this (Brian’s) blog.
      Optionally, see comments on: ‘site:schneier.com squid found on sandbar’

  8. luciuscornelius

    > a bunch of Nazis upset about a successful Jewish CEO promoting adultery.
    Poor successful CEO targeted by those mean Nazis! That sleazeball deserves no sympathy. Imagine making money off breaking people’s marriages. Who would come up with such an idea?

    1. Catwhisperer

      Corporate America would with glee. Have you ever read “Bold Capital” by T. J. Dunning? Here is the pertinent excerpt (discussing profit):
      “…; 100 per cent. will make it ready to trample on all human laws; 300 per cent., and there is not a crime at which it will scruple, nor a risk it will not run, even to the chance of its owner being hanged. If turbulence and strife will bring a profit, it will freely encourage both. Smuggling and the slave-trade have amply proved all that is here stated.”

    2. mealy

      ” Imagine making money off breaking people’s marriages. Who would come up with such an idea?”

      Imagine you having an opinion without understanding marriage, divorce, court, litigation, any of it?
      What you think they work for free? Are you from a communist country or just unburdened by reality?

    3. Dave J.

      So you could have left out the “mean Nazis” part and I may have agreed with you. But when you preface it that way it kinda feels like you might be pro-Nazi. SMH

      1. NotDave

        No need to virtue signal here, Dave. This isn’t reddit.

  9. Catwhisperer

    Ah, the good old days. It’s been a while since I thought of Ashley or Seeking Arrangement. The moral of this story is always beware that engineer whom you shafted that also has your passwords, LOL…

    1. an_n

      Why are you perpetuating that everyone does as if it’s true?

  10. Bob Brown

    I still wonder whether the Ashley Madison and OPM hacks were related. Imagine a list of adulterers with security clearances. Even if they’re not related, whoever has the OPM data could match it with the leaked Ashley Madison data.

  11. Dennis

    Maybe in this case, not justifying a Hack, the results might be good ones. I mean : lessons learned guys, all those female profiles are mutually fake and you are surrounded by a group of men. I‘m really wondering about the amount of puppets / fake profiles around Twitter…

  12. K A

    A bit on a tangent… but when companies/websites give you the option to delete/remove history, etc. – I’ve always wondered just how complete these “deletions” really are. Like when I “delete” my Google search/web/etc. history — is the info truly removed from all Google data centers – or just hidden from my view??

  13. Dave Horsfall

    Any sentence that starts with “l’m not pro-N*zi” is right up there with “Some of my best friends are Jews”.

    1. mealy

      Maybe people criticizing a genocidal fascist hellscape are the “real” bigots?
      Maybe they just liked trains that run on time, leather boots and funny walks?
      Thought experiment, maybe Hitler was just really, really ironic yet inarticulate?
      I mean, were any of us there? Let’s try to keep an open mind about fascism.
      Everyone’s so quick to jump to “Earth is round” conclusions about things… jeez.

      1. GoBackToTwitterMealy

        Ha! So funny and original, mealy.

  14. Thorvald

    “Trusted Security Award.” “SSL Secure Site.” “100% Discreet Service.” LOL

  15. Philip

    Brian’s retrospective was great and prompted me to see if Ashley Madison is still around.

    Apparently it is alive, although they go to great pains to say that they’ve dealt with the bot problem. Their explanation is carefully worded, especially since they created the bots / dummy accounts in the first place.

    Digging deeper, it seems that their business model is largely based on monetizing internal message traffic between members. Effectively you pay to have a conversation with someone, whether it leads anywhere or not. In some ways, it’s in the provider’s best interest that someone does not consummate the deal (so to speak), and continues messaging members for an extended period.

    I make no moral judgements about these users, but on these kind of sites, there really is leap of faith that the provider has very good security protections in place. This isn’t Equifax, so why someone would sign up or continue to give them their business is beyond me.

  16. Dave Horsfall

    Well, if they were reputable then they will have backups of course (going way back), and if they were really reputable then they would not use them for nefarious purposes. The question is: given Google’s past, would you trust them?

    BTW, Google is not the only search engine on the planet (I use DuckDuckGo, as do my colleagues; no, we have no connection with them apart from a common interest in privacy).

    1. JamminJ

      DuckDuckGo was criticized in May 2022 when researchers discovered that some Microsoft tracking scripts were found while using DuckDuckGo’s browsers. The presence of Microsoft trackers seems to fly in the face of the search engine’s privacy promise, and DuckDuckGo’s founder and CEO clarified on Reddit that the company is “currently contractually restricted by Microsoft” from stopping Microsoft scripts from completely loading because the company uses Microsoft’s Bing to power its search results.

      Don’t trust Google? You trust Microsoft? And their affiliates?
      Internet Search Engines are free for users… which means we are the product they sell to others.

      1. an_n

        That’s night and day different : DDG isn’t selling the data. MS and Goog do so. DDG isn’t profiting from it.
        DDG doesn’t remove all internet tracking possible but it’s still better for it, and coupled with adblocking addons you can strip any residual trackers out. Equivocating MS and Google with DDG is not realistic.

        1. JamminJ

          Agreed. They aren’t equivalent. DDG is still far better than Bing, Google and others.
          And yes, people should absolutely overlap privacy protections with browser addons from other reputable sources. The EFF recommends a few. Just didn’t want people thinking just using DDG is an easy solution to all privacy concerns.

      2. Dave Horsfall

        Of course I don’t trust M$ any more than I trust Google (there are many alternatives to both); my favourite OS is ABW i.e. “Anything But Windoze” (I’m currently using MacOS, FreeBSD, and Linux). Wasn’t aware of the DDG issue, but see previous statement. I also run adblockers which are quite effective, and whenever I encounter a site that insists I disable them then I go elsewhere or forget about it. I also watch ad-free (and free-to-air) TV.

        Yes, I suppose you could call me an anti-commerce hippie…

  17. Mike

    So let’s see: of the AM userbase, there were some ~84% male profiles, 15% fake female profiles, and maybe 1% or less real female profiles. So the “men” who signed up for affairs were really just joining a virtual sausage fest?

    I have no sympathy for the cheaters who signed up for this site and had their personal information leaked to the web.

  18. Elizabeth Ruth

    I never thought I could get scammed of my Bitcoin , I never new these investments were fake . I never knew I was getting lured into loosing my money , I was depressed and in anger but all thanks to Adam Wilson for the help and professional service offered to me in my time of need . Thanks to Kate for sending me this contact. Adamwilson. trading at consultant dot com
    helped me recover my lost funds from Bitcoin investment . I couldn’t believe it .

  19. Sebastian

    why u have js from gstatic.com? (bots?)

    finally, its romance scam at its best for best agers.

Comments are closed.