A hacking group has reportedly carried out its threat to publish user records if Toronto-based Avid Life Media (ALM) did not take down its cheating site Ashley Madison and dating site Established Men.
The group, calling itself The Impact Team, issued the threat in July 2015 when it claimed to have compromised ALM’s user databases, source code repositories, financial records and email system.
About 9.7Gbyte of data, including names, addresses, phone numbers, encrypted passwords and credit card transaction details for around 32 million users has been posted to the dark web using an Onion address accessible only through the Tor browser, according to Wired.
The data also includes PayPal accounts used by Ashley Madison executives, Windows domain credentials for employees, and a large number of internal documents, reports Ars Technica.
ALM said in a statement that it had “now learned that the individual or individuals responsible for this attack claim to have released more of the stolen data”.
Describing the hack as “an act of criminality”, the company said it was co-operating with law enforcement officers to find the hackers.
“The criminal, or criminals, involved in this act have appointed themselves as the moral judge, jury and executioner, seeing fit to impose a personal notion of virtue on all of society,” ALM said. “We will not sit idly by and allow these thieves to force their personal ideology on citizens around the world.”
The data dump was introduced by a notice from the hackers that said “time’s up”. The notice said ALM had “failed” and “lied to” anyone who finds their details in the data.
“Prosecute them and claim damages,” the notice said. “Then move on with your life. Learn your lesson and make amends. Embarrassing now, but you’ll get over it.”
In an initial statement that followed the hacking claim, The Impact Team accused ALM of lying about its service that allows members to erase their profile information for a $19 fee.
The hackers said that while the service promises to remove site use history and personally identifiable information from the site, users’ payment details are not in fact removed.
“Full Delete netted ALM $1.7m in revenue in 2014. It’s also a complete lie,” the hacking group wrote.
ALM claims that Ashley Madison – which has the tagline “Life is short, have an affair” – operates in more than 50 countries and has 37 million users, including more than a million in the UK.
Independent security consultant Graham Cluley said the chances are that many people who are members of the Ashley Madison website will not be happy if the leaked data is genuine.
However, he points out that if someone’s email address appears in the data, it means nothing because Ashley Madison did not verify the email addresses provided by users.
“So, I could have created an account at Ashley Madison with the address of email@example.com, but it wouldn’t have meant that Obama was a user of the site,” Cluley wrote in a blog post.
Even if the leaked database is genuine, he said the credentials stored by Ashley Madison must be considered suspect because of their “shonky” practices.
Keith Poyser, general manager for Europe at security firm Accellion, said the lesson to be learnt is that no business can afford to take cyber security and data protection lightly.
“We have seen breach after breach in the last two years, from Carphone Warehouse to Target and Sony, to name a few,” he said. “This is a cyber arms race with criminal techniques constantly evolving, which means defence against attack must also evolve.”
With the number and severity of breaches increasing every year, Poyser said it is understandable that consumer confidence in data security is sometimes low. “But steps can be taken to win this trust back and reduce the risk of further breaches while protecting reputation and market position,” he said.
Companies cannot afford the reputational loss that breaches cause, said Poyser. “Prevention makes far better sense, which means investment in security at all layers,” he said.
“Most importantly, cyber security must become part of any business culture and it must touch every segment of the work that a business does.”
According to Poyser, many businesses have solid network layer defences, asset layer management and protection, and personnel education on security, but many more still use non-secured, public cloud services or leave their content with inadequate protection.
“Content is the new battleground,” he said. “Cyber crime will only become more sophisticated and while web users will never feel completely safe, the onus is on the gatekeepers of their data to do everything in their power to keep it under lock and key.”