The Impact Team hacking group targeting cheating site Ashley Madison has released a second set of sensitive data including emails of the CEO of the parent company Avid Life Media (ALM).
On the 19 August 2015, the group carried out its threat to publish user records if ALM did not take down Ashley Madison and dating site Established Men, first publishing 9.7GB and now13GB of data.
The hackers issued the threat in July 2015 when they claimed to have compromised ALM’s user databases, source code repositories, financial records and email system.
The Impact Team has encouraged ALM’s customers, including one million in the UK, to sue the company for failing to keep their data safe.
The group has also accused ALM of lying about its service that claimed to delete members’ profile information for a $19 fee. “Full Delete netted ALM $1.7m in revenue in 2014. It’s also a complete lie,” the hacking group said.
The first set of data included personal details and financial transaction histories for around 32 million Ashley Madison members, including UK civil servants, US officials, members of the US armed forces and top executives at European and North American corporations.
The latest set of data was also posted to the dark web using an Onion address accessible only through the Tor browser and includes source code from the website, internal emails and a note to the company’s founder Noel Biderman.
In response to ALM’s statement that the first set of data may not be authentic, the hackers accompanied the second set of data with a note saying: “Hey Noel, you can admit it’s real now.”
One file appears to contain nearly 14GB of data from the Biderman’s email account, but the file is zipped and appears to be damaged, reports the BBC.
Tim Erlin, director of IT security and risk strategy at Tripwire, said that while the target of the attack and breach may be Ashley Madison, there is significant collateral damage with the release of so much personal information.
“The collection of so much data isn’t a simple task. This attack was targeted and persistent,” he said.
Ken Westin, senior security analyst at Tripwire, said the breach and resulting data dump was a personal attack with the goal of retribution.
“The goal was to expose and shame ALM and try to push the company to shut down two of their most profitable properties. The exposure of the users and the site was collateral damage,” he said.
According to Westin, the additional release of information regarding the company and emails reveals just how deeply the breach was.
“This is reminiscent of the Sony breach, which was also personal and the goal was to embarrass and shame the company and executives,” he said.
Other security commentators have noted the exposure of the Ashley Madison’s source code could make the website vulnerable to attackers for as long as it remains operational.