When hackers broke into the dating website for adulterers, AshleyMadison.com, stealing customer lists and corporate secrets, they asked for just one thing: Shut down the website within 30 days, or face total embarrassment.
The site didn’t shut down, and this week the hackers followed through on their threat, releasing alleged customer lists, credit card data, website code and executives’ email files, including those from CEO Noel Biderman.
It used to be that the hacks we heard about in the news involved financial information, stolen identities and espionage. That still happens, but an old hacking trend has been surging to the forefront, threatening to be as devastating as it is revelatory. And these cyberattackers have just one primary goal: vigilante mayhem.
Look beyond Ashley Madison and you’ll find Hacking Team, a company that made surveillance software for law enforcement and government agencies. Cyberattackers in July released troves of data stolen from Hacking Team, purporting to prove the company had sold spyware to repressive regimes throughout the world and then lied about it.
In both cases, the companies and their customers’ lives have been turned upside down, exposed on the Internet by hackers who aren’t rivals or thieves. They aren’t blackmailing them for money either, as far as we know. They just want to see these people suffer.
Cybersecurity experts say we should rethink how we see hackers. People who break into computer systems aren’t just seeking financial gain — they can have any number of motivations, and some people like to wield power just because they can.
“Hacking is a form of power,” said Joshua Corman, an executive at Sonatype, a company that identifies security flaws in code for software developers. As a result, “the motivations for hacking will include all motivations in the human condition.”
The hackers who breached Ashley Madison chose to publicly dump the information they had as part of a seemingly moral crusade against the company and its claim it could protect users’ secrets, Corman noted.
The impact of the released information on Ashley Madison and its parent company, Avid Life Media, is hard to measure this soon. But there are already reverberations: Soon after Gawker reported that controversial family rights advocate Josh Duggar was listed as a paying user in Ashley Madison’s databases, he made a statement acknowledging he had been unfaithful to his wife. He isn’t the only one facing such a reckoning: Security researcher Brian Krebs told a reporter at Mashable.com that frantic users of Ashley Madison had reached out to him trying to learn whether they would be exposed.
“We have explained the fraud, deceit, and stupidity of [Avid Life Media] and their members,” the hackers, calling themselves Impact Team, appeared to write Wednesday. “Now everyone gets to see their data.”
The result is the online equivalent of a flaming car wreck for all of us to rubberneck.
“They really thought this through in terms of the news cycle,” said Alan Kessler, chief executive at Vormetric, a company that protects high-level data for major companies and banks. “This one is going to run for a while.”
The idea of using hacking to wreak havoc isn’t new, though people’s reasons and methods have changed over the decades. In the 1990s, the dangers came in the form of viruslike programs that displayed a marijuana leaf on users’ PCs in a form of protest known as hacktivism.
During the earliest days of Internet message boards, groups of online hecklers sought personal information on other users in order to shame them. Some of these groups specifically sought to get put on lists of banned user accounts, according to journalist Jamie Bartlett’s book on Internet subcultures, “The Dark Net.”
These days it’s more overt and painful. In 2011, a group calling themselves LulzSec breached an FBI affiliate, the US operations of Nintendo, and a handful of other companies and organizations in a period of less than three months.
Instead of selling the sensitive information, they leaked it online and bragged about it on Twitter. The odd behavior fit the group’s name, a combination of “lulz,” the Internet slang for laughing at misery, and security.
Throughout its attacks, the group would release statements justifying its actions. LulzSec said it targeted FBI affiliate InfraGard, for example, because it was “extorting” the government by asking for money to find security flaws.
Many observers are also left to wonder what LulzSec hoped to accomplish by, for example, releasing the Social Security numbers of Arizona’s law enforcement officers.
Attacks like those perpetrated by LulzSec and their peers have been noted, oddly enough, for their lack of technical sophistication. Idan Tendler, a former cyberdefense specialist with the Israeli army who now is chief executive of a network security company, said this was the case with the attack on Ashley Madison.
“Technology-wise, it’s just another example of the same method,” he said. But “the impact is definitely sensational — it’s related to the most important fears of our life.”