Leaked emails from adultery dating website Ashley Madison implicate the company in the hacking of the user database of a rival website by the company’s own chief technology officer.
The emails suggest that Ashley Madison CTO Raja Bhatia discovered a security glitch in nerve.com, a magazine website dedicated to relationships, which started up its own adult dating section.
But in an email to Ashley Madison CEO Noel Biderman dated 30 November 2012, Bhatia suggested that he had found a way of accessing nerve.com’s entire user database – and could even manipulate user information on the website, according to security specialist Brian Krebs.
“They did a very lousy job building their platform. I got their entire user base,” Bhatia told Biderman in an email. Bhatia included a link to a Github archive with a sample of the nerve.com database. “Also, I can turn any non paying user into a paying user, vice versa, compose messages between users, check unread stats, etc,” he wrote.
It is not clear, though, whether Bhatia was “penetration testing the rival”, for whom Ashley Madison had considered a $20 million takeover offer, or whether the data was downloaded and used in some way.
The emails also indicate a particular focus on security at the company in the months leading up to the revelations, in July, that Ashley Madison’s owner, Avid Life Media, had been hacked.
One member of staff, Mark Steele, wrote in an email to Biderman on 25 May 2015 that the company’s platform was “riddled” with cross-site scripting and cross-site request forgery vulnerabilities “which are relatively easy to find (for a security researcher)… other vulnerabilities would be things like SQL injection/data leaks, which would be much more damaging”.
The breach was discovered only on the morning of 12 July 2015, after the hackers had enjoyed access for months, according to the police in Toronto, Canada, today. That was when staff arrived at work to be greeted, on logging in to their PCs, with a message from “The Impact Team”, the alleged hackers behind the attack, accompanied by Thunderstruck, by AC/DC.
Belatedly, the company today offered a $500,000 reward for information leading to the arrest and prosecution of the hackers behind the attack – although whether the company will survive long enough to pay out is another matter.
Today, there were reports of suicides as a result of the data release last week from the hackers, while there have also been reports of extortion attempts by people and organisations that have trawled the data-dump email addresses and other identifying information.