Extra-marital dating site Ashley Madison has been the subject of a massive hack that puts the private information of its users at serious risk of being exposed.
The hackers, known as The Impact Team, have threatened to release information about 37m customers if Ashley Madison’s parent company, Avid Life Media, fails to shut down Ashley Madison and Established Men.
The attackers claim to have penetrated the private database of the site’s parent company, Avid Life Media (ALM), and say they now have access to information including financial records, salary information and user profiles.
In an online manifesto, the hackers outlined their reasons for the infiltration, saying that their actions were a response to the site’s Full Delete system, which they believe “is a complete lie”.
Ashley Madison’s “full delete” feature is sold to customers for a $19 fee, and promises to erase all customer information, including payment details.
However, the hackers have said the feature does not actually delete user payment details, meaning that their personal information is not deleted as promised.
The hackers wrote: “Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails. The other websites may stay online.
“Too bad for those men, they’re cheating dirtbags and deserve no such discretion.
“Too bad for ALM, you promised secrecy but didn’t deliver … And with over 37 million members, mostly from the US and Canada, a significant percentage of the population is about to have a very bad day, including many rich and powerful people”, they added.
Ashley Madison, whose slogan is “Life is short. Have an affair,” claims to have over 37,565,000 anonymous members currently using the site.
The Impact Team has already released a small amount of the stolen data, and has threatened to release more every day until the sites are taken down.
ALM Chief Executive Noel Biderman confirmed the hack, and said the company was “working diligently and feverishly” to find out who was responsible for the breach.
The CEO said it might be the fault of someone who had legitimate access to the company’s network for a brief time.
He said: “We’re on the doorstep of [confirming] who we believe is the culprit, and unfortunately that may have triggered this mass publication. I’ve got their profile right in front of me, all their work credentials. It was definitely a person here that was not an employee but certainly had touched our technical services.”
Interestingly, the hackers posted leaked documents saying that the company was aware of the possibility of a hack.
One document was a feedback form sent round to ALM employees, who were asked: “In what area would you hate to see something go wrong?”
ALM’s chief technology officer Trevor Stokes said: “Security. I would hate to see our systems hacked and/or the leak of personal information.”
Biderman told KrebsOnSecurity: “We’re not denying this happened. Like us or not, this is still a criminal act.”
This latest hack comes just under two months after hackers obtained and leaked user information from millions of accounts on the adult hookup site AdultFriendFinder.
UPDATE: Ashley Madison has just released a statement:
We were recently made aware of an attempt by an unauthorized party to gain access to our systems. We immediately launched a thorough investigation utilizing leading forensics experts and other security professionals to determine the origin, nature, and scope of this incident.
We apologize for this unprovoked and criminal intrusion into our customers’ information. The current business world has proven to be one in which no company’s online assets are safe from cyber-vandalism, with Avid Life Media being only the latest among many companies to have been attacked, despite investing in the latest privacy and security technologies.
We have always had the confidentiality of our customers’ information foremost in our minds, and have had stringent security measures in place, including working with leading IT vendors from around the world. As other companies have experienced, these security measures have unfortunately not prevented this attack to our system.
At this time, we have been able to secure our sites, and close the unauthorized access points. We are working with law enforcement agencies, which are investigating this criminal act. Any and all parties responsible for this act of cyber-terrorism will be held responsible.
Avid Life Media has the utmost confidence in its business, and with the support of leading experts in IT security, including Joel Eriksson, CTO, Cycura, we will continue to be a leader in the services we provide. “I have worked with leading companies around the world to secure their businesses. I have no doubt, based on the work I and my company are doing, Avid Life Media will continue to be a strong, secure business,” Eriksson said.