Ashley Madison: Everything to Know about the Security Leaks
In July, a group calling themselves the Impact Team hacked into Ashley Madison, a dating website that encourages married couples to have affairs. The website is owned by Avid Life Media, which has been in business since 2001.
Apparently, the Impact Team was disgusted by the website’s tagline, “life is short, have an affair.” They claim to be hacktivists, and they called the men who would use Ashley Madison “cheating dirtbags [who] deserve no such discretion.”
The Impact Team was also offended by the company’s business practices. According to a statement made by the group, one of the practices with which they took issue was the “full delete” feature. Ashley Madison had claimed that they would completely wipe a cheater’s information from their site, if the client paid $19.
The Impact Team claims this service increased the revenue of Avid Life Media by $1.7 million in 2014. However, the team calls the full delete feature, “a complete lie,” because, “users almost always pay with a credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.” Thus, the group claims that Avid Life Media is profiting from a service that does not work.
The Impact Team has threatened to target other companies that make millions of dollars “profiting off pain of others, secrets, and lies.” They may also go after politicians whom they see as corrupt.
How Did The Impact Team Attack?
Joel Eriksson, who is the CTO of Cycura, a company investigating the situation, said, “there is no indication of any software vulnerability being exploited during this incident.” Since there wasn’t a software issue, Avid Life Media believes the attacker may have been a former employee who had access to the company’s networks.
Neil Biderman, CEO of Avid Life Media, believes this fact will help them discover the culprit. In fact, he thinks he already knows who did it and had “their profile right in front of me, all of their work credentials. It was definitely a person here that was not an employee but certainly had touched our technical services.”
When Did The Hacks Occur?
The media received the hacked files on August 18. The dates on those files suggest the hackers first extracted information from the servers on July 1, and the last date that they signed in was July 11. Thus, the information leaked was compiled over a ten-day period.
It is likely that the hackers were exploring the system before July 1, though. The fact that they were able to take such a large amount and variety of information suggests they had been researching the network for a long time.
The Impact Team had initially threatened Avid Life Media on July 19. They demanded that ALM take down AshleyMadison.com and ExceptionalMen.com, a website that connects women to “rich sugar daddies.” Since the ReadMe file was released on August 18, this shows the Impact Team had given ALM exactly 30 days to disable these two websites.
What Information Was Stolen?
The Impact Team has released names, e-mail addresses, partial credit card numbers, addresses, members’ sexual preferences, and more. While they have released 20 GB of data, they claim to have 300 more, including pictures and messages. They have promised not to release explicit photographs or employee e-mails, but they may release the contact information for “other executives.”
In an August 19 press release, Avid Life Media denies the accusation that any credit card numbers were stolen during this security breach because they do not store the full credit card numbers of current or past subscribers.
More damaging to the company may be the most recent release, which seems to be source code for the website. With this information, it will be nearly impossible for ALM to keep customers’ data secure, and it reveals the company’s intellectual property, which will make it easy for designers to create a similar business.
How Did The Company Succeed And Fail To Protect Users?
Ashley Madison did not store full credit card numbers, which ensured that hackers could not steal financial information from clients. In addition, they hashed client passwords, so these could not be discovered. While this probably means little to the clients who have now had their personal information released to the public, it could have been worse.
However, the company did not do enough to hide customers’ personal information or the credit card transactions. Additionally, Ashley Madison recorded IP addresses and stored these for five years. This made it easy for the press to discover that government employees had been logging in to a cheating website while they were supposed to be working. In fact, a Justice Department trial lawyer, two U.S. assistant attorneys, and a hacker working for the Department of Homeland Security have all been identified.
What’s Being Done?
Ashley Madison denies that these hackers are trying to prove a point. Instead, in a recent statement, the CEO declared this “an act of criminality,” and they have promised they are “actively monitoring and investigating” this situation. However, experts have argued this was not just some hackers “having fun.” These analysts claim the Impact Team seems to legitimately hate ALM and wants to completely destroy their business.
ALM is working with independent security experts, the Ontario Provincial and Toronto police services, the Royal Canadian Mounted Police, and the FBI to investigate this matter. They are calling for information from anyone who might know more about this data release.
While Eriksson has assured customers that the company is working to better secure the network, the company is in a time crunch to discover and close other vulnerabilities so that other hackers cannot find and exploit these weaknesses.