Incident & Breach Response , Managed Detection & Response (MDR) , Security Operations
Pro-Adultery Dating Site HackedAttackers Threaten Data Dump Unless Ashley Madison Shutters
The extramarital-affair online dating website Ashley Madison has been hacked, and the hacking group taking credit has threatened to release full details for the site's subscribers, which reportedly number more than 37 million across 46 countries, unless the service shuts down.
The breach is a reminder that hackers can potentially expose not only the information that people share, but also the identities of those with whom they've shared it.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
A hacking outfit billing itself as "The Impact Team" has threatened to release "all customer information databases, source code repositories, financial records, emails" tied to Ashley Madison. The attackers are demanding that Toronto-based parent company Avid Life Media shut down the dating site, as well as another one of its sites, called Established Men, according to information security blogger Brian Krebs, who broke the news of the hack. The Impact Team also released online a selection of stolen data, which has since been removed, as well as a manifesto.
Avid Life Media has confirmed that it was targeted via a hack attack, in what it now labels as being an act of "cyber-terrorism." The company runs multiple sites, including Ashley Madison - tagline: "Life is short. Have an affair." - which bills itself as a dating service designed for married people, as well as the single people who want to meet them; the Established Men dating site, which promises to connect "young, beautiful women with successful men"; and CougarLife.com, which caters to older, more career-oriented women who seek younger men.
The Impact Team's manifesto threatens to publish, a.k.a. "dox," the stolen data pertaining to customers unless Avid Life Media shuts down Ashley Madison and Established Men, although it issued no such demand for CougarLife, or the company's Swappernet.com or "The Big and the Beautiful" site. "We will release all customer records, profiles with all the customers' secret sexual fantasies, nude pictures, and conversations and matching credit card transactions, real names and addresses, and employee documents and emails," the manifesto reads.
Avid Life Media says in a statement released July 20 that it launched an investigation and brought in outside digital forensic experts after learning of the suspected intrusion. "At this time, we have been able to secure our sites, and close the unauthorized access points," Avid Life Media says. "We are working with law enforcement agencies, which are investigating this criminal act."
But later on July 20, cybersecurity expert Alan Woodward reported that the Ashley Madison website appeared to only be intermittently online, apparently after coming under sustained distributed denial-of-service attacks, although no one immediately claimed credit for any such disruption.
Not a good day for Ashley Madison as site now goes offline - is someone having a go? pic.twitter.com/K3jsWL7JkTï¿½ Alan Woodward (@ProfWoodward) July 20, 2015
The apparent Avid Life Media hack attack comes just two months after a hack attack against a similar hookup site, Adultfriendfinder.com, which bills itself as being a "thriving sex community" (see Dating Website Breach Spills Secrets).
"Companies such as these two, they completely rely on discretion," says Noa Bar-Yosef, a vice president at data exfiltration prevention firm enSilo. "For instance, with my bank, my trust is within my belief that it should secure my financials. If my money is going to be stolen, whether because a banker stole it or it wasn't put in the safe or whatever, I would stop banking there because that's the basis of my relationship with the bank."
London IPO Planned
Avid Life Media had been planning to launch an initial public offering - valuing the company at up to $200 million - later this year in London. Due to Europeans' more liberal attitude toward affairs, "Europe is the only region where we have a real chance of doing an IPO," Christoph Kraemer, the Avid Life Media's head of international relations, told Bloomberg earlier this year. The company reports that its Ashley Madison site saw sales of $115 million in 2014.
Avid Life Media previously aborted a planned $60 million IPO on the Toronto Stock Exchange in 2010.
But those technologies and practices appear to have been insufficient to protect the company's customers from having their personal details swiped.
One outstanding question is whether the hack attack will lead customers or prospective customers to avoid the site, because they no longer trust it. "I believe that somebody who would want to go to that site, that's the basic building block," Bar-Yosef says. "They've built their trust around the discretion. Now the minute that that trust is broken, the question [becomes] ... do they have even a demand now for their existence, because their whole existence was built on that trust."