HACK BRIEF: ATTACKERS SPILL USER DATA FROM CHEATING SITE ASHLEY MADISON
When a dating website’s slogan invites users to “have an affair,” its user database is a blackmailer’s dream. Now hackers have stolen that sensitive personal information from the “cheating” site AshleyMadison.com, and they’re using it not to blackmail the site’s users, but to demand the shutdown of the site itself.
The Hack
On Sunday, Avid Life Media, owner of AshleyMadison.com, the social network for married people seeking to have affairs, admitted in a statement that it had been the target of a serious hacker intrusion. According to KrebsOnSecurity, which broke the news, the hackers have published samples of stolen data, which appears to include information on the site’s nearly 40 million users, company financial data such as salary figures, and even maps of the company’s internal network.
“We apologize for this unprovoked and criminal intrusion into our customers’ information,” reads a statement from the company sent to WIRED. “The current business world has proven to be one in which no company’s online assets are safe from cyber-vandalism, with Avid Life Media being only the latest among many companies to have been attacked, despite investing in the latest privacy and security technologies.”
Who’s Affected
At first glance, the breach seems like an almost unprecedented personal privacy disaster: Any of the millions of users of AshleyMadison.com seeking a discreet extramarital affair could potentially have had their identifying data stolen by the hackers. As Krebs reported, the hackers have already published examples of that user data, though it’s not clear precisely what personal information it included. In a follow-up statement to WIRED from Avid Life Media Monday morning, the company writes that it has used copyright infringement takedown requests to have “all personally identifiable information about our users” deleted from the unnamed websites where it was published. But that’s no guarantee that the hackers won’t publish the data again elsewhere or sell it to others who could use it for fraud or blackmail.
But the real target of the hack doesn’t appear to be Ashley Madison’s users so much as the site itself. According to a statement from the hackers, who call themselves the Impact Team, they seek nothing less than the shutdown of Ashley Madison. They say they’ll continue to leak its information on a daily basis until Avid Life Media shuts down both Ashley Madison and another Avid Life Media site, Established Men.
“Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails,” the statement reads, as republished by Krebs. “The other websites may stay online.” The only other site Avid Life Media runs is Cougar Life, which connects older women with younger men.
The hackers’ statement indicates they targeted Avid Life Media not only for the questionable social mores it encourages, but also for what they describe as a dishonest offer from the company to delete users’ information for a $19 fee, when in fact that information was still kept in ALM’s servers. “Too bad for those men, they’re cheating dirtbags and deserve no such discretion,” the hackers’ statement continues. “Too bad for ALM, you promised secrecy but didn’t deliver.”
How Serious Is This?
It’s hard to decide who ought to be more worried: Ashley Madison’s owners or its users. Both have apparently had their most sensitive data stolen by hackers who seem eager to publish it online. While the company writes in its statement that it’s “been able to secure our sites” in the wake of the breach and has told Krebs that it’s close to identifying the hackers responsible, that still offers no consolation to the users who could have their most sensitive secrets dumped by the millions.
The breach highlights the danger of dating and hookup sites that encourage users to share their most private desires and then fail to fully protect that information. In 2012, the Electronic Frontier Foundation published a short study of popular dating sites, pointing out that most fail to even offer HTTPS encryption to prevent eavesdroppers from watching a user’s browsing. And in May, sex site Adult Friend Finder was hacked and more than 3.5 million users’ data published.
With that lack of online dating security now coming to light, users should take note: Maybe the internet isn’t the perfect place to pursue your super secret love affair after all.