AshleyMadison Confirms Hack, Purges Leaked Info From Internet

AshleyMadison, noted online home of serial adulterers, has confirmed that yes, someone did rummage through its 37 million-strong blackmail database. But the company also denies that it was swindling customers over the ‘paid-delete’ option, and has managed to take down any information leaked thus far.

In a statement issued earlier today, AshleyMadison owners Avid Life Media (ALM) confirmed a “criminal intrusion” into its systems, although it doesn’t comment on the extent of any data loss.

We originally learned about the hack thanks to a post from the hackers themselves, a group dubbed The Impact Team, who posted a sample of information online, along with a manifesto demanding the takedown of AshleyMadison and related site CougarLife. That post quickly vanished, along with the leaked user data. Keeping a secret on the internet — especially one with such salacious details — isn’t normally easy, but ALM seems to have succeeded, using the Digital Millennium Copyright Act to quash any mirrors.

In its slightly-rambling manifesto, The Impact Team claimed that ALM’s paid-delete option, a $19 service that promised the deletion of your personal info from ALM’s servers (which, for the record, sounds like bullshit from the outset), was actually a bunch of crap. According to the hackers, ALM retained credit card and address info even after you’d paid your $19 — but according to ALM, that’s not the case: “Contrary to current media reports, and based on accusations posted online by a cyber criminal, the “paid-delete” option offered by AshleyMadison.com does in fact remove all information related to a member’s profile and communications activity.”

Notably, that doesn’t mention the credit-card info used to pay the $19 removal charge — which is what the hackers claimed that ALM was hanging onto in the first place.

In either case, it’s been 24 hours, and AshleyMadison is still very much online.

The full statement is posted below:

We were recently made aware of an attempt by an unauthorized party to gain access to our systems. We apologize for this unprovoked and criminal intrusion into our customers’ information. We have always had the confidentiality of our customers’ information foremost in our minds, and have had stringent security measures in place, including working with leading IT vendors from around the world.

At this time, we have been able to secure our sites, and close the unauthorized access points. We are working with law enforcement agencies, which are investigating this criminal act. Any and all parties responsible for this act of cyber-terrorism will be held responsible. Using the Digital Millennium Copyright Act (DMCA), our team has now successfully removed the posts related to this incident as well as all Personally Identifiable Information (PII) about our users published online.

Contrary to current media reports, and based on accusations posted online by a cyber criminal, the “paid-delete” option offered by AshleyMadison.com does in fact remove all information related to a member’s profile and communications activity. The process involves a hard-delete of a requesting user’s profile, including the removal of posted pictures and all messages sent to other system users’ email boxes. This option was developed due to specific member requests for just such a service, and designed based on their feedback.

As our customers’ privacy is of the utmost concern to us, we are now offering our full-delete option free to any member, in light of today’s news.

Hackers Threaten to Expose 37 Million Cheating AshleyMadison Users

AshleyMadison—tagline “Life Is Short. Have An Affair”—is an online site that facilitates cheating among its 37 million users. It’s a service founded on confidentiality and privacy, which now seems to have all of its data in the hands of hackers. They’re demanding the company take down the site, or they’re going to out a lot of adulterers.

The hackers, going by the name “The Impact Team,” posted a small sample of sensitive data (since taken offline) stolen from Avid Life Media, the company that owns AshleyMadison, along with other hookup sites Cougar Life and Established Men. The data was accompanied by a statement, demanding the takedown of AshleyMadison and Established Men. If that doesn’t happen, the hackers are threatening to leak the full details—names, addresses, sexual fantasies—of AshleyMadison’s 37 million users.

Speaking to security blog KrebsOnSecurity, ALM Chief Executive Noel Biderman confirmed the hack, condemned the “criminal act,” and said the company was working hard to have the data taken down.

Impact Team message, via KrebsOnSecurity

The Impact Team’s beef with Avid seems to lie with the Full Delete feature offered by AshleyMadison—a $19 service that allows users of the site to erase their profile, and all accompanying information. According to The Impact Team, that service is a lie: it claims that although profile information is removed, credit card details, including real name and billing address, remain online.

That frames the hackers as the good guys, campaigning against a lying company; of course, a trove of personal information, including credit card details, can be worth serious money to the right people.

It goes without saying that this is about the worst data leak imaginable—not only does it have the usual problems of identity fraud, but if the full list of AshleyMadison’s users hits the internet, that’s a lot of adulterers outed.

[KrebsOnSecurity]


Contact the author at chris@gizmodo.com.
