Karma’s a bitch. Hackers recently leaked the inbox of Ashley Madison CEO Noel Biderman (pictured above). Turns out Noel and his cronies have done some hacking of their own. The emails reveal that the company’s CTO hacked into a competing dating site back in November 2012. Biderman even asked him to steal emails.
The revelation is buried in what hackers say is 30 gigabytes of Biderman’s emails. One of those emails is from Ashley Madison’s founding CTO, Raja Bhatia, who claims to have hacked Nerve.com’s then-new dating website. Security expert Brian Krebs discovered the exchange—as did Motherboard—and notes that the data comes from the Impact Team, the same hackers that released the first big batch of data last week. Though Bhatia had earlier told him he doubted the dump was real, Krebs confirmed the legitimacy of the hacked data through several sources who found their own personal details in the dump. Now, karma’s catching up with Bhatia, whose condemning exchange with his boss revealed that he hacked his own competitors.
“Nerve’s dating site has a huge security hole,” Bhatia told Biderman. After doing “a little digging,” Bhatia continued, “They did a poor job of auditing their site. Have access to all their user records including emails, encrypted password, if they purchased or not, who they talked to, what their search preferences are, last login, fraud risk profile, who they blocked or are blocked from, photo uploads, etc.”
That sounds an awful lot like the Ashley Madison hack, huh! The Impact Team claim to have gained access to pretty much all of the cheating site’s user data. It’s been appearing in the media over the past week, surely ruining some marriages and humiliating some spouses along the way. One notable difference is that Bhatia claimed he could manipulate the user data, too.
“I can turn any non paying user into a paying user, vice versa, compose messages between users, check unread stats, etc.” he told Biderman.
What did Biderman think about this? “Holy moly..I would take the emails...” said the executive. Bhatia refused to steal them, but he did steal some user data. Bhatia also included a link to a GitHub repository that appears to contain stolen data from Nerve.com, a page that Motherboard reports is still live. It’s unclear what Ashley Madison’s chiefs did with this data or knowledge of the backdoor into Nerve.com, but it’s inevitably ironic that they’d be victims of a similar hack just two years after their cheeky email thread.
This is only one exchange out of thousands in the trove of emails. Things aren’t going to get any easier for Biderman. An anonymous hacker recently reached out to Gizmodo with a curated dataset containing a vast amount of Biderman’s personal information. Some examples of its contents:
Scan of his drivers license
Scan of his auto insurance id card
Scan of a voided check
Scan of his signature
His SIN (Social Insurance Number)
His bank account #’s
His home address
At least 1 of his cc #’s
It’s one thing to tell an employee to steal a competitor’s email. It’s another thing when a hacker steals all your email and private information and puts it on the internet. You can ask Noel Biderman about both of these things. He has intimate knowledge.
[Motherboard, Krebs on Security]
Image via Ashley Madison
Contact the author at adam@gizmodo.com.