Hackers have stolen 37 million records for customers of Ashley Madison, the online “dating” website for married people looking to have an affair. The information includes “all the customers' secret sexual fantasies and matching credit card transactions,” the perpetrators said.
That’s a lot of blackmail material.
“The secretive nature of Ashley Madison and its especially intimate customer information means that this breach is particularly worrying to the site’s subscribers,” John Smith, principal solution architect at Veracode, said via email.
The hackers, who call themselves The Impact Team, said they plan to release real names, profiles, nude photos, credit card details and "secret sexual fantasies" unless their demands were met, according to independent researcher Brian Krebs.
Apparently, those demands are motivated by morality. Ashley Madison, which carries the tagline “Life is short. Have an affair,” is only one of a few “niche” offerings from Canada-based Avid Media. It also runs sugar-daddy site Established Men, and CougarLife, which caters for women looking for “a young stud” and younger men who would like to play that part. The hackers apparently have no issue with the latter, but said that they also want Established Men shut down.
It’s unlikely that the site will bow to the demands easily. Cheating is big business, and Ashley Madison has been prepping for an IPO with an eye to raising $200 million on the London Stock Exchange.
"Shutting down AM (Ashley Madison) and EM (Established Men) will cost you, but non-compliance will cost you more," the hackers said.
Avid said that the incursion has been stopped and the site secured. It also characterized the attack as “cyber-terrorism,” and lumped itself in with the other companies that have seen data breaches of late, saying that its “stringent security” was not enough, “as other companies have experienced.”
“We apologize for this unprovoked and criminal intrusion into our customers' information,” the company said in a statement. “The current business world has proven to be one in which no company's online assets are safe from cyber-vandalism, with Avid Life Media being only the latest among many companies to have been attacked, despite investing in the latest privacy and security technologies.”
Smith noted that this is a lackluster take on the situation and signals a lack of responsibility. “Whilst Ashley Madison sold a service to its users which promised secure deletion of their personal data, it seems in reality that it did not completely purge all of that data from all systems,” he said. “As businesses collect and hold personal data they have a duty of care to protect that information against a wide range of threats, whether it is a malicious insider (as may be the case here), an external attacker or accidental release.”
And indeed, these hackers themselves said that users who had paid a fee to Avid Life to have their personal data permanently deleted had been duped—the company had actually retained records, including credit card information.