WASHINGTON, August 19, 2015 – Hackers finally made good on their threat to release details about users of infidelity website Ashley Madison. Sort of.
Last month a hacktivist group calling itself the Impact Team said it hacked into websites owned by Canada’s Avid Life Media (ALM), including Ashley Madison, Cougar Life and Established Men. The group then threatened to release personal data, including names, email addresses, sexual preferences and credit card information.
ALM confirmed the data breach and held its breath.
Now, it seems the Impact Team has had enough. The group released the information to the dark web, after announcing to ALM “Time’s Up.”
All this raises several questions.
What exactly is Ashley Madison? By now most people know Ashley Madison is a site where married people can discreetly hook up for extramarital affairs. The motto of the site is “Life is short….Have an affair” and it seeks to act as a sort of dating platform for those who want to, well, have an affair. The website boasts, “Ashley Madison is the most famous name in infidelity and married dating. Have an Affair today on Ashley Madison. Thousands of cheating wives and cheating husbands sign up every day looking for an affair. With our affair guarantee package we guarantee you will find the perfect affair partner.”
It works in much the same way as eHarmony or Match.com, with users signing up to “find their matches.” The existence of the website has caused many to lament the demise of world values, but apparently millions of people disagree. The site claims to have over 40 million users in multiple countries around the world.
Why did hackers target the site? While press coverage of the hack has focused on the plain old “eww” of the site, the moral issue is only part of what infuriated the Impact Team. The group posted a manifesto on the AM site in July, when it first hacked it, which read:
“We are The Impact Team. We have taken over all systems in your entire office and production domains, all customer information databases, source code repositories, financial records, emails … Shutting down AM [Ashley Madison] and EM [Established Men] will cost you, but non-compliance will cost you more: We will release all customer-records, profiles with all the customers’ secret sexual fantasies, nude pictures, and conversations and matching credit card transactions, real names and addresses, and employee documents and emails. Avid Life Media will be liable for fraud and extreme harm to millions of users.
“Too bad for those men, they’re cheating dirtbags and deserve no such discretion. Too bad for ALM, you promised secrecy but didn’t deliver. We’ve got the complete set of profiles in our DB dumps, and we’ll release them soon if Ashley Madison stays online. And with over 37 million members, mostly from the US and Canada, a significant percentage of the population is about to have a very bad day, including many rich and powerful people.”
However, the group also clarified that the reason it was planning to go public with the data centered on ALM’s data retention practices. Essentially, the Impact Team said ALM lied to users when it promised to delete personal details from the site for $19.
The group wrote: “Full Delete netted ALM $1.7mm in revenue in 2014. It’s also a complete lie. Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.”
Apparently, the group had had enough this week and warned on Reddit:
“Avid Life Media has failed to take down Ashley Madison and Established Men. We have explained the fraud, deceit, and stupidity of ALM and their members. Now everyone gets to see their data.”
“Find someone you know in here? Keep in mind the site is a scam with thousands of fake female profiles. See ashley madison fake profile lawsuit; 90-95% of actual users are male. Chances are your man signed up on the world’s biggest affair site, but never had one. He just tried to. If that distinction matters.”
“Find yourself in here? It was ALM that failed you and lied to you. Prosecute them and claim damages. Then move on with your life. Learn your lesson and make amends. Embarrassing now, but you’ll get over it.”
What info did they leak and where is it? The group released the information over the dark web, meaning that you can’t just run a Google search to find out if your spouse or significant other signed up. The information is accessible, but not usually to the casual user.
So, for now, the information is “out there” but probably not on your desktop.
The information the group released includes names, addresses and phone numbers of users. However, as even the Impact Team notes, it is unclear whether that information is accurate. Because the site does not require email verification, a user could pick any email address to adopt as their own and use random numbers for a phone number.
However, the leak also includes credit card information, which almost certainly includes true names and true credit card numbers.
The hackers also released details on user preferences and what they are looking for in a “match.”
Although passwords do not appear to be released, it is probable that the hackers themselves could uncover the passwords, which would allow them to read – and potentially post – all personal correspondence by users.
What does it matter? Here’s where things get a little tricky. On the personal side, as long as the information remains in the dark web, users are likely relatively “safe.” That is unlikely to remain the case, though, as some enterprising dark web user almost certainly will end up posting the information where the average user can get it.
Thanks to the fake email possibility, users can always swear to their significant others that they didn’t participate, it was just someone using their email. In the CIA, this is called “plausible deniability.” It is unlikely to save users from at least a few days of painful explaining. And if credit card information matches up to email addresses, users will have a bigger problem.
The bigger picture, however, is about hacking and Internet privacy. If hacktivists can target Ashley Madison, what is next? It raises serious questions about the privacy of personal emails and credit cards. In an age where people use the Internet for, well, everything, the Ashley Madison hack should raise some very serious questions.