Ashley Madison, an extramarital affairs dating website that carries the registered trademark, “Life is short. Have an affair”, is the world’s leading married dating service for discreet encounters and was the primary target of a cyber security breach that is believed to have occurred on July 11, 2015. The company did not acknowledge it until July 20, 2015. Avid Life Media (ALM) the parent company for Ashley Madison also operates other like-minded dating sites known as Established Men and Cougar Life.
On July 20, 2015 Avid Life Media (ALM) published a statement on its Ashley Madison.com website acknowledging that there had been “an attempt by an unauthorized party to gain access to our systems.” According to various cyber security experts, the ALM press release understated the severity of the situation. As information on the breach began to be reported on and who was behind it, the extensive nature of the breach became clear; it was real, it was massive and came with far reaching ramifications for the Ashley Madison members whose information had been stolen. Obviously the nature of the Ashley Madison site left its members vulnerable to much more than identity theft.
Cyber security expert Brian Krebs reported on the attack on his website that an entity calling itself “The Impact Team” were the perpetrators of the Ashley Madison hack and that the group claimed to have accessed 37 million Ashley Madison user accounts containing sensitive information which included; first and last names, user names, hashed passwords, credit card data, street addresses, email addresses and telephone numbers as well as 9.6 million transaction records of Ashley Madison users.
According to TrustedSec researcher, Dave Kennedy, who had been researching the data dump and later reported on the validity of the cyber breach on a blog post, “the biggest indicators to legitimacy comes from these internal documents, much containing sensitive internal data relating to the server infrastructure, org charts, and more. This is much more problematic as it’s not just a database dump, this is a full scale compromise of the entire companies [sic] infrastructure including Windows domain and more.”
The hackers seemed to make Ashley Madison the focus of the attack, but did include another sister-company operated by ALM in their rambling statement of responsibility. Avid Life Media Inc. the parent company for Ashley Madison also operates other dating sites known as Established Men and Cougar Life.
The hackers posted a long list of “crimes” allegedly committed by ALM along with the Ashley Madison data dump. Reportedly the hackers, The Impact Team, stated they were publishing the information due to allegations of false advertising ALM committed regarding a service called “full delete” that would erase completely an Ashley Madison member’s profile. The Impact Team claimed that Ashley Madison promised “removal of site usage history and personally identifiable information from the site,” for a fee of $19.00, but said that user’s real names, addresses and purchase details were not actually scrubbed from the Ashley Madison system.
The blackmail manifesto issued by The Impact Team also demanded that Avid Life Media specifically take Ashley Madison and Established Men websites offline permanently in all forms or else they would release the hacked, sensitive information.
The hackers claimed the breach was carried out for ethical reasons, and made good on their threat to ALM after ALM did not take the websites down, making a massive database dump of over 37 million Ashley Madison members sensitive information.
As a result Avid Life Media, Inc. is offering a $500,000 bounty to anyone who can provide information as to the identity of “The Impact Team”.
The following is the statement released by Avid Life Media, Inc. in its entirety:
STATEMENT FROM AVID LIFE MEDIA, INC. JULY 20 – 12:25PM
Jul 20, 2015
We were recently made aware of an attempt by an unauthorized party to gain access to our systems. We apologize for this unprovoked and criminal intrusion into our customers’ information. We have always had the confidentiality of our customers’ information foremost in our minds, and have had stringent security measures in place, including working with leading IT vendors from around the world.
At this time, we have been able to secure our sites, and close the unauthorized access points. We are working with law enforcement agencies, which are investigating this criminal act. Any and all parties responsible for this act of cyber–terrorism will be held responsible. Using the Digital Millennium Copyright Act (DMCA), our team has now successfully removed the posts related to this incident as well as all Personally Identifiable Information (PII) about our users published online.
Contrary to current media reports, and based on accusations posted online by a cyber criminal, the “paid-delete” option offered by AshleyMadison.com does in fact remove all information related to a member’s profile and communications activity. The process involves a hard-delete of a requesting user’s profile, including the removal of posted pictures and all messages sent to other system users’ email boxes. This option was developed due to specific member requests for just such a service, and designed based on their feedback.
As our customers’ privacy is of the utmost concern to us, we are now offering our full-delete option free to any member, in light of today’s news.
Additional Resources About This Breach: