‘Life is short; have an affair,’ is the tagline of the website AshleyMadison.com, which facilitates extramarital affairs for cheating spouses. And this cheating site has apparently been hacked by a group calling itself The Impact Team, which is now threatening to release the identities of approximately 37 million registered users.
According to KrebsOnSecurity, The Impact Team now has access to highly sensitive data that it stole from the Toronto, Canada-based company Avid Life Media (ALM), which owns AshleyMadison, along with two other … different dating sites – CougarLife and EstablishedMen.
In a statement given to ALM, the hackers have said that if the firm fails to comply with their demand to shut down AshleyMadison and EstablishedMen completely, they would release ‘customer records, secret sexual fantasies, nude pictures, credit card transactions, real names, and addresses as well as employment documents and emails.’
When KrebsOnSecurity reached out to ALM Chief Executive Noel Biderman, he confirmed the hack, and also assured that the company was ‘working diligently and feverishly’ to take down ALM’s intellectual property.
“We’re not denying this happened. Like us or not, this is still a criminal act.”
Apart from leaking snippets of account data from among nearly 40 million registered users across all three sites, the hackers leaked maps of internal company servers, company bank account data, employee network account information, and salary information.
Less than two months ago, the hookup site AdultFriendFinder was the target of hacking, where intruders stole and leaked online user information on millions of accounts.
The Impact Team, the hackers behind the data theft, has left behind a long manifesto of sorts for ALM, in which it said that it decided to publish the hacked information in response to alleged lies that the company has fed its customers regarding its FULL DELETE service, where the company promises to erase ALL data from their profile information for a fee of $19.
According to the hackers, the advertised ‘full delete’ feature of AshleyMadison, which promises ‘removal of site usage history and personally identifiable information from the site,’ is a lie, because the users’ purchase details, which include their real names and addresses, aren’t really scrubbed from the company’s databases.
Highlighting this ‘fraudulent’ feature as one of their main concerns, the hackers wrote,
“Full Delete netted ALM $1.7 million in revenue in 2014. It’s also a complete lie. Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.”
Further, they demanded,
“Avid Life Media has been instructed to take AshleyMadison and EstablishedMen offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails. The other websites may stay online.”
“Too bad for those men, they’re cheating dirtbags and deserve no such discretion. Too bad for ALM, you promised secrecy but didn’t deliver. We’ve got the complete set of profiles in our DB dumps, and we’ll release them soon if AshleyMadison stays online. And with over 37 million members, mostly from the US and Canada, a significant percentage of the population is about to have a very bad day, including many rich and powerful people.”
“Our one apology is to Mark Steele (Director of Security). You did everything you could, but nothing you could have done could have stopped this,” concluded the manifesto.
As of now, it’s not clear how much of the AshleyMadison user account data has been posted online by the hackers. It seems that only a small percentage of AshleyMadison user account data has been published online, with plans to reveal more each day, as long as the said sites remain online and operating.
Meanwhile, ALM CEO Biderman refused to discuss the minutiae of their internal investigation, only referring to it as ‘ongoing and fast-moving.’ However, he did point toward the possibility that this hack may have been the work of someone who, at least at one point in time, had legitimate, inside access to the company’s networks, maybe even a former employee or a contractor.
“We’re on the doorstep of [confirming] who we believe is the culprit, and unfortunately that may have triggered this mass publication. I’ve got their profile right in front of me, all their work credentials. It was definitely a person here that was not an employee but certainly had touched our technical services.”
That may be so, but this hack raises several questions – why are the hackers insisting that AshleyMadison and EstablishedMen, which have predominantly male users, go offline? Why not CougarLife and other associated sites too? Why did neither Biderman nor any of the high-level executives at ALM refute the hackers’ claim that the company hadn’t deleted the personal details of users who opted for the Full Delete feature? And the language and tone of the manifesto left by the hackers suggest that the hackers may be of the female persuasion. Is this a revenge game?
Whether or not ALM succeeds in plugging this leak, users most probably have lost faith in its ‘discretion’ and ability to keep their affairs ‘secret.’ I guess the only thing left for the users whose data has been compromised is to sue the company for damages!