Advertisement

Ashley Madison hack threatens to expose millions of users

Daniel Cooper
Senior Editor
Updated ·5 min read
0

Ashley Madison, the dating website that purports to connect people looking for an affair, has been the victim of a hack that has exposed the personal data of its 37 million users. Krebs on Security is reporting that the perpetrators are a hacker or hackers going by the name of Impact Team. So far, only a small selection of information has been uploaded, but the group is threatening to post the entire haul unless Ashley Madison and sister site Established Men are shut down for good. CEO Noel Biderman has confirmed that the attack is legitimate and has pledged to take down compromising files as they're found online. Not that it's likely to be much comfort to the people waking up to find their personal details splashed across the internet.

It's believed that the hack was carried out because of a much-derided feature that the company offers called Full Delete. Should a user wish to leave the site, they can pay a $19 fee to have all of their personal data scrubbed from the Madison servers. There's only one catch: according to Impact Team, it's all a lie, and despite making $1.7 million from the service in 2014, the data remains safely preserved.

For his part, Biderman believes that the attack was an inside job and that he is close to confirming the identity of the culprit. Right now, it's thought that the person wasn't an employee, but someone who had "touched" the company's "technical services." That makes sense, since the Impact Team statement offers an apology to Mark Steele, the website's director of security.

At the time of publication, Ashley Madison remains online, but we imagine that we'll be spending the rest of the day updating this piece as new developments occur. Perhaps the company should change its tagline from "life is short, have an affair" to "it's all fun and games until everybody finds out."

Update: As expected, the first of what we expect will be many updates have rolled into our inbox today. The company has issued a second statement saying that, following the hack, the firm "engaged one of the world's top IT security teams to take every possible step towards mitigating the attack." Using DMCA takedowns, this unnamed team of crack lawyers and security experts have "successfully removed all the posts related to this incident." The company is now working with "forensics experts and security professionals" as well as law enforcement officials to investigate the incident.

"Following the earlier unprovoked and criminal intrusion into our system, Avid Life Media immediately engaged one of the world's top IT security teams to take every possible step toward mitigating the attack.

Using the Digital Millennium Copyright Act (DMCA), our team has now successfully removed the all posts related to this incident as well as all Personally Identifiable Information (PII) about our users published online. We have always had the confidentiality of our customers' information foremost in our minds and are pleased that the provisions included in the DMCA have been effective in addressing this matter.

Our team of forensics experts and security professionals, in addition to law enforcement, are continuing to investigate this incident and we will continue to provide updates as they become available."

Translated to English, this means that all of the excerpts from the Ashley Madison database that were seeded on the internet have now been taken down. Adulterous partners the world over can breathe a short sigh of relief, although we feel compelled to remind you that Impact Team still has a copy of the full database stashed somewhere offline. So, you know, maybe don't cancel that important discussion you were planning to have with your significant other over dinner tonight.

Update 2: Ashley Madison is offering up a second statement to tell the world that the site itself is secure and your personal data has, at least for now, been taken offline. The company will continue to work with law enforcement agencies to bring the alleged perp to justice. In addition, the firm has refuted the accusation that its Full Delete function is a scam, saying that the service does remove all of your personal data from its servers. In light of the current breach, Ashley Madison is offering the clean slate feature to all of its users, for free, to ensure that you don't need to have that awkward conversation.

We were recently made aware of an attempt by an unauthorized party to gain access to our systems. We apologize for this unprovoked and criminal intrusion into our customers' information. We have always had the confidentiality of our customers' information foremost in our minds, and have had stringent security measures in place, including working with leading IT vendors from around the world.

At this time, we have been able to secure our sites, and close the unauthorized access points. We are working with law enforcement agencies, which are investigating this criminal act. Any and all parties responsible for this act of cyber-terrorism will be held responsible. Using the Digital Millennium Copyright Act (DMCA), our team has now successfully removed the posts related to this incident as well as all Personally Identifiable Information (PII) about our users published online.

Contrary to current media reports, and based on accusations posted online by a cyber criminal, the "paid-delete" option offered by AshleyMadison.com does in fact remove all information related to a member's profile and communications activity. The process involves a hard-delete of a requesting user's profile, including the removal of posted pictures and all messages sent to other system users' email boxes. This option was developed due to specific member requests for just such a service, and designed based on their feedback.

As our customers' privacy is of the utmost concern to us, we are now offering our full-delete option free to any member, in light of today's news.

[Image Credit: AFP/Getty Images]