A team of hackers has unearthed stolen data from AshleyMadison.com, an online dating site targeted at people who are already in relationships. The site’s tagline says it all: “Life is short. Have an affair.”
The data breach, reported Sunday by Krebs on Security, could compromise the 37 million users who frequent the site. Dubbed “The Impact Team,” the hackers claim the data includes credit card details and “sexual fantasies,” along with sensitive intel regarding company servers and employee information.
It appears the hackers were protesting a “full delete” feature that allegedly erases any trace of your history on the site for just $19. In a manifesto accompanying the data dump, they argued that Ashley Madison was duping its users, noting that “purchase details are not removed as promised, and include real name and address.”
The Impact Team wrote that it would put the site’s many customers on blast if parent company Avid Life Media (ALM) didn’t halt operations on both Ashley Madison and sister site Established Men:
Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails. The other websites may stay online.
…Too bad for those men, they’re cheating dirtbags and deserve no such discretion. Too bad for ALM, you promised secrecy but didn’t deliver. We’ve got the complete set of profiles in our DB dumps, and we’ll release them soon if Ashley Madison stays online. And with over 37 million members, mostly from the US and Canada, a significant percentage of the population is about to have a very bad day, including many rich and powerful people.
ALM assured users that it had shut down “unauthorized access points” and reinforced security measures in a statement released Monday. The company went on to call the hacking an “act of cyber terrorism” and acknowledged that it was just the latest in a string of recent security breaches:
We apologize for this unprovoked and criminal intrusion into our customers’ information. The current business world has proven to be one in which no company’s online assets are safe from cyber-vandalism, with Avid Life Media being only the latest among many companies to have been attacked, despite investing in the latest privacy and security technologies.
We have always had the confidentiality of our customers’ information foremost in our minds, and have had stringent security measures in place, including working with leading IT vendors from around the world. As other companies have experienced, these security measures have unfortunately not prevented this attack to our system.
At this time, we have been able to secure our sites, and close the unauthorized access points. We are working with law enforcement agencies, which are investigating this criminal act. Any and all parties responsible for this act of cyber-terrorism will be held responsible.
In a statement obtained by The Washington Post, ALM also denied the allegations made by the hackers about its “full delete” option, and announced that it would now offer it for free:
The process involves a hard-delete of a requesting user’s profile, including the removal of posted pictures and all messages sent to other system users’ email boxes. This option was developed due to specific member requests for just such a service, and designed based on their feedback.
As our customers’ privacy is of the utmost concern to us, we are now offering our full-delete option free to any member, in light of today’s news.
ALM has already singled out potential suspects, according to Krebs on Security: likely former employees or contractors who had some knowledge of internal happenings.