What happens when a website whose very existence is anchored in cheating and duplicity gets cheated/hacked, and the hacker comes from inside the castle walls?
Well, it doesn’t make anyone feel sorry for the website, but at the same time it makes cyber security professionals feel better that it didn’t come from outside.
Such is the ongoing saga of the massive data breach at Ashley Madison, the website that facilitates marital infidelity. The site was breached in late July, exposing the names, emails, and other personal information of potentially millions of users.
One ironic name turned up by the hackers? The CEO of Avid Life Media, the owner of the Ashley Madison site. Noel Biderman was exposed the last week of August for his email string on the site. He resigned his position the following week but on the way out said the breach was an inside job.
What do the hackers have? They released over 30 gigabytes of customer and company data the third week of August. Among the names were a reality TV star, various government employees who accessed the site from their work computers, and Biderman. Since then there have been two more data dumps.
But for the company, something even more important was dumped: source code for the Ashley Madison website and mobile property. While this isn’t of interest to the public or to journalists, it is to other hackers. They can now study the released code to further subvert the site, and the company’s intellectual property is now, basically, public property.
The hackers, who call themselves The Impact Team, seem to have an issue with Avid Life Media. In an anonymous email interview with the website Motherboard, The Impact Team said they would target “any companies that make 100s of millions profiting off pain of others, secrets, and lies. Maybe corrupt politicians, too.”
Already spammers and cybercriminals have pounced on the Ashley Madison customer data. At first, spammers were exploiting the new pool of email addresses, luring Web surfers to dubious background-check sites.
Then a second wave started using the data to craft extortion emails. The emails threaten to expose users’ participation on Ashley Madison by sending written personal letters to their homes. The extortion demand? Around $450 (two bitcoins).
There is some credence, it appears, to Biderman’s inside job claim. That comes from the absence of any footprints from the hack. Tom Byrnes, CEO of ThreatSTOP, said, “The data tracks with an inside job. The data appears to have been dumped by someone who had console-level access to the database server.” He also said that a data dump such as this one has to leave footprints from the exploit tools used.
The Impact Team released an initial manifesto in August that said they had been in Avid Life Media’s servers for years. Here is part of that document:
“We have hacked them completely, taking over their entire office and production domains and thousands of systems, and over the past few years have taken all customer information databases, complete source code repositories, financial records, documentation, and emails, as we prove here. And it was easy. For a company whose main promise is secrecy, it’s like you didn’t even try, like you thought you had never pissed anyone off.”
Thus far, The Impact Team has made three dumps with the Ashley Madison data, but there’s much more where that came from. The Impact Team says it has over 300 GB of employee emails, plus tens of thousands of Ashley Madison user pictures, as well as user email messages.
For Avid Life Media, which had hoped to raise $200 million for an IPO on the London Stock Exchange this fall, it seems the cheating of Ashley Madison came home with a vengeance, and that vengeance, whether inside job or not, was The Impact Team.
How are your company data and your customer data protected? That’s what we do at RegTec: evaluate your situation, your strengths, your weaknesses. Contact us and see what we can do for you.