Ashley Madison Confirms Legitimate Data Was Exposed; Clients And Investigators Scramble
Avid Life Media, the parent company of the Ashley Madison website for married people seeking affairs, confirmed that some legitimate data has appeared on the Internet following last month’s widely-reported hack, according to Reuters.
Hackers posted almost 10 gigabytes worth of data, including member account details, logins and payment transaction details on the dark web, according to Wired.
Emails sent to Noel Biderman, founder and chief executive officer of Avid Life Media, were part of a second, larger data dump, cyber security experts confirmed Thursday, Reuters reported. A message accompanying the release said:
Hey Noel, you can admit it’s real now
a riposte to the company’s initial response to Tuesday’s dump that the data may not be authentic.
On Wednesday, Avid Life Media said no current or past members’ full credit card numbers were compromised. “Any statements to the contrary are false. Avid Life Media has never stored members’ full credit card numbers,” the company stated.
Avid Life Media Investigates Breach
Avid Life Media said it had launched an investigation utilizing security professionals to determine the origin, nature, and scope of this incident.
“We apologize for this unprovoked and criminal intrusion into our customers’ information,” the site said. “The current business world has proven to be one in which no company’s online assets are safe from cyber-vandalism, with Avid Life Media being only the latest among many companies to have been attacked, despite investing in the latest privacy and security technologies.”
We have always had the confidentiality of our customers’ information foremost in our minds, and have had stringent security measures in place, including working with leading IT vendors from around the world. As other companies have experienced, these security measures have unfortunately not prevented this attack to our system.
Avid Life Media said it is working with Cycura, a Toronto-based security firm, to determine the origin, nature, and scope of this incident.
Clients, Lawyers And Investigators Scurry
Meanwhile, the disclosure sparked a frenzy as users of the website tried to search for their names and those of partners, according to The Wall Street Journal. Lawyers were searching for evidence for divorce cases. And a British florist offered a discount on “apology flowers.”
Data includes members’ names, addresses and phone numbers, though it’s not clear if members provided legitimate details, according to Wired. The data also includes descriptions of what members were seeking.
Government investigators have warned hacking victims not to comply with hackers’ demands since it will only embolden future attackers.
One problem, however, is “you’re putting your trust in someone who is inherently untrustworthy,” said Andre McGregor, a former special agent with the Federal Bureau of Investigation and currently director of security at Tanium Inc., a San Francisco Bay Area cybersecurity company, speaking with The Wall Street Journal.
Did Avid Life Media Do Enough?
Lisa Sotto, a partner at Hunton & Williams LLP, a Richmond, Va.-based law firm that focuses on privacy and cybersecurity risks, told the Wall Street Journal that Avid Life Media could have done more to reach out to users who were at risk.
“The extortion hack that affected cheating website Ashley Madison has shown society that hackers do not just steal financial information to make money, they can steal secrets and any data that is considered valuable to extort money out of them,” Sotto stated on her company’s website. “things are only going to get worse..[C]ompanies and individuals paying, because they potentially have no choice.”
Dave Kennedy, chief executive at security firm TrustedSec, combed through the files posted online and found documents that he said seemed legitimate on Avid Life Media’s computer systems.
Database Dump Appears Legitimate
“The hackers called ‘Impact Team’ stated that if Ashley Madison didn’t shut down, it would expose the databases and information hacked from the popular online cheating site,” TrustedSec noted in a blog posting. “Today it appears that promise came true and Ashley Madison did not buckle or shut down.”
The database dump appears to be legitimate and contains usernames, passwords, credit card data (last four), street addresses, full names, and much much more. It also contains an extensive amount of internal data which looks like the hackers had maintained access to their environment for a long period of time.
Featured image from Shutterstock.