When 37 million people share their adulterous fantasies at the notorious dating site AshleyMadison.com, what’s the worst thing that could happen?
It just did.
An unknown team of online criminals claims to have stolen the names, addresses, credit card data, and sexual interests of every Ashley Madison client.
But unlike other cyberhackers, these extortionists, who call themselves the Impact Team, aren’t looking to make money or score political points. They want the parent company, Avid Life Media Inc., to shut down Ashley Madison and another of its sites. If not, they will make all of the customer data public.
A statement released online by the hackers Sunday night included the names and addresses of two Ashley Madison clients, as well as links to several online forums where they had posted large amounts of company data. Avid Life Media contacted these sites, which deleted the data.
“We apologize for this unprovoked and criminal intrusion into our customers’ information,” the Toronto company said Monday in an e-mailed statement. “At this time, we have been able to secure our sites, and close the unauthorized access points.”
The company also said it is working with law enforcement to track down the culprits.
Ashley Madison courts married men and women looking to cheat on their spouses. The site’s motto: “Life is short. Have an affair.” The other site referenced by the hackers, Established Men, caters to rich men who want to meet “ambitious and attractive girls.”
Avid Life Media generated an estimated $115 million in revenue last year, according to Bloomberg News. While American investors have been put off by the company’s salacious services, Avid Life Media is expected to seek $200 million from a stock sale on the London exchange this year. It’s unclear whether the hack will force a change of plans.
The incident is reminiscent of last year’s devastating attack on Sony Corp.’s computer systems in the run-up to Sony’s planned release of the movie “The Interview,” a farce about Americans who assassinate the leader of North Korea, Kim Jong Un. Attackers believed to be acting on behalf of the North Korean government raided Sony’s computers and leaked highly embarrassing corporate documents. They then posted messages threatening terrorist attacks against theaters that showed “The Interview.”
Sony canceled its official Christmas Day release of the film at major theater chains. But about 300 independent cinemas did show the movie.
The Ashley Madison attack is a nasty new version of Internet “sextortion,” a crime that’s become all too common. Most sextortionists use deception and technical gimmicks to obtain nude photos of their victims. Then they blackmail the victims by threatening to distribute the pictures over the Internet unless the victims send still more photos.
Last week, former Navy pilot Daniel Chase Harris of Virginia Beach, Va., was sentenced to 50 years in federal prison for running a sextortion scheme.
Other sextortionists are driven by greed. In April, millions of customer records were stolen from the sex site AdultFriendFinder.com by a thief who demanded $100,000 in ransom. Apparently the money wasn’t paid; by late May, information on 3.9 million users was posted online on hacker forums, where it could be used for extortion or identity theft.
The AshleyMadison.com attackers apparently aren’t out for money, and they seem to regard the humiliation of users as collateral damage. Their stated target is the company itself.
But that’s cold comfort to subscribers whose information is in criminals’ hands.
Brian Krebs, an Internet security analyst whose Krebs On Security website revealed the Ashley Madison hack, said there’s nothing to stop the Impact Team from publishing stolen data whenever it chooses. “This thing could break wide open at any time,” Krebs said.
The Impact Team seems especially angry about Ashley Madison’s “full delete” policy, which charges customers $19 for guaranteed erasure of all of their personal data from the site. The hackers claim the service generated $1.7 million in revenue for Avid Life Media last year, but the company didn’t really erase all data.
“Their purchase details are not removed as promised, and include real name and address . . . sexual fantasies and more,” the Impact Team said.
Avid Life Media denied this claim in its e-mail. It also said the full delete service would now be free.
It’s unclear whether Avid Life Media used an encryption system to scramble sensitive data stored on its servers. Encrypted data is useless to criminals because it can’t be read without the key. But time and again, major organizations have failed to take this step, with disastrous consequences. Following the recent breach at the federal Office of Personnel Management, in which thieves got data on at least 22 million Americans, the agency admitted that much of the information in its databases was not encrypted.
Krebs, however, said that Avid Life Media’s chief executive, Noel Biderman, told him the data theft appears to have been an inside job, possibly committed by a contractor with access to the computer network. If so, the criminal could have used a legitimate password to obtain the data, giving him limitless access to unscrambled data files.