AshleyMadison.com, the infamous online dating site targeting married adults who are looking to have an affair, found itself this morning the subject of a troubling development, and a threat. Hackers operating under the alias of “The Impact Team” posted some sensitive personal information that was stolen from Avid Life Media, AshleyMadison’s parent company.
The Impact Team also released a statement claiming that they had “taken over all systems in [AshleyMadison’s] entire office” and are threatening to “release all customer records, profiles…nude pictures and conversations” unless AshleyMadison and Established Men, another sexually-driven site owned by Avid Life Media, are taken down. In a statement to KrebsOnSecurity, ALM Chief Executive Noel Biderman confirmed that a data breach had occurred.
One of the main reasons that The Impact Team cited for deciding to hack ALM is AshleyMadison’s widely touted Full Delete feature. For $19, AshleyMadison claimed, users could erase all trace that they ever used the adult dating website. The Impact Team is claiming this is a falsehood: while a profile can be totally expunged, credit card transaction data, including full name and billing address, remains in existence.
This latest hack is just one among a recent flurry of security breaches around the Web. In May, another online dating site, Adult Friend Finder, was hacked and customer information was leaked. Dating sites are not the only targets either; it was recently revealed that the United States Office of Personnel Management yielded access to the personal records of 21.5 million people in a cyberattack.
As hackers grow ever more emboldened and sophisticated, people need to be incredibly wary of what information they share online, and where they share it, TechZone360 senior editor Peter Bernstein says:
“While people believe that their personal affairs, financial as well as their private activities of any kind, should remain private, what the AshleyMadison hack once again proves is that if you provide information online it is subject to being compromised. No security solution is completely failsafe. In addition, what this also shows is that even if you believe your ‘trusted’ vendor says it adheres to your request to delete information you never wish to see publicized, that trust may be misplaced. This is particularly true for transactional information which unlike healthcare, financial service and even retail must meet strict compliance policies and rules. In short, online buyers beware.”
Eric Chiu, president & co-founder of HyTrust, also commented on the breach, saying, “Data is the new currency and the breach at AshleyMadison shows attackers are not only looking to steal consumer information for profit but also hold companies hostage. Given the extent of the attack, which included user databases, financial records, employee files and other proprietary information as well as the demands of the hackers, the attack most likely happened from the inside. Dating sites have lots of very personal information, including contact information, dates of birth, and sexual preferences. This information can be used to not only steal additional information and ultimately the person's identity, but also embarrass or hold individuals at ransom, especially given that many users would want to keep this information secret from colleagues or spouses. In addition, similar to Snowden and Sony, this is a great example of how organizations can now be held hostage and permanently damaged by their own data that they collect and how important it is to secure sensitive data from insider threats.”