
Dating site for adulterers hacked; user base leaked for being too dumb to use prepaid credit cards

Ashley Madison hacked by vindictive group demanding the site shut down or more names will leak



In an era where personal information is entrusted to seemingly every online business, relying upon their competence to protect your sensitive data in a playing field where the opposition is always one step ahead of the game is not going to end well. To that end, it should come as no surprise that customer data was stolen from Ashley Madison, a dating website catering to adulterers. It was bound to happen given the Adult Friend Finder hack from earlier.

Panic attacks likely ensued once the dating site revealed that hackers calling themselves the Impact Team swiped the real names, addresses, and credit card info of the site’s entire user base — including those who paid to delete their account information. Owned by the Canadian media conglomerate Avid Life Media (ALM), the site features 37 million users comprising both genders.

Yes, Ashley Madison extorted its customers by charging them a $19 (£12) fee for what it calls a “full delete,” the removal of users’ profile and communication activity. Unfortunately, this did not include the payment information, something the company neglected to mention.

A manifesto left behind by Impact Team reads: “Full Delete netted ALM [Avid Life Media, the parent company] $1.7mm in revenue in 2014. It’s also a complete lie. Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.”

According to the well-known security researcher Brian Krebs, the hackers already uploaded a minute number of names, and vowed to continue until the site is shut down — which is not likely to occur so long as the demand for its service continues. In response, Ashley Madison dropped its $19 removal fee, a futile action at this point.

The manifesto continues with, “Too bad for those men, they’re cheating dirtbags and deserve no such discretion. Too bad for ALM, you promised secrecy but didn’t deliver. We’ve got the complete set of profiles in our DB dumps, and we’ll release them soon if Ashley Madison stays online.” Such an odd motivation blurs the line between the whitehat and blackhat schools of thought, as it appears to be aimed at ALM’s deceit and inability to deliver the secrecy which was promised, yet sacrifices the user as collateral.

Another interesting tidbit left behind by Impact Team was an apology to Mark Steele, ALM’s director of security, claiming “You did everything you could, but nothing you could have done could have stopped this.” For this reason, and perhaps some other undisclosed aspect of the investigation, ALM CEO Noel Biderman suspects the incident may have been caused by an inside man such as a former employee or contractor.

Perhaps if Ashley Madison’s user base were smart enough (or less desperate) they would’ve used prepaid Visa cards and dummy social media accounts instead of their real accounts.

Source: BBC and KrebsOnSecurity
