Cheating site Ashley Madison breached by hackers threatening to expose users via @NakedSecurity
Ashley Madison users, you are "cheating dirtbags" in the judgmental eyes of whoever attacked the adulterers' dating site, and, with no sympathy forthcoming from the culprits, your personal details are in danger of being published, if they haven't already.
The attackers claim that the personal, intimate data they've breached includes all customer records: secret sexual fantasies, nude photos, conversations, credit card transactions, real names and addresses, plus the dating site company's employee documents and emails.
Security journalist Brian Krebs broke the story on Sunday, and the company confirmed the breach.
Krebs published an image of the attackers' lengthy manifesto, which appeared alongside data stolen from Avid Life Media (ALM): the Toronto firm that owns Ashley Madison as well as the related hookup sites Cougar Life and Established Men.
The attackers call themselves the Impact Team, and it sounds like unmasking the site's users is merely fallout, given that they're after nothing less than the shutdown of Ashley Madison.
They say they'll keep leaking information on a daily basis until ALM shuts down both Ashley Madison and Established Men.
From the manifesto:
Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers' secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails.
The other websites may stay online.
That means they're leaving alone the ALM site Cougar Life that connects older women with younger men.
In their view, only men use Ashley Madison:
Too bad for those men, they're cheating dirtbags and deserve no such discretion. Too bad for ALM, you promised secrecy but didn’t deliver.
This assumption about gender is incorrect, but the point is moot: a female friend of mine who formerly used Ashley Madison tells me that, being a woman, she never had to pay, and she had the smarts to fictionalize all her user information:
Being a woman, [I] never had to pay so all data was erroneous. ... even separate email, [birthdays]. ... now [partner's name] on the other hand...
According to the Impact Team's manifesto, this is comeuppance for ALM having "promised secrecy" that it didn't deliver.
The attackers accuse ALM of hoodwinking users when it comes to a "full-delete" feature that Ashley Madison sells, promising "removal of site usage history and personally identifiable information from the site."
As Ars Technica reported in August 2014, Ashley Madison was charging £15 (about $20 then and about $23 now) to delete a user's data from its system.
The promise to scrub users' purchase details - including real name and address - was hollow, Impact Team claims:
Full Delete netted ALM $1.7mm in revenue in 2014. It's also a complete lie. Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.
For its part, ALM has published a statement on AshleyMadison.com denying those accusations - the full-delete feature works just as advertised, the company said - and announced that full-delete is now offered free of charge to all members:
Contrary to current media reports, and based on accusations posted online by a cyber criminal, the "paid-delete" option offered by AshleyMadison.com does in fact remove all information related to a member's profile and communications activity. The process involves a hard-delete of a requesting user's profile, including the removal of posted pictures and all messages sent to other system users' email boxes. This option was developed due to specific member requests for just such a service, and designed based on their feedback.
As our customers' privacy is of the utmost concern to us, we are now offering our full-delete option free to any member, in light of today's news.
It's not clear how much stolen data has been published, though Krebs reports that it looks like a relatively small percentage of user account data.
Nor do we know precisely what details that data included.
Krebs writes that the published samples, at least, appear to include account data for some of the site's 37 million users, company financial data such as salary figures, and even maps of the company's internal network.
On Monday morning, ALM announced that it had already used copyright infringement takedown requests to have "all personally identifiable information about our users" deleted from the unnamed websites where it was published.
That doesn't let users off the hook, unfortunately, given that the thieves can simply repost the stolen data elsewhere.
The Ashley Madison breach comes fast on the heels of a data breach in May of AdultFriendFinder - a similar site promising "discreet" hookups.
In the AdultFriendFinder breach about 3.9 million people had their private data, including personal emails, sexual orientation and whether they were looking to cheat on their partners, exposed on the Dark Web.
In another statement, ALM claimed there was nothing it could have done better to prevent the attack: "no company's online assets are safe from cyber-vandalism," despite having the "latest privacy and security technologies."
Impact Team agreed, apologizing to ALM's security head:
Our one apology is to Mark Steele (Director of Security). You did everything you could, but nothing you could have done could have stopped this.
Salting and hashing
Many questions remain unanswered, including how ALM stored users' passwords: were they properly salted and hashed, for example?
Hashing is the right way to store passwords because a hash is a one-way function: you can compute the hash from a password, but you can't recover the password from the hash.
Properly stored passwords are combined with a random string called a salt and then run through a deliberately slow password hash such as bcrypt, scrypt or PBKDF2, which repeats the work many thousands of times. The salt is unique for each user, so two users with the same password get different hashes and a precomputed table of hashes is useless; the repetition makes every guess expensive.
An attacker who makes off with a database full of hashes can't reverse them. Instead they have to crack them one by one: guess a candidate password, hash it with that user's salt, compare, and repeat.
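To make the salting and stretching concrete, here is an added Python example (not code from the article, from ALM or from Ashley Madison's systems) that stores passwords with PBKDF2-HMAC-SHA256 from the standard library, stores them the wrong way with unsalted MD5 for comparison, and runs a small dictionary attack against both. The usernames, passwords, wordlist and iteration counts are assumptions chosen for the demonstration; the cracking loops count hash computations so the cost difference is visible.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Assumption: 600,000 iterations is the commonly cited OWASP figure for
# PBKDF2-HMAC-SHA256; lower it only for tests, never in production.
DEFAULT_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.

    A fresh 16-byte random salt is drawn per call, so hashing the same
    password twice yields two different stored strings.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def unsalted_md5(password: str) -> str:
    """The weak scheme: fast, unsalted, identical output for identical passwords."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def crack_unsalted(leaked: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Dictionary attack on unsalted hashes.

    Each wordlist entry is hashed once and the result looked up against
    every user at the same time, so the work is len(wordlist) regardless
    of how many users share a password.
    """
    table = {unsalted_md5(w): w for w in wordlist}
    found = {user: table[h] for user, h in leaked.items() if h in table}
    return found, len(wordlist)


def crack_salted(leaked: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Dictionary attack on salted PBKDF2 hashes.

    The per-user salt means every guess must be recomputed for every user,
    and each computation costs the full iteration count.
    """
    found: Dict[str, str] = {}
    work = 0
    for user, stored in leaked.items():
        for guess in wordlist:
            work += 1
            if verify_password(guess, stored):
                found[user] = guess
                break
    return found, work


if __name__ == "__main__":
    # Constructed demo data; small iteration count so the demo runs quickly.
    words = ["letmein", "hunter2", "password123"]
    weak = {"alice": unsalted_md5("hunter2"), "bob": unsalted_md5("hunter2")}
    strong = {"alice": hash_password("hunter2", iterations=1000),
              "bob": hash_password("hunter2", iterations=1000)}
    print("unsalted:", crack_unsalted(weak, words))
    print("salted:  ", crack_salted(strong, words))
```

Note that the salted store still falls to the dictionary attack when the password itself is guessable; what the salt and the iteration count buy is that the attacker pays the full cost per user per guess, which is why the article's advice about strong, unique passwords is the other half of the defence.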
Did ALM store CVVs?
Another unanswered question: was ALM storing credit card security codes - also known as CVVs, CVV2, CID, or CSC - along with account information?
Let's hope not, given that it's a big no-no. The Payment Card Industry Data Security Standard (PCI DSS) specifically forbids storing a card's security code, the full "track data" encoded on the magnetic stripe on the back of the card, or the PIN once a transaction has been authorized, even in encrypted form; only the card number itself may be kept, and then only protected and masked when displayed.
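As an added example of what "don't store it" looks like in code (this is not the article's code and says nothing about how ALM actually handled payments), here is a Python filter that strips the fields PCI DSS classes as sensitive authentication data before a transaction record is persisted, masks the card number to the first six and last four digits after a Luhn check, and a small scanner that flags rows in an existing store that still carry such fields. The field names, the sample transaction and the masking format are assumptions for the demonstration.

```python
import re
from typing import Any, Dict, List

# Assumed column names for the data PCI DSS says must never be stored after
# authorization: card security codes, full magnetic-stripe track data, PINs.
FORBIDDEN_FIELDS = {"cvv", "cvv2", "cvc2", "cid", "csc",
                    "track1", "track2", "pin", "pin_block"}
PAN_FIELDS = {"pan", "card_number"}


def _norm(key: str) -> str:
    return key.lower().replace("-", "_")


def luhn_ok(pan: str) -> bool:
    """Luhn check digit test; every real PAN passes it, so it filters typos."""
    digits = [int(c) for c in pan if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits in the clear."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a valid PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitize_for_storage(txn: Dict[str, Any]) -> Dict[str, Any]:
    """Drop sensitive authentication data and mask the PAN before persisting."""
    clean: Dict[str, Any] = {}
    for key, value in txn.items():
        k = _norm(key)
        if k in FORBIDDEN_FIELDS:
            continue  # never written, not even encrypted
        if k in PAN_FIELDS:
            clean[key] = mask_pan(str(value))
        else:
            clean[key] = value
    return clean


def find_stored_sad(rows: List[Dict[str, Any]]) -> List[int]:
    """Return indices of rows that still contain sensitive authentication data."""
    return [i for i, row in enumerate(rows)
            if any(_norm(k) in FORBIDDEN_FIELDS for k in row)]


if __name__ == "__main__":
    # Constructed sample: Visa test number, fake CVV and track 2 data.
    sample = {"customer": "j.doe", "card_number": "4111 1111 1111 1111",
              "CVV2": "123", "track2": ";4111111111111111=2512101?", "amount_cents": 1999}
    print(sanitize_for_storage(sample))
    print(find_stored_sad([sample, sanitize_for_storage(sample)]))
```

The sanitizer belongs at the boundary where the authorization response comes back; once the processor has the code, the merchant has no further use for it, and a scan like `find_stored_sad` run over database exports and log files is how you confirm nothing slipped through into backups or debug output.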
Choose a strong, unique password
The attack on Ashley Madison is only the latest example of why it's imperative that we all choose strong, unique passwords - one site, one password.
It's bad enough that Impact Team is forcing users to suffer along with the company it's displeased with.
But once your password is out there it's trivial for crooks to try it on dozens of other popular sites to see if it works on those too.
Don't make it so easy for them.
Instead, cook up a good, unique password for every online account, and do it now.