Large caches of data stolen from online cheating site AshleyMadison.com have been posted online by an individual or group that claims to have completely compromised the company’s user databases, financial records and other proprietary information.
This is according to the KrebsOnSecurity blog, with says the still-unfolding leak could be quite damaging to some 37-million users of the hook-up service, whose slogan is “Life is short. Have an affair”.
The data released by the hacker or hackers — which self-identify as The Impact Team – includes sensitive internal data stolen from Avid Life Media (ALM), the Toronto-based firm that owns AshleyMadison as well as related hook-up sites Cougar Life and Established Men.
Contacted by KrebsOnSecurity late Sunday evening, ALM chief executive Noel Biderman confirmed the hack, and says the company was “working diligently and feverishly” to take down ALM’s intellectual property.
Besides snippets of account data apparently sampled at random from among some 40-million users across ALM’s trio of properties, the hackers leaked maps of internal company servers, employee network account information, company bank account data and salary information.
In a long manifesto posted alongside the stolen ALM data, The Impact Team says it decided to publish the information in response to alleged lies ALM told its customers about a service that allows members to completely erase their profile information for a $19.00 fee.
According to the hackers, although the “full delete” feature that Ashley Madison advertises promises “removal of site usage history and personally identifiable information from the site,” users’ purchase details – including real name and address – aren’t actually scrubbed.
The group further demands: “Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails. The other websites may stay online.”
It’s unclear how much of the AshleyMadison user account data has been posted online. For now, it appears the hackers have published a relatively small percentage of AshleyMadison user account data and are planning to publish more for each day the company stays online.
ALM released the following statement following the attack: “We were recently made aware of an attempt by an unauthorised party to gain access to our systems. We immediately launched a thorough investigation utilising leading forensics experts and other security professionals to determine the origin, nature, and scope of this incident.”
“We apologise for this unprovoked and criminal intrusion into our customers’ information. The current business world has proven to be one in which no company’s online assets are safe from cyber-vandalism, with Avid Life Media being only the latest among many companies to have been attacked, despite investing in the latest privacy and security technologies.”
“We have always had the confidentiality of our customers’ information foremost in our minds, and have had stringent security measures in place, including working with leading IT vendors from around the world. As other companies have experienced, these security measures have unfortunately not prevented this attack to our system.”
“At this time, we have been able to secure our sites, and close the unauthorised access points. We are working with law enforcement agencies, which are investigating this criminal act. Any and all parties responsible for this act of cyber–terrorism will be held responsible.”
“Avid Life Media has the utmost confidence in its business, and with the support of leading experts in IT security, including Joel Eriksson, CTO, Cycura, we will continue to be a leader in the services we provide. “I have worked with leading companies around the world to secure their businesses. I have no doubt, based on the work I and my company are doing, Avid Life Media will continue to be a strong, secure business,” Eriksson says.