In a move that is best described as a token gesture of apology, Avid Life Media is now allowing Ashley Madison users to “full delete” their data for free, waiving the usual £15/$20 fee.
Unfortunately, deleting your data from the Ashley Madison database now won’t help you if the Impact Team had already obtained your details during yesterday’s breach. Avid Life Media still isn’t commenting on the extent of the hack, and the hackers haven’t yet released any more of their purported cache of data.
Update, July 21 (06:18 EST): Avid Life Media, after an understandably frantic day yesterday, has pushed out a couple of statements that are meant to suggest that the database breach is now under control. As far as we’re aware, the Impact Team hasn’t yet released any more information, despite the fact that Ashley Madison and Established Men are still online.
The first statement from Avid Life Media acknowledged the hack had occurred, and included something of a non-apology to its customers: “We apologize for this unprovoked and criminal intrusion into our customers’ information.” The statement also said that they were working with law enforcement to find the perpetrators of this “act of cyber-terrorism.” (Their words, not mine.)
The second statement, from later in the day, said that Avid Life Media had been able to “secure our sites, and close the unauthorized access points.” Furthermore, the company said it used the DMCA to “successfully remove the posts related to this incident as well as all Personally Identifiable Information (PII) about our users published online.”
In addition, Avid Life Media stated that the “full delete” feature does fully expunge user data from the database, contrary to the claims of the Impact Team. Obviously we can’t confirm this.
Avid Life Media’s statements aren’t wholly satisfying. We have asked them numerous times to confirm the extent of the breach—did the hackers actually download all 37 million user profiles?—but they refuse to answer. Instead, this is what the PR agency gave us: “[Avid Life Media] would like to point out that they aren’t hiding from the press, but all their resources are currently being directed at the investigation.”
Ashley Madison, an online dating website that specifically targets people looking to have an affair, has been hacked by a group that calls itself Impact Team. A cache of data has been released by the Impact Team, including user profiles, company financial records, and “other proprietary information.” The company’s CEO, Noel Biderman, confirmed to KrebsOnSecurity that they had been hacked, but did not speak about the extent of the breach.
The Impact Team claims to have a “complete set of profiles” from the Ashley Madison user database, though so far it appears to only have released a small number of them. The hackers seem to have taken umbrage at both the concept of the site—the site’s slogan is “Life is short. Have an affair.”—and also the site’s “full delete” feature. Ashley Madison charges users $19 (£12) to completely erase their profile, but the hackers claim that the users’ details aren’t actually purged from the database. We actually wrote an in-depth piece on “full delete” back in 2014; at the time, we called it “not totally dishonest, but not totally honest either.”
Along with some user profiles, Impact Team also released some internal network maps, employee details and salary information, and company bank account data.
The Impact Team’s demands are pretty simple:
Avid Life Media [the owner of Ashley Madison] has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails. The other websites may stay online.
Established Men is another dating website owned by Avid Life Media. Instead of facilitating affairs, Established Men is all about connecting “attractive girls with successful and generous benefactors.”
If Avid Life Media doesn’t meet the hackers’ demands, “we’ll release [all of the data] soon if Ashley Madison stays online. And with over 37 million members, mostly from the US and Canada, a significant percentage of the population is about to have a very bad day, including many rich and powerful people.”
Noel Biderman, Avid Life Media’s CEO, confirmed that a hack had occurred, but not the extent of the hackers’ access to the company’s various databases and systems. Speaking to KrebsOnSecurity, Biderman said that the hack was probably an inside job: “We’re on the doorstep of [confirming] who we believe is the culprit, and unfortunately that may have triggered this mass publication. I’ve got their profile right in front of me, all their work credentials. It was definitely a person here that was not an employee but certainly had touched our technical services.”
Biderman didn’t say whether Avid Life Media would go ahead and shut down Ashley Madison and Established Men. Avid Life Media released an official statement on the hack this morning, though it was very thin on details. We’ll update this story if Impact Team makes good on its threat and releases the entire database of 37 million users.
In May this year, Adult Friend Finder was breached, with sensitive data pertaining to 4 million users finding its way onto the Internet. Back in 2013, Cupid Media, which runs a number of online dating websites, was breached by hackers; 42 million plaintext passwords were released as a result.