The attacker has threatened to release a ‘complete’ customer database unless the site is shut down
A hacker is publishing data from online cheating site Ashley Madison after apparently gaining access to the company’s internal databases.
Ashley Madison claims to have 37 million users, and the breach also appears to have affected two other dating sites, Cougar Life and Established Men, which are owned by the same Toronto-based parent company, Avid Life Media (ALM).
The company said it is “working with law enforcement agencies” to investigate the incident.
“We apologise for this unprovoked and criminal intrusion into our customers’ information,” ALM said in a statement. “The current business world has proven to be one in which no company’s online assets are safe from cyber-vandalism, with Avid Life Media being only the latest among many companies to have been attacked, despite investing in the latest privacy and security technologies.”
ALM added that it has now “been able to secure our sites, and close the unauthorised access points”, but didn’t offer further details.
The attacker or attackers, who used the name Impact Team, have so far released samples of account data as well as maps of internal company servers, employee network account information, company bank account data and salary details, according to reports.
ALM chief executive Noel Biderman told IT security journalist Brian Krebs, who initially reported the breach late on Sunday, that the company believes the attacker may have been a former contractor at the company.
“We’re on the doorstep of [confirming] who we believe is the culprit, and unfortunately that may have triggered this mass publication,” Biderman told Krebs.
In a statement accompanying the leaked data, Impact Team includes an “apology… to Mark Steele (Director of Security)”, which may support the theory that a contractor was involved.
The statement accuses ALM of misrepresenting a service called Full Delete, which, for a £15 fee, is advertised as offering “removal of site usage history and personally identifiable information from the site”.
The service may remove profile information, but it does not delete payment data, which includes users’ real names and addresses, according to Impact Team.
“Users almost always pay with (a) credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed,” the group stated.
Further release threatened
According to the statement, Impact Team has demanded Ashley Madison and Established Men be taken offline permanently, “or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails”.
The group said it has a “complete set of profiles in our DB dumps”, which means that “a significant percentage of the population is about to have a very bad day, including many rich and powerful people”.
The breach of Adult FriendFinder in May resulted in the release of users’ email addresses, usernames, dates of birth, postcodes and computer IP addresses, as well as their sexual preferences and whether they are seeking extramarital affairs.