Ashley Madison Users Targeted By Extortionists

At least two unconfirmed suicides linked by police to Ashley Madison data breach, as the site’s parent company is hit with another lawsuit

At least two people may have killed themselves in acts linked to last week's release of user data from extramarital affairs website Ashley Madison, according to Toronto police, who warned of extortion scams and other dangerous effects caused by the breach.

Meanwhile, the site’s parent company, Avid Life Media (ALM), was targeted by a California lawsuit alleging negligence, as it also emerged that ALM executives discussed the hack of a competitor.

Extortion

At a Monday press conference held by Toronto police, ALM said it would offer a C$500,000 (£240,000) reward for help in catching the attacker or attackers known as “Impact Team”, who released stolen data on more than 30 million Ashley Madison users last week.

The site advertises itself as facilitating extramarital affairs, although critics have pointed out that most of those who signed up are unlikely to have actually carried out such affairs, since only a small percentage of users are female, the other female profiles being “fictional”, as acknowledged by ALM.

Having an account associated with the site can nevertheless be damaging, according to Toronto Police acting staff superintendent Bryce Evans, who told the conference that the breach had spurred email-based extortion attempts and at least two unconfirmed suicides.

“Your data was leaked in the recent hacking of Ashley Madison and I now have ALL your information,” reads an extortion email provided by Toronto police. The email goes on to demand payment of about £146 in Bitcoin or the sender will reveal the information to the recipient’s “friends and family… and perhaps even your employers too”.

The email addresses in the cache have also been targeted by private investigative services with marketing emails offering to help users find out what is known about them, according to reports.

The data cache included numerous addresses associated with US and UK government officials and the US military, as well as prominent European and North American businesses.

No ‘fun and games’

Evans called on other hackers to help bring “Impact Team” to justice.

Addressing “Impact Team” directly, he said, “Your actions are illegal and will not be tolerated. This is your wake-up call.”

Police declined to provide details of the unconfirmed suicide reports, which they said were received on Monday morning.

“The reality is … this is not the fun and games that has been portrayed,” Evans said.

The US Department of Homeland Security has joined the investigation, in which the FBI and Canadian federal and provincial police are also assisting, according to police.

Evans said ALM became aware of the breach on the morning of 12 July, when several employees switched on their computers to see the hackers’ initial message accompanied by AC/DC’s “Thunderstruck”. The song is the same played by malware that allegedly penetrated systems used to help run Iran’s nuclear programme in 2012, although Iran officially denied that incident.

The hackers went public with the same message, which demanded that Ashley Madison and another site called Established Men be shut down, on 20 July, and they published the full data cache a month later.

Class-action lawsuits

ALM was targeted by a Canadian class-action lawsuit last week seeking C$760m in damages, and that was joined this week by a suit filed in a California federal court by a “John Doe” seeking unspecified damages for negligence, invasion of privacy and causing emotional distress.

The new suit, which seeks class-action status, claims ALM could have prevented the breach if it had taken “necessary and reasonable precautions to protect its users’ information, by, for example, encrypting the data”. The case is No. 15-cv-06405, filed in the US District Court for the Central District of California.

Competitor hacked

Separately, corporate emails published by the hackers indicate that chief executive Noel Biderman discussed the hack of a rival website with founding chief technology officer Raja Bhatia in 2012, according to a report.

In an email dated 30 November, 2012, Bhatia informed Biderman of a security hole in the software of nerve.com, a competitor at the time, and said he had successfully downloaded “their entire user base”, providing a link to a sample of the database, according to security journalist Brian Krebs.

Bhatia said he had gained control over the site’s administrative functions. “I can turn any non paying user into a paying user, vice versa, compose messages between users, check unread stats, etc,” he reportedly wrote.

More data to come?

Krebs noted that the email archive includes sensitive documents such as a scan of Biderman’s driver’s licence, copies of personal cheques, bank account numbers, his home address and income statements for the past four years.

He noted that “Impact Team” has not yet released data from ALM’s Established Men, meaning more data may yet be published online.

The emails also reportedly contain a 100-page screenplay Biderman helped write that revolves around a fictionalised version of Ashley Madison.

Marc Morgenstern, named as Biderman’s co-writer on the project, directed a 2012 documentary called “Affairs Across America: The Ashley Madison Story”.
