Hackers calling themselves Impact Team recently published almost 10 GB of data they claim was taken from the adultery website AshleyMadison.com, which boasts the tagline, “Life is short. Have an affair.”
In July, Impact Team claimed to have stolen information on the site’s 37 million users, and threatened to release all customer records if parent company Avid Life Media didn’t take both Ashley Madison and parallel site Established Men offline.
One month after the initial breach was disclosed, Impact Team released the data, along with a message stating, “Avid Life Media has failed to take down Ashley Madison and Established Men. We have explained the fraud, deceit, and stupidity of ALM and their members. Now everyone gets to see their data.”
TrustedSec reports that the data dump contains full names, user names, passwords, street addresses, and the last four digits of credit card numbers. According to CSO Online, of the 36 million records leaked, more than 15,000 use a .mil or .gov email address.
Investigative reporter Brian Krebs, who first broke the news of the breach last month, recently spoke with three separate sources who confirmed that their information was in the leaked database.
“I’m sure there are millions of AshleyMadison users who wish it weren’t so, but there is every indication this dump is the real deal,” Krebs wrote.
In a statement, Avid Life Media said, “This event is not an act of hacktivism, it is an act of criminality. It is an illegal action against the individual members of AshleyMadison.com, as well as any freethinking people who choose to engage in fully lawful online activities. The criminal, or criminals, involved in this act have appointed themselves as the moral judge, juror, and executioner, seeing fit to impose a personal notion of virtue on all of society.”
“We know that there are people out there who know one or more of these individuals, and we invite them to come forward,” the company added. “While we are confident that the authorities will identify and prosecute each of them to the fullest extent of the law, we also know there are individuals out there who can help to make this happen faster.”
Mike Hamilton, vice president of products at Ziften, told eSecurity Planet by email that the sheer size of the data dump suggests that the attackers remained undetected within Ashley Madison’s network for a long time. “This has become all too common in data breaches today as hackers fly under-the-radar stealing information,” he said.
“The fact of the matter is that breaches are going to continue to happen; no blocking technique has proven 100 percent against stopping threats,” Hamilton added. “But what IS in the hands of organizations is the ability to rapidly detect and respond to these attacks, limiting the loss of data and damage to the company, its reputation, and its customers that can potentially occur.”
And James Maude, senior security engineer at Avecto, said the stolen data could have a far greater impact than simple embarrassment for those exposed. “If a hacker, terrorist or foreign state has access to both the Ashley Madison breach and the Office of Personnel Management breach, for example, it would be trivial to cross reference the two,” he said. “This would provide a list of security cleared individuals at all levels of government who could potentially be blackmailed, coerced or manipulated.”
A recent eSecurity Planet article offered advice on improving database security.