There’s trouble brewing for 37 million would-be adulterers Monday after cheating site Ashley Madison (motto: “Life is short. Have an affair”) fell victim to hackers who claim to have captured the personal information of all its users.
According to the blog Krebsonsecurity.com, the group behind the attack, which calls itself “The Impact Team”, has demanded that Avid Life Media, the company behind Ashley Madison, take the site down permanently along with its sister site Establishedmen.com. If it doesn’t, the hackers threaten to publish the whole data dump a little at a time, including users’ real names, credit card numbers and sexual fantasies. (Oddly, the group seems to have allowed Cougarlife.com, a site for hooking up older women with “young studs”, to carry on unmolested.)
“Too bad for those men, they’re cheating dirtbags and deserve no such discretion,” the hackers said in a manifesto. “Too bad for ALM, you promised secrecy but didn’t deliver. We’ve got the complete set of profiles in our (database) dumps, and we’ll release them soon if Ashley Madison stays online. And with over 37 million members, mostly from the U.S. and Canada, a significant percentage of the population is about to have a very bad day, including many rich and powerful people.”
The threatened release of the information would expose ALM to legal action from users whose privacy it had promised to defend, the hackers claimed.
The hackers said they had acted to punish ALM for ‘lying’ about its ‘full delete’ service, which charges a $19 fee for deleting not only users’ personal details, but also any messages and images sent to other members.
ALM chief executive Noel Biderman confirmed the leak to Krebsonsecurity. Biderman suggested that the incident might be traceable to someone who had had legitimate access to the company’s data in the past.
“We’re on the doorstep of [confirming] who we believe is the culprit, and unfortunately that may have triggered this mass publication,” Biderman told Krebsonsecurity. “I’ve got their profile right in front of me, all their work credentials. It was definitely a person here that was not an employee but certainly had touched our technical services.”
In a statement later, Avid Life said it had engaged one of the world’s top IT security firms to mitigate the attack. It said it had removed the posts relating to the attack, as well as all Personally Identifiable Information about its users that had been published online.
“Our team of forensics experts and security professionals, in addition to law enforcement, are continuing to investigate this incident,” the company said.
The attack, which comes only weeks after a similar breach at the operator of Adultfriendfinder.com, appears to have done for any reasonable chance of ALM conducting the $200 million initial public offering that it had planned in London for later this year.