shley Madison, a dating service that caters to married people or people in relationships seeking an affair, suffered a major security breach in August 2015. Impact Team – a hacker group – leaked personal details such as names, email addresses, credit card information, and sexual fantasies of about 30 million users of the service. The Ashley Madison hack was a historic data breach.
Learn about the Ashely Madison data leak and the controversies that followed.
How Did the Ashley Madison Hack Happen?
Founded in 2008, Ashley Madison runs a widely popular web service with the unashamed intention of helping married people have extramarital affairs. “Life is short. Have an affair.” is the company’s catchphrase.
In July 2015, hackers threatened to release company data including sensitive customer information. The hackers gave an ultimatum to Avid Life Media, the parent company, to permanently shut down Ashley Madison and Established Men – a sister hook-up site that linked young ladies to older successful men – within 30 days.
The hackers accused ALM of promoting extramarital affairs and prostitution. Impact Team called out the company out for not keeping its promise to delete user data from their website after users paid the required fee of $19. The data included site usage history and personal identifying information.
To drive their point home, the Impact Team published a file containing some of the company’s financial information, including employee salaries and profile details of two customers of the site.
The First Major Leak
On August 18, after the 30-day ultimatum had elapsed and the websites were still running, the hackers posted “Time’s up” on the dark web together with a BitTorrent tracker file cryptographically signed with a PGP key.
The tracker file was actually a compressed 10 GB file that contained usernames, passwords, home and email addresses, height, weight, sexual fantasies, the last four digits of credit card numbers and even GPS coordinates of millions of users as well as passwords for the site’s Windows domain, and PayPal account details of executives of the company.
The Second Major Leak
The second dump was on August 20, two days after the first. This data dump was quite different from the first in that it mostly contained the company’s internal Data, including a 19GB file of ALM’s CEO Noel Biderman’s emails, and Ashley Madison’s website source code.
The Third Major Leak
The Impact Team served a third-round of dumps. The leaked data included a list of government emails used to create user profiles, mailing addresses, IP addresses, the total amount spent on on-site purchases, and signup dates.
Authenticity of Leaked Data
The authenticity of some of the leaked data is still in contention. Accounts were often created without the consent of the real email address owners (sometimes as a prank). The site required the real owner of the account to pay $19 to permanently delete their profile. But they never deleted user data.
Cybersecurity experts noted that just because an email address was in the data leak didn’t mean the legitimate owner created a profile.
For instance, one of the email addresses appeared to have belonged to Tony Blair, a former UK prime minister. However, experts proved that the majority of the leaked data was authentic. Brian Krebs, a popular security expert, confirmed that lots of Ashley Madison account holders agreed.
The Aftermath of the Ashley Madison Hack
Avid Life Media released a statement condemning the hack. They called it an act of criminality. CEO Noel Biderman had to step down from his executive position, an action he claimed to have taken in the best interest of the company.
Subsequently, the company offered rewards for information about the hackers. The Police in Toronto also showed commitment to finding the culprits. The company together with the Canadian Police and US FBI worked to investigate the attack and arrest the perpetrators. A $500,000 bounty was offered for information on the Impact Team but no arrests have been made to date.
Canadian law firms Charney Lawyers and Sutts and Strosberg LLP filed a $567 million class-action lawsuit against ALM. The suit was on behalf of all Canadians citing the 30 million users whose information were published. They included the users who paid Ashley Madison’s permanent-delete fee but did not have their information erased in the suit as well. Ruby Corp (rebranded Avid Media) announced $11.2 million to settle the lawsuit.
Fallout of the Hack
Users with leaked information were targetted after the cyberattack. Josh Duggar, a reality TV star and Christian YouTube Sam Radar were among those that suffered public disgrace.
Numerous search websites popped up that allowed people to search for the emails of their colleagues or spouses. Some individuals and companies blackmailed users. Others received extortion emails requesting for bitcoin.
Customers of the website also suffered great psychological consequences resulting from the hack. Having to deal with an affair publicly hurt the victims as well as their spouses and children. A good number of those affected sank into depression and anxiety. Tragically, two suicides were traced to the hack, one of a pastor and professor at the New Orleans Baptist Theological Seminary.
Security researchers revealed poor security practices in Ashley Madison source code. It had hardcoded security credentials such as database passwords, API secrets, and SSL private keys. The online service also didn’t use email verifications to filter bots and prevent people from opening multiple fake accounts.
The only things they seemed to get right was not storing full credit card numbers on their servers. They made use of Bcrypt, a strong password-hashing function to hash customers passwords rather than leave them in plaintext.
The hack arguably made people more conscious of their data privacy and holding companies accountable.