Affair Site Hackers Threaten Release of All User Data Unless It Closes

heretic108 writes: According to KrebsOnSecurity, the infamous Ashley Madison affairs hookup website has been hacked by a group calling itself The Impact Team. This group is demanding the immediate and permanent shutdown of Ashley Madison, as well as similar sites Cougar Life and Established Man, owned by the same company: Avid Life Media. If the sites aren't shut down, the hackers are threatening to publicly release personal data for 37 million users. ALM has confirmed that a hack took place, and the hackers posted snippets of account data, as well as bank and salary information from the company itself.

Here's Google's cache

[waspleg]

Even it seems to be getting the shit pounded out of it.

cache

archive.org's just goes back to the original, the original never worked for me and the rest are taking a long long time to load.

Re:Good thing I used CmdrTaco's info

[vivaoporto]

From The Guardian article (as the krebsonsecurity seems to be slashdotted):

The site, which encourages married users to cheat on their spouses and advertises 37 million members, had its data hacked by a group calling itself the Impact Team. At least two other dating sites, Cougar Life and Established Men, also owned by the same parent group, Avid Life Media, have had their data compromised.

"Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers' secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails. The other websites may stay online," the group's statement reads.

The hackers' main point of contention is with the fact that Ashley Madison charges users a fee of 15 pounds to carry out a "full delete" of their information if they decide to leave the site. Although users have the option of permanently hiding their profile free of charge, the company's advertisements claim that the full delete service is the only way to completely remove their information from the servers.

But the hackers say that that claim is âoea complete lieâ.

"Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed," they allege.

Here's the article text (it's slashdotted)

[ciaran2014]

Large caches of data stolen from online cheating site AshleyMadison.com have been posted online by an individual or group that claims to have completely compromised the company’s user databases, financial records and other proprietary information. The still-unfolding leak could be quite damaging to some 37 million users of the hookup service, whose slogan is “Life is short. Have an affair.”

The data released by the hacker or hackers — which self-identify as The Impact Team — includes sensitive internal data stolen from Avid Life Media (ALM), the Toronto-based firm that owns AshleyMadison as well as related hookup sites Cougar Life and Established Men.

Reached by KrebsOnSecurity late Sunday evening, ALM Chief Executive Noel Biderman confirmed the hack, and said the company was “working diligently and feverishly” to take down ALM’s intellectual property. Indeed, in the short span of 30 minutes between that brief interview and the publication of this story, several of the Impact Team’s Web links were no longer responding.

“We’re not denying this happened,” Biderman said. “Like us or not, this is still a criminal act.”

Besides snippets of account data apparently sampled at random from among some 40 million users across ALM’s trio of properties, the hackers leaked maps of internal company servers, employee network account information, company bank account data and salary information.

The compromise comes less than two months after intruders stole and leaked online user data on millions of accounts from hookup site AdultFriendFinder.

In a long manifesto posted alongside the stolen ALM data, The Impact Team said it decided to publish the information in response to alleged lies ALM told its customers about a service that allows members to completely erase their profile information for a $19 fee.

According to the hackers, although the “full delete” feature that Ashley Madison advertises promises “removal of site usage history and personally identifiable information from the site,” users’ purchase details — including real name and address — aren’t actually scrubbed.

“Full Delete netted ALM $1.7mm in revenue in 2014. It’s also a complete lie,” the hacking group wrote. “Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.”

Their demands continue:

“Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails. The other websites may stay online.”

A snippet of the message left behind by the Impact Team.

It’s unclear how much of the AshleyMadison user account data has been posted online. For now, it appears the hackers have published a relatively small percentage of AshleyMadison user account data and are planning to publish more for each day the company stays online.

“Too bad for those men, they’re cheating dirtbags and deserve no such discretion,” the hackers continued. “Too bad for ALM, you promised secrecy but didn’t deliver. We’ve got the complete set of profiles in our DB dumps, and we’ll release them soon if Ashley Madison stays online. And with over 37 million members, mostly from the US and Canada, a significant percentage of the population is about to have a very bad day, including many rich and powerful people.”

ALM CEO Biderman declined to discuss specifics of the company’s investigation, which he characterized as ongoing and fast-moving. But he did suggest that the incident may have been the work

Re:Good thing I used CmdrTaco's info

[tibit]

Given that it's rather easy to use a credit card with an assumed name, and also a fake billing address submitted while paying, I really don't see why the people who wanted to stay discreet/anonymous didn't do so.

In case anyone wanted to know how to do it, at least in the U.S. it's rather trivial:

1. Add an authorized user on your credit card account. The name can be fake. You'll get a card for that user.

2. Add a throwaway billing burner phone number on your account. Can be a $5 Tracfone from Walmart. This is optional only if the billing processor demands a phone number.

3. When registering/paying for AM, use the fake authorized user's card, and enter your address with a wrong name of the street. The ZIP and house number must match, the street name doesn't have to. The phone number should be the burner phone.

If the hackers get your data, all they have dirt on is a fictional character. This is 21st century, I thought every guy who knows how to use a bank account and a computer would know this shit?

Re:Go ahead

As a married man, the last thing I'd want in my life would be another woman. I can barely handle the one I have!

That's why -as the joke goes- an engineer should have a wife and a mistress. Both of them will assume you're spending time with the other, and during that time you can go to the lab and get soms work done.

Re:nothing new under the sun

[X0563511]

Heard on NPR this morning that they think it's an inside job, and has all the hallmarks of it being so.

Apparently someone got tired of the all unethical behavior. Something about an account being free to create, but $20 to delete (and then not really being removed, or something like that)

Re: Legal Obligations should make this obvious

[BarbaraHudson]

The site operates from Canada. The law (Personal Information Privacy and Electronic Documents Act, aka PIPEDA) requires that all personal private information be deleted when the purpose for gathering it has passed. ALM web sites were not allowed to keep a copy and then charge money to permanently scrub data on closed accounts. Class action suit, anyone?