Affair Site Hackers Threaten Release of All User Data Unless It Closes
heretic108 writes: According to KrebsOnSecurity, the infamous Ashley Madison affairs hookup website has been hacked by a group calling itself The Impact Team. This group is demanding the immediate and permanent shutdown of Ashley Madison, as well as similar sites Cougar Life and Established Men, owned by the same company: Avid Life Media. If the sites aren't shut down, the hackers are threatening to publicly release personal data for 37 million users. ALM has confirmed that a hack took place, and the hackers posted snippets of account data, as well as bank and salary information from the company itself.
People likely to have an affair will do so with or without a website...
You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
when I signed for ashleymadison.com
Life isn't like a box of chocolates. It's more like a jar of jalapenos. What you do today, might burn your ass tomorrow.
I get the feeling most of the profiles are fake anyway to pull in gullible males. Never give in to blackmail.
The first thing that came to mind when I heard of this site is "This is a prime target for a hacking/blackmail scheme." The only surprise here is that it didn't happen sooner.
Taking guns away from the 99% gives the 1% 100% of the power.
depends... are the hackers muslim?
...as revenge porn?
Andy Warhol got it right / Everybody gets the limelight
Andy Warhol got it wrong / Fifteen minutes is too long.
Now I'll get my listing circulated without paying a renewal fee!
Even it seems to be getting the shit pounded out of it.
cache
archive.org's just goes back to the original, the original never worked for me and the rest are taking a long long time to load.
If the hackers are muslim, it's just blackmail because you can't paint all muslims as terrorists.
If the hackers are white, especially white males, then it is lone wolf terrorism and we need to write all white men out of the history books, destroy monuments to any white men, etc. to atone.
One immoral act to shut down another immoral act
Let's see them try to roll out credit protection here. It better come with a box of chocolates, some roses, and a spa-treatment (or a 6-pack and tickets to your spouse's favorite event) because that credit score WILL go in the toilet.
Mod me down, I shall become more off-topic than you could possibly imagine.
we really needed moral superiority complex hackers....there's no hope for humanity...someone is always going to have the need to shove down someone else's throat their views.... no matter how 'smart' .... hope the aliens nuke this shithole asap...
"shut down your predatory sites or we will forcibly liberate 37 million victims of either abusive, dead end, loveless, or empty relationships and leave them to reconcile the adult responsibilities of integrity, trust, and honesty while potentially fostering an atmosphere of open discourse on the nature of marriage, divorce, alimony, custody, and child support."
Good people go to bed earlier.
Large caches of data stolen from online cheating site AshleyMadison.com have been posted online by an individual or group that claims to have completely compromised the company’s user databases, financial records and other proprietary information. The still-unfolding leak could be quite damaging to some 37 million users of the hookup service, whose slogan is “Life is short. Have an affair.”
The data released by the hacker or hackers — which self-identify as The Impact Team — includes sensitive internal data stolen from Avid Life Media (ALM), the Toronto-based firm that owns AshleyMadison as well as related hookup sites Cougar Life and Established Men.
Reached by KrebsOnSecurity late Sunday evening, ALM Chief Executive Noel Biderman confirmed the hack, and said the company was “working diligently and feverishly” to take down ALM’s intellectual property. Indeed, in the short span of 30 minutes between that brief interview and the publication of this story, several of the Impact Team’s Web links were no longer responding.
“We’re not denying this happened,” Biderman said. “Like us or not, this is still a criminal act.”
Besides snippets of account data apparently sampled at random from among some 40 million users across ALM’s trio of properties, the hackers leaked maps of internal company servers, employee network account information, company bank account data and salary information.
The compromise comes less than two months after intruders stole and leaked online user data on millions of accounts from hookup site AdultFriendFinder.
In a long manifesto posted alongside the stolen ALM data, The Impact Team said it decided to publish the information in response to alleged lies ALM told its customers about a service that allows members to completely erase their profile information for a $19 fee.
According to the hackers, although the “full delete” feature that Ashley Madison advertises promises “removal of site usage history and personally identifiable information from the site,” users’ purchase details — including real name and address — aren’t actually scrubbed.
“Full Delete netted ALM $1.7mm in revenue in 2014. It’s also a complete lie,” the hacking group wrote. “Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.”
Their demands continue:
“Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails. The other websites may stay online.”
A snippet of the message left behind by the Impact Team.
It’s unclear how much of the AshleyMadison user account data has been posted online. For now, it appears the hackers have published a relatively small percentage of AshleyMadison user account data and are planning to publish more for each day the company stays online.
“Too bad for those men, they’re cheating dirtbags and deserve no such discretion,” the hackers continued. “Too bad for ALM, you promised secrecy but didn’t deliver. We’ve got the complete set of profiles in our DB dumps, and we’ll release them soon if Ashley Madison stays online. And with over 37 million members, mostly from the US and Canada, a significant percentage of the population is about to have a very bad day, including many rich and powerful people.”
ALM CEO Biderman declined to discuss specifics of the company’s investigation, which he characterized as ongoing and fast-moving. But he did suggest that the incident may have been the work
Help build the anti-software-patent wiki
The majority of us can't even talk to women! Let alone get married and cheat on them.
Full disclosure: I'm not defending this company for what it does.
For those of you who were tired of the old criminal justice system, be careful what you wish for. To these hackers and many other people, the fact that this company is not illegal in the eyes of the old criminal justice system is irrelevant. To these hackers, it is amoral. These hackers have decided unilaterally what morality is, who is guilty, and how punishment will be executed. Publicly destroying people and businesses that somehow offend somebody else is now the new normal. The old system of justice won't protect you anymore because even if the old system catches these hackers, the damage will be done and can't be undone.
I'm not happy this is happening, but I do hope that when things like this happen it makes people think critically about putting their private lives and their means of communication on other people's servers (i.e. "the cloud").
It's folly to think that 37 million Facebook accounts, with all their private messages and chats, won't be the next.
Help build the anti-software-patent wiki
These hackers are a confusing lot. They make a decision to break laws and do unethical things in the name of morals. Is there a word for this kind of behavior?
Why would anyone using a cheaters' hookup site use their real name?
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
To be honest? The act is criminal, but if the affected want sympathy? They can find it in the dictionary between "shit" and "syphilis".
Quo usque tandem abutere, Nimbus, patientia nostra?
Everything is black and white to them, no shades of grey. They don't really understand the more complex levels of human nature and morality and try to fit it into their rather restricted mental box along with the typical teenage arrogance that makes them assume they're right about everything and everyone else is wrong.
Keep the site up and running, and RISK going out of business.
- or -
Go out of business and actually go out of business.
I wonder; what choice is a predatory, opportunistic venture bound to take?
Krebs is overloaded by train-wreck picnickers
Noel Biderman CEO of How Low Can We Go, trading as Avid Media.
Some of his demonstrably patent bullshit about their security.
"We have always had the confidentiality of our customers' information foremost in our minds, and have had stringent security measures in place".
Um, encryption - have you heard of it? And PCI - yeah, right, a bus protocol.
The "security" fail company - they would have done better employing CyCura® the "binary ex-situ bioremediation system".
I'm guessing they got confused and deployed this Cycura instead. Which'd explain why alarms didn't go off until after the successful attack. When their teeth started grinding.
Candidate for sociopath of the year award, Joel Eriksson, CTO, Cycura, we will continue to be a leader in the services we provide. "I have worked with leading companies around the world to secure their businesses. I have no doubt, based on the work I and my company are doing, Avid Life Media will continue to be a strong, secure business,".
Continue? Fail. To continue you need to start somewhere.
Secure? Fail.
Makes me wonder if he faked his widely promoted cracking of the Cicada.
This is the most interesting bit
Anyone else see similarities and strangely missing information?
His story.
He certainly fucked up big time "protecting" his client, and he shouldn't have (because he does seem to have the ability to know how to secure a system).
Curiouser and curiouser. But not so curious I want to follow that rabbit down a hole.
Yeah, but would you pay to get a delete from a criminal organization when the supposedly legit operation failed to do so? It is true that some of these criminal organizations have been known to have good "customer service" since their business model relies on someone actually trusting them to do what they say they are going to do, but it's still a huge gamble.
If I were one of those folks, I'd start rehearsing how I'd break it to my wife. That and/or start looking into divorce lawyers. Not doing anything and praying, ironically, might be your only other option.
I suspect 30+ million were 'just curious' after seeing AM's ads on TV. Hard to explain to the spouse, though.
If you post it, they will read.
Even if the bad guys are arrested today and the blackmail threat is gone, they will either be shut down from customer lawsuits or their customers will abandon them in droves, leading to bankruptcy.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
It was a spouse who found out their wife/husband cheated on them using such a web site and decided to go vigilante and make life a living hell for other cheaters.
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
I was only going there to buy snack cakes!
They just had 74 million prospective clients show up on their doorstep.
Harrison's Postulate - "For every action there is an equal and opposite criticism"
https://en.wikipedia.org/wiki/...
"If any question why we died, Tell them because our fathers lied."
Please release the data! I'm getting my popcorn ready to see the sparks fly, and who's getting divorced, or dropping out of the presidential race.
Just another day in Paradise
It's interesting from an employment perspective -- as more and more companies outsource everything, they have less control over who sees their data, and potentially have more people with axes to grind, or who could just make a quick buck more easily than an insider could. So the question is, if this blackmail thing becomes a trend, will companies stop completely trusting their contractors?
I made a similar comment about the OPM hack, someone replied to my comment, "you have been reading too much science fiction." Though it still sounds reasonable that outsourcing reduces direct costs but they also give up control. Getting back to original story, if the hack was an inside job then it doesn't matter what security measures are put in place.
mfwright@batnet.com
What is a marriage for? What are the legal and social issues surrounding it?
In ye olde days a marriage was a contract, essentially, to provide for a family whilst raising children. Someone's gonna be out of work doing daycare duty, and that person is going to be at risk without a career. A marriage is essentially buying them out of the employment pool and the responsibility of working so that attention can be paid to raising a family.
In really olde days there was even a transfer of wealth in order to buy the child-bearing abilities of girls. They'd literally trade them for goats and cows. Y'know what, that sounds horrendous but it all worked out and we're all here.
Fast-forward to today. The modern woman has a lot of choices to make. One of those is the option to remain child-free. If a marriage isn't about raising children anymore then what's it about? A promise of fidelity? (for some arbitrary definition of fidelity). A promise to cook dinner on Friday night? A promise to talk about what's happening on TV? What are the core concepts of a marriage?
And before judging everyone unilaterally you might consider that some people on that website have spouses that *know* they're on that website. What's more they might have talked about it and they might both be "totally okay with it". Judging people by our own standards can be dangerous, as this hack shows. All these people are going to get painted with a really bad and really large brush no matter what the truth is now. The response proves they'll get no trial in the social justice system.
Hmm... Woman falls in between wolverine and wombat. No, I have no idea where I was going with that. Just an observation as you made me think about it with your sympathy remark.
"So long and thanks for all the fish."
It will become more powerful than you can imagine...
Please do not read this sig. Thank you.
SELECT * FROM ashleymadison WHERE match(email, ".gov")
Really, though, it would be useful to remind lots of anti-privacy Feds that encryption is important for lots of things, including protecting civil liberties and keeping them from getting into trouble with their spouses and potentially losing their jobs.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
> You mean 1.44 billion?
I mean, getting 37 million would only require access to a quarter of a percent of Facebook's data, so a hack on this scale shouldn't be hard to imagine.
Help build the anti-software-patent wiki
> Facebook doesn't have [...] verifiable identities and proof of cheating
I think you'll find it has both.
If an account has been posting photos of your personal life and having chats with your spouse, your family and your friends, do you really think anyone needs more verification that it's your accounts? Even if the account is under your nickname, everyone who knows you through that account knows that you are you.
And if you're cheating and you met this person via Facebook, or communicated with them via Facebook then just try denying it when your spouse sees the chat logs.
Help build the anti-software-patent wiki
The best that any company can do is reduce things down to a real name and transaction number, which could then be cross referenced (perhaps externally) to find payment data. Deleting "all" data would be a breach in law, as you are required to maintain financial records for at least 7 years. There is no restriction for credit card purchases, compliance testing just ensures that you are not keeping Card data and PII data like PIN numbers and SSN.
Sneaker-net is the only answer here, and it's difficult to maintain feasibility on a web site to begin with. And we all know what happens when people need bonus checks and higher profit margins. Why do you think we have all those articles on the risks to our power plants and water treatment facilities? When the Government with the biggest budget in world history won't pay a few bucks for it.. well why would you expect any different behavior from others?
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
> This is \.
This is backslash dot?
Perhaps so; but We, the Righteous, will hack them all and show our moral superiority!
They deserve it anyways, for not doing sufficient penetration testing.
Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
If you were STUPID enough, to give a "cheaters" website your REAL name, REAL address, REAL bank information, REAL personal information, then you deserve to be hacked and exposed as the lying cheating SOB that you really are, regardless if you are a man or woman, or other.
I'd be very interested in seeing which member profiles are conspicuously absent from the leak.
Ignoring the moral implications of cheating, I think the fact Ashleymadison.com charged an extra fee for the 'full delete' feature, which did nothing, is the real problem here.
Well, also the fact people actually trusted Ashleymadison to honour something they couldn't possibly verify :D
This, of course, makes good food for thought when other sites promise to treat your private data carefully. And even moreso if they charge you for that privilege.
Always read at -1, don't let others decide what you should and should not read.
The Puritanism is strong in this thread.
To have a right to do a thing is not at all the same as to be right in doing it
Probably a result of ashleymadison going after lowest bidder contracts when trying to get their security sorted. You get what you pay for.
What I found most interesting was the similarity between the correspondence Joel Eriksson of Cycura says he had with the "people" (person?) behind Cicada 3301 and the nature and wording of the "attackers" demands/claim of responsibility for the ashleymadison breach.
And his company (basically just him) is very unlikely to be the lowest bidder, he's also much more of an attacker and cryptographer than a security engineer.
There is no puritanism here, merely a respect for marital trust, and the unwillingness to violate it.
Marriage isn't a mere contract that you can seek out loopholes for, or something you do just so that you can have sex-on-demand. It's a commitment; a sacred trust between two individuals who become as one in spirit. You do this for life, and bind your lives and fortunes together.
Many things are negotiable in this world, even in marriage - but remaining faithful to someone you are married to is not something you can (or should ever) negotiate over. If you haven't the maturity to understand that, then don't get married.
Quo usque tandem abutere, Nimbus, patientia nostra?
The reasons why folks marry have changed over time, but until recently, the basic principles of it have not (even if people routinely violate said principles.)
Yes, I'm fully aware of "open" marriages - few of them last very long, at least judging from folks in my social circles. Then again, why would they be embarrassed by the revelation of their names on such a website? Are you saying that even a quorum (let alone a majority) of the folks on that site practice such relationships? If so, the revelation of their names shouldn't be a problem (though actively seeking to hook up with folks from non-open marriages is rather questionable). I'm more than willing to wager that the vast majority of the users are keeping up a façade at home while cruising for some strange on the website.
All these people are going to get painted with a really bad and really large brush no matter what the truth is now.
Sleep with dogs, wake up with fleas. There are most likely websites out there for folks in open marriages to meet up and do whatever they please... can't really bring myself to feel sorry for 'em.
Quo usque tandem abutere, Nimbus, patientia nostra?
There are 37 million users on these web sites? 37 MILLION? I assume they operate internationally. Assume also that this represents only a subset of the total cheater population (web-based, non-web-based). Yikes...it would be fascinating to search through the names.
On one hand, I'm against cheating and I expect all adults to be able to take responsibility for their own actions.
On the other hand, I do not feel I have the authority to tell another person how they should live their lives. If you wanna cheat, go right ahead. I'll think you a piece of shit for it, but I won't stop you.
My only problem is when people get purposefully hurt, or their personhood is violated.
how many people are actually that stupid!
- X/Y -
Of course cheating is immoral. But so is hacking and publishing personal information. Actually that is worse. Cheating is just immoral, but not a crime. Hacking and violation of privacy is immoral AND a crime punishable by law. Besides who says the account info is correct? What if people make accounts using someone else's name? I would assume that if you want to start an affair you won't use your own name and address. People who don't cheat can get in trouble because people use their names on this site.