Slashdot Mirror


Ashley Madison Security Protocols Violated Canada, Austrialia Privacy Laws (www.cbc.ca)

The Office of the Privacy Commissioner of Canada said Tuesday that the Canada-based online dating and social networking service Ashley Madison used inadequate privacy and security technology while marketing itself as a discreet and secure way for consenting adults to have affairs. CBC.ca reports: "In a report Tuesday, the privacy watchdog says the Toronto-based company violated numerous privacy laws in Canada and abroad in the era before a massive data breach exposed confidential information from their clients to hackers. The hack stole correspondence, identifying details and even credit card information from millions of the site's users. The resulting scandal cost the company about a quarter of its annual revenues from irate customers who demanded refunds and cancelled their accounts. Working with a similar agency in Australia, the privacy group says the company knew that its security protocols were lacking but didn't do enough to guard against being hacked. The company even adorned its website with the logo of a 'trusted security award' -- a claim the company admits it fabricated." The report found that "poor habits such as inadequate authentication processes and sub-par key and password management practices were rampant at the company" and that "much of the company's efforts to monitor its own security were 'focused on detecting system performance issues and unusual employee requests for decryption of sensitive user data.'" What's more, Ashley Madison continued to store personal information of its users even after some of them had deleted or deactivated their account(s). These people then had their information included in databases published online after the hack.

29 comments

  1. Icehot1 by Anonymous Coward · · Score: 0

    If it was that bad, did anyone score? Should sites like that include more details about how private data is stored?

    1. Re:Icehot1 by Anonymous Coward · · Score: 0

      There were some scores, yes, but those were likely the sort of people who didn't need an online site to score to begin with. So basically any real woman, and the most attractive men who happened to win the lottery and live in an area where there was actually a real woman posting from.

      There was at least one report of a woman using it to get laid on demand, although why she needed that site and didn't just post on OkCupid or Tinder, I could not say. So, that means probably about a dozen guys got some poon to be sure.

      Probably a few thousand maybe even tens of thousands got laid, but out of millions of subscribers, a pathetically small percentage.

    2. Re:Icehot1 by Anonymous Coward · · Score: 0

      Yes, I'm posting as AC for obvious reasons. I can say I did "score" on this site pre-breach. It was not easy. It was a tough lesson weeding out the bots. But there were real people on that site, believe it or not. And after talking to some women on that site, it was like a feeding frenzy on women. I'm guessing the real ratio of men to women was somewhere around 10:1. And yes, I was a paying member and my info was part of the data dump released...

  2. so, are they going to find the culprit? by HBI · · Score: 1

    Or just take the easy way out and blame the company?

    --
    HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
    1. Re:so, are they going to find the culprit? by tnk1 · · Score: 1

      I imagine they will try and find the culprit, but there will be little political pressure to keep the case going if it becomes difficult.

    2. Re:so, are they going to find the culprit? by HBI · · Score: 1

      There are lots of people angry at that person(s). I think if they were identified, vigilante justice would be likely.

      --
      HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
    3. Re:so, are they going to find the culprit? by AHuxley · · Score: 1

      Have Australian Signals Directorate put in a tasking request to the NSA to rewind the internet a bit?

      --
      Domestic spying is now "Benign Information Gathering"
  3. Slashdot, fix your data:text/html;base64 ad spam by LordKronos · · Score: 2, Informative

    This is twice in the last couple of days: I've been browsing slashdot comments on my android phone in chrome, and suddenly my browser is redirected to a spammy page with a data:text/html;base64 url. The full URL is below. The spammy website won't let me go back and just keeps me on the page. This shit is unacceptable slashdot. Fix your fucking advertisers.

    Filter error: That's an awful long string of letters there.

    Yeah, it's a long fucking string of letters. You should know. You gave it to me to begin with. OK, since I can't post it, I'll pastebin it:

    http://pastebin.com/PVumFUiA

  4. By any other name. by rmdingler · · Score: 2
    tldr: Company fails to uphold implied electronic version of discretion etiquette.

    We could just have one rule, and it would be likely as efficacious as the convoluted, attorney-necessary system we presently operate under.

    A corporate entity that promises something they don't deliver has to forego executive bonuses this year. And maybe next year's, depending on whether or not the beaver sees his shadow.

    --
    Happiness in intelligent people is the rarest thing I know.

    Ernest Hemingway

    1. Re:By any other name. by Anonymous Coward · · Score: 0

      We didn't promise it, we stated it. And they're not bonuses, they're incentives and merit increases. And although it appeared the beaver saw its shadow, the act of "seeing" is subjective. The beaver hasn't yet commented on whether or not the shadow was seen. If the beaver were to have commented, we might have to question the sanity of a talking beaver, or whether a beaver which talks is a beaver at all.

    2. Re:By any other name. by sjames · · Score: 1

      Bzzt, charter revoked. Thanks for playing.

  5. how are they still an operating business? by ferret4 · · Score: 2

    what does it take to put someone out of business? Isn't there a legal responsibility (in Australia and Canada at least) to shut this business down until they can prove they're no longer being criminally negligent and deceptive?

  6. Re:Slashdot, fix your data:text/html;base64 ad spa by Anonymous Coward · · Score: 2, Informative

    FYI it decodes to the following:

    <!DOCTYPE html><html><head><meta name="viewport" content="width=device-width, user-scalable=false, initial-scale=1.0, maximum-scale=1.0"></head><body><div id="ifrm" style="padding:0; margin:0;"><iframe src="https://s3.amazonaws.com/www.aotq4jgqy9n71.info/US/k3j4j324324llll1111.html" style="top:0; left:0; width:100%; height:100%; position: absolute; border:0" scrolling="yes" allowFullScreen="yes"></iframe></div></body></html>

    "www.aotq4jgqy9n71.info" sure sounds like a totally reputable advertiser! Loading the page, it appears to be a scam claiming I won a free iPhone. They're illegally misappropriating a few Facebook trademarks. Answering the survey questions, I can reserve my free new iPhone by clicking a link to:

    http://qswotrk.com/mt/03644364...

    That redirects through a few different servers, ultimately landing me at:

    http://www.onlinelectronicsusa...

    If these ads are really being served by Slashdot, that's pretty fucking shady. As a bonus, I wonder who's hosting these scammers?

    $ host onlinelectronicsusa.com
    onlinelectronicsusa.com has address 104.28.31.128
    onlinelectronicsusa.com has address 104.28.30.128

    Oh, surprise surprise!

    NetRange: 104.16.0.0 - 104.31.255.255
    CIDR: 104.16.0.0/12
    NetName: CLOUDFLARENET

    If CloudFlare would stop providing bulletproof hosting for criminals and spammers, the internet would be a better place. But CloudFlare apparently loves its criminal customers. DDoS purveyors, terrorist websites, malware distributors, CloudFlare seems to welcome them all to its hive of scum and villainy. Maybe it's time to revive the concept of the Usenet Death Penalty and apply it to all traffic to and from CloudFlare. They're the sewer of the internet and should be null routed and de-peered.

    See also: CloudFlare Watch
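The decoding and attribution the comment above walks through by hand, as an added example that is not part of the thread: decode a data:text/html;base64 URL, parse the resulting markup for anything that loads or navigates elsewhere (iframe/script src, meta refresh, form action, links), and pull out the hostnames and any S3 bucket name that is itself dressed up as a domain. The sample data: URL is constructed here by re-encoding the markup the commenter posted, so the script runs offline; the function names and the hypothetical meta-refresh input in the usage are this example's own, not Slashdot's or the advertiser's code.

```python
"""Decode a data: URL and report where the embedded page really sends the browser.

Added example, not from the Slashdot thread. The markup below is the decoded
iframe page the commenter posted; the data: URL is rebuilt from it so that the
script is self-contained.
"""
import base64
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Constructed input: the commenter's decoded markup, base64-encoded back into the
# kind of data: URL the ad redirected to. (The pastebin contents are not reproduced.)
DECODED_MARKUP = (
    '<!DOCTYPE html><html><head><meta name="viewport" content="width=device-width, '
    'user-scalable=false, initial-scale=1.0, maximum-scale=1.0"></head><body>'
    '<div id="ifrm" style="padding:0; margin:0;"><iframe src="https://s3.amazonaws.com/'
    'www.aotq4jgqy9n71.info/US/k3j4j324324llll1111.html" style="top:0; left:0; '
    'width:100%; height:100%; position: absolute; border:0" scrolling="yes" '
    'allowFullScreen="yes"></iframe></div></body></html>'
)
SAMPLE_DATA_URL = "data:text/html;base64," + base64.b64encode(DECODED_MARKUP.encode()).decode()


def decode_data_url(url):
    """Return (mediatype, body) for a data: URL; handles base64 and percent-encoded bodies."""
    if not url.startswith("data:"):
        raise ValueError("not a data: URL")
    header, _, body = url[5:].partition(",")
    params = header.split(";")
    mediatype = params[0] or "text/plain"  # RFC 2397 default
    if "base64" in params[1:]:
        body = body + "=" * (-len(body) % 4)  # tolerate stripped padding
        return mediatype, base64.b64decode(body).decode("utf-8", "replace")
    return mediatype, unquote(body)


class _LoaderCollector(HTMLParser):
    """Collect every URL the page would load or navigate to."""
    LOADER_ATTRS = {("iframe", "src"), ("script", "src"), ("form", "action"),
                    ("meta", "content"), ("a", "href"), ("object", "data"), ("embed", "src")}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for t, a in self.LOADER_ATTRS:
            if tag != t or not attrs.get(a):
                continue
            val = attrs[a]
            if tag == "meta":
                # Only <meta http-equiv="refresh" content="0;url=..."> navigates.
                if (attrs.get("http-equiv") or "").lower() != "refresh":
                    continue
                m = re.search(r"url\s*=\s*['\"]?([^'\"]+)", val, re.I)
                if not m:
                    continue
                val = m.group(1).strip()
            self.urls.append(val)


def extract_loaded_urls(markup):
    """Every src/href/action/refresh target found in the markup, in document order."""
    p = _LoaderCollector()
    p.feed(markup)
    return p.urls


def analyze(url):
    """Decode a data: URL and summarise the external hosts and S3 buckets it pulls in."""
    mediatype, markup = decode_data_url(url)
    loaded = extract_loaded_urls(markup) if mediatype.startswith("text/html") else []
    hosts = sorted({urlparse(u).hostname for u in loaded if urlparse(u).hostname})
    # A bucket named like a domain (s3.amazonaws.com/www.example.info/...) hides the
    # real operator behind a reputable hostname; surface the bucket name separately.
    buckets = set()
    for u in loaded:
        parsed = urlparse(u)
        parts = parsed.path.split("/")
        if parsed.hostname == "s3.amazonaws.com" and len(parts) > 1 and parts[1]:
            buckets.add(parts[1])
    return {"mediatype": mediatype, "loaded_urls": loaded,
            "hosts": hosts, "s3_buckets": sorted(buckets)}


if __name__ == "__main__":
    report = analyze(SAMPLE_DATA_URL)
    for k, v in report.items():
        print(f"{k}: {v}")
```

The S3 bucket name is the piece worth keeping from a report like this: the hostname in the iframe is Amazon's, so blocking on host alone tells you nothing, while the bucket name is what identifies the operator and is what you would then resolve or look up in a bulk-registration list, as the commenter did with the landing domain.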

  7. Where in the world is... by lloy0076 · · Score: 2

    AUSTRIALIA?

    1. Re:Where in the world is... by quenda · · Score: 1

      Austrialia is a small principality between Montenegro and Slovenia, famous for its blue cheese and tax havens.

      Bloody Americans know nothing about geography - tourists show up there wanting to meet Mozart.

    2. Re:Where in the world is... by Anonymous Coward · · Score: 0

      I'm more bothered that they violated Canada.

  8. Deleted flag is not deleted. by Anonymous Coward · · Score: 0

    "continued to store personal information of its users even after some of which had deleted or deactivated their account(s)"

    Standard operating procedure.

  9. headline by Anonymous Coward · · Score: 0

    at least spell Australia correctly....

  10. air jordan pas cher 2016 Femme by chenmeija · · Score: 0

    air jordan pas cher. Geoffrey's disclaimer: Today we welcome Yassine, a fashion enthusiast (naturally), who usually posts on personal-development forums where he leads a crusade to convince men to invest at least a minimum in their image (he also does style coaching). He discovered the little Black Dandy shop and tests it for us... The shop: I first came across Black Dandy a few months ago. While scouting Le Marais, I had walked past the shop once without noticing it. It's the kind of low-key boutique that gives this neighbourhood its charm. So I decided to retrace my steps and take a closer look. The shop is tiny (15m2).

  11. Who would have thought .... by Anonymous Coward · · Score: 0

    Who would have thought that a company that makes its profit by encouraging people to cheat on their spouse (consequences be damned) could be such a bunch of irresponsible scumbags?

  12. IP abuse by Anonymous Coward · · Score: 0

    ... the company admits it fabricated.

    This is more than fraud, claiming to offer good security practices when they don't; it's trademark infringement. Why wasn't this stopped, by the owners if not the police? Considering the number of lawyers dealing with other intellectual property abuses, this is inexcusable.

  13. This is surprising! by No+Longer+an+AC · · Score: 1

    Not that Ashley-Madison may have violated privacy laws and that they had poor security and slapped a bogus 'trusted security award' on their site, but that people seem so surprised that they did.

    I suspect almost everything I see on the internet is a lie, but of course that's not right either. Some things can be trusted, but everything you see has to be evaluated on its own merits. How anyone could look at AM and decide they were trustworthy without the least little twinge of doubt is beyond me.

    I think one of the craziest ideas a marketer ever had was to put up ads with a sexy woman pretending to send you a private message saying she only lives 2 miles away from you and she wants to have sex, right now!

    So.....I'm supposed to believe that some horny woman who has never seen me and knows nothing about me other than I visited some porn site knows exactly where I live and not only that she wants me to come over and do whatever I want with her. Yeah, that sounds legit.

    Goddammit, what if it's true and I'm missing out?

    And where did Ashley-Madison advertise on the web? Porn sites.

    For good or for ill most websites actually think my IP address is about 50 miles away from where I actually live. It really would creep me out if it were so trivial to find the physical address of someone else's IP address.

    1. Re:This is surprising! by Farmer+Tim · · Score: 1

      I think one of the craziest ideas a marketer ever had was to put up ads with a sexy woman pretending to send you a private message saying she only lives 2 miles away from you and she wants to have sex, right now!

      The craziest idea being the ads which are essentially the same except with a fat, ugly granny. And I browse for teen-midget-in-clown-costume-on-donkey action, so I have no idea how the tracking cookies dumped me into such a distasteful marketing list...

      --
      Blank until /. makes another boneheaded UI decision.
  14. This just shows by Anonymous Coward · · Score: 0

    that privacy laws are pretty meaningless on their own at deterring companies (especially companies that don't operate in that country) from doing the wrong thing. About the only way they could be called to account would be for their members to launch a class action against them but given the nature of the website I'm guessing there aren't many who are willing to be named in a class action or put their hand up to launch one.

  15. I was on AM by Anonymous Coward · · Score: 0

    I had a lot of doubts about the actual privacy of the system. I wasn't *that* worried about being caught... it would force my hand in an otherwise bad situation. Part of the reason for being there was frustration at nothing changing...

    I met a woman who was 15 miles away from me, who wanted to have sex, and we did have sex. Curly-haired blonde woman whose husband wouldn't touch her after the kids. Her friend was over at her place to make sure I wasn't too crazy, but she left before we got down to business. Genuine cougar.

    It was a surreal experience, and from what I gather of what happened to the site, it was a rare experience. We both had our reasons.

    Of course, coming from an AC, you can believe what you want. But people aren't too willing to share these kinds of experiences because... it's a bit embarrassing, but otherwise awesome. It's a small fetish of mine to be with a woman who's been sexually inactive for years and needs good sex and a confidence boost.

    I wasn't caught up in the leak, the leak didn't seem to contain the data of people who were only on during the first few years of the site. I downloaded the leak and even found the information of people I contacted. I did nothing with it, but it's strange to see real names and email addresses.

  16. Re:Slashdot, fix your data:text/html;base64 ad spa by Coren22 · · Score: 1

    I can't say I have ever seen that issue, are you sure your computer isn't compromised?

    I would suggest running http://housecall.trendmicro.co... to see if it finds anything (if you are using Windows at least). The reason to use that is that it bypasses the viruses that have bypassed your installed virus scanner. You could also use other scanners, but that is a good starting point.

    --
    APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
  17. Re:Slashdot, fix your data:text/html;base64 ad spa by LordKronos · · Score: 1

    1) As I said, it was my android phone in chrome. And I'm pretty certain it isn't compromised. If it were, it would be very interesting because it's only happened 3 times, all this week, and only on slashdot. Slashdot accounts for about 1% of my browsing time, so that's either a very huge coincidence, or a very targeted virus.

    I just posted about it again today, with screenshots:
    https://slashdot.org/comments....

  18. Re:Slashdot, fix your data:text/html;base64 ad spa by LordKronos · · Score: 1

    Thanks for doing some digging. I decoded it and saw the amazon URL, but didn't go any deeper, and I certainly don't have any familiarity with cloudflare's shady hosting.

    I just posted again today. Got the same thing popup on slashdot today. I posted screenshots in that post, showing that chrome still thinks the website is on slashdot (must be some symptom of the "data" url that chrome doesn't realize the page has changed)

    https://slashdot.org/comments....