UPDATE: Hackers have released the data, including names and addresses of the members.
Large dumps of stolen customer data have been posted online by an individual or a group claiming to have entirely compromised the dating website Ashley Madison’s user database. The stolen data includes financial records, membership details, and other information which could potentially put 37 million users’ information at risk.
Renowned security expert Brian Krebs reports that large caches of stolen data have been posted online by an unknown individual or group that claims to have hacked AshleyMadison.com, a popular personals and dating website. The news was first reported by Krebs on his website, KrebsOnSecurity.
Details are scarce at the moment, but the breach is likely to be embarrassing for the company which has nearly 37 million users and their records in their compromised databases.
Yet another database hack
Avid Life Media (ALM), a Toronto-based Canadian firm that owns AshleyMadison and other singles meeting sites, such as Cougar Life and Established Men, is the victim of the cyberattack, with sensitive internal data being stolen by a hacker or a group of hackers calling themselves “the Impact Team.”
The dump included:
- Random account data from over 40 million users across the three websites owned by ALM
- Maps and framework of the company’s internal servers
- Employee account information
- The company’s bank account data
- Salary information of employees
ALM Chief Executive, Noel Biderman, confirmed the hack late Sunday evening and added that the Canadian company is “working diligently and feverishly” to completely take down ALM’s intellectual property revealed in the data dump, in an interview to Krebs. The security researcher confirmed this by adding that many of the Impact Team’s web links via the dump were no longer working, due to the quick efforts of ALM using Digital Forensics, presumably.
“We’re not denying this happened,” ALM CEO Biderman said. “Like us or not, this is still a criminal act.”
The Impact Team posted a manifesto along with the stolen ALM data, claiming that it published the information to expose the alleged lies ALM told its customers about a “full delete” service which completely erases users’ profile information for a one-time fee of $19.
The “full delete” feature by Ashley Madison promises the “removal of site usage history and personally identifiable information from the site.” The hacking group claims that this is not true, claiming user’s details including their real name and physical addresses aren’t completely removed without any trace.
“Full Delete netted ALM $1.7 mil. in revenue in 2014. It’s also a complete lie,” the hacking group wrote in a lengthy manifesto. “Users almost always pay with a credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.”
The hackers also demand that ALM completely shut down Ashley Madison and Established Men.
CEO Biderman suggested that the hack may be the work of someone with insider access to the company’s networks.
“We’re on the doorstep of [confirming] who we believe is the culprit, and, unfortunately, that may have triggered this mass publication,” Biderman said.
We’ll keep you updated on this developing story.