The Ashley Madison hack: everything you need to know

In 2015, Ashley Madison, adult dating site designed to facilitate discreet, extramarital affairs, reported that its user databases had been leaked, revealing the details of up to 37 million users. An anonymous user filed a class-action lawsuit against the site’s parent company, Avid Life Media, alleging that it had failed to take “necessary and reasonable precautions” to protect its user data. On Friday, the company reached a tentative settlement with potential plaintiffs, to the tune of $11.2 million.

The settlement has to be reviewed by a judge, but if approved, Ruby Corp., formerly known as Avid Life, won’t admit to any wrongdoing, and will compensate individuals who were users of the site at the time of the breach, who “submit valid claims for alleged losses resulting from the data breach and alleged misrepresentations.”

Nearly one year after a security breach resulted in the leak of a massive amount of customer data, Ashley Madison is now being investigated by the US Federal Trade Commission. The company’s new top executives — replacing those who exited after the tumultuous hack — confirmed the inquiry in an interview with Reuters. CEO Rob Segal isn’t exactly sure what the FTC is focusing its probe on, but the leading theory is that it’s tied to the website’s use of “fembots” to artificially balance the male/female ratio. “That’s a part of the ongoing process that we’re going through,” he told Reuters. “It’s with the FTC right now.”

A report commissioned by Ashley Madison parent company Avid Life Media confirmed that the infidelity website impersonated real women with the fembots, which continued to chat up some customers into 2015 — despite claims that the bogus profiles were mostly shut down in 2014.

Over the past week, Ashely Madison says it’s seen “hundreds of thousands” of new sign ups, including almost 87,600 women. That’s surprising for a few reasons, not the least of which being that hackers the other week exposed private information on the site’s existing 37 million users, and you’d expect no one to trust the site after that to properly facilitate discreet affairs. There has also been some talk of Ashley Madison misrepresenting its usage and making it seem like far more women use the site than are actually present, something that it’s clearly seeking to refute with today’s statement.

Of course, when considering the 2.8 million messages sent last week, it’s worth remembering that this could be an anomaly. It isn’t every week that Ashley Madison users are subject to a massive hack that very publicly exposes their presence on the site, and that could have easily driven usage. Likewise, it’s possible that people signing up are doing so out of curiosity or research after the hack — perhaps even to view the profile of someone who they discovered was on it — so there’s a big difference between new signups and active users. Even if Gizmodo’s analysis is off, these figures don’t prove that Ashley Madison is alive and well after the hack, just that it’s still alive.

Noel Biderman, formerly CEO of Ashley Madison parent company Avid Life Media, is stepping down. Avid Life Media released the news in a short statement this morning. “This change is in the best interest of the company and allows us to continue to provide support to our members and dedicated employees,” reads the statement. “We are steadfast in our commitment to our customer base.” Until a new CEO is appointed, Avid Life Media will be run by “the existing senior management team.”

The news comes slightly over a week after hackers posted information from tens of millions of profiles on Ashley Madison, which is aimed at men and women looking for affairs. While damaging in their own right, the leaks indicated bigger problems with the site, particularly that Ashley Madison had charged users for a “full delete” option while keeping their data on file. Internal messages leaked along with the profile data also suggested that Biderman and Avid Life Media’s CTO had considered hacking the competition themselves.

An anonymous Ashley Madison user has filed a potential class action lawsuit against parent company Avid Life Media, alleging that the company failed to take “necessary and reasonable precautions” to prevent hackers from breaching the company’s files and releasing millions of user profiles.

“John Doe,” who filed the suit in a California district court late last week, claims to have signed up for the cheating-focused Ashley Madison dating service in 2012. He’s attempting to file on behalf of any US resident who signed up for the service and had data leaked, accusing Ashley Madison of negligence and inflicting emotional distress among other charges. The suit also includes allegations based on local California laws, including invasion of privacy and violating the state’s rules about customer records.

An internal email conversation from 2012 between Ashley Madison’s CTO Raja Bhatia and Noel Biderman, the CEO of the site’s parent company Avid Life Media, reveals that the duo might have hacked one of their competitors, writes Brian Krebs of Krebs on Security.

“They did a very lousy job building their platform. I got their entire user base,” Bhatia allegedly told Biderman via email. “Also, I can turn any non paying user into a paying user, vice versa, compose messages between users, check unread stats, etc.” While Biderman seemed eager to take advantage of the security hole, replying “Holy moly..I would take the emails...,” Bhatia did an odd about face, saying he wanted to “be able to look [his] son in the eye one day,” writes Motherboard.

“Today I can confirm that Avid Life Media is offering a $500,000 reward to anyone providing information that leads to the identification, arrest, and prosecution of the person or persons responsible for the leak of the Ashley Madison database,” said Evans, according to the BBC. He called the hack “one of the largest data breaches in the world” and “very unique on its own,” due to its scope and the personal nature of the data.

Avid Life Media later confirmed the news in a statement. “As [Toronto Police Services] indicated at today’s press event, the investigation is progressing in a ‘positive direction,’ but more help is needed from the outside,” wrote a spokesperson. “In the very best interest of our customers, who have been affected by this malicious act, we are firmly committed to fully assisting these law enforcement and investigative authorities, without reserve.”

Online criminals aren’t wasting any time taking advantage of this week’s Ashley Madison data dump. Krebs on Security is reporting on one such scheme, noticed by an email provider in Milwaukee that found the following message being spammed to its subscribers:

The scheme doesn’t seem to be working, since no one has transferred any bitcoin into the associated account, but it’s a reminder of the tangible damage done by the attack. The available database makes it easy to send a mass mailing to all the associated emails — and with tens of millions of names in the mix, there are good odds that at least one of them will take the bait.

When a second cache of data from the Ashley Madison hack was published earlier today, reporters rushed to download and sort through the contents, expecting internal data akin to the leak published earlier this week. But now that The Verge has spent some time looking through the data, it appears to be something significantly more innocuous, primarily detailing the backend operations of Avid Life Media’s various web properties.

The bulk of the data is divided between 10 tgz or “tarball” files, along with a 7z mail archive file named for Avid Life Media CEO Noel Biderman.

The hackers behind this week’s leak of Ashley Madison user data may have released more details, this time about the company itself. Motherboard first reported the new data and an accompanying message, which has been confirmed by The Verge. The torrent and message were posted on the same Quantum Magazine Tor site where the initial dump appeared “Hey Noel, you can admit it’s real now,” says a message signed by the hackers — a reference to parent company Avid Life Media’s CEO Noel Biderman.

The new data includes up to 20GB of files, including a one folder titled “noel.biderman.mail,” which could indicate that this release includes internal company messages. The previous leak primarily contained user profiles, including names, preferences, encrypted passwords, and partial credit card numbers. It appears to cover roughly 36 million users, and while Ashley Madison hasn’t explicitly confirmed it’s real, most investigators have concluded that the data is legitimate.

This week, the adultery-themed dating site Ashley Madison was hit with one of the most damaging and personal breaches we’ve seen, as digital attackers released names, emails, and private profiles for as many as 32 million users worldwide. The group behind the breach said their goal was to destroy Ashley Madison’s parent company, Avid Life Media, and they may well succeed. The company is in for an array of damaging and expensive lawsuits, quite possibly enough to drive it into bankruptcy outright. As Casey Newton said yesterday, this is a new kind of breach with a new kind of damage — and that unique damage is going to lead to some uniquely expensive lawsuits.

“Here, unlike most retail breaches, just the fact that one is exposed as a customer of the site is sensitive, confidential, and potentially damaging information,” says Goodwin Procter partner Brenda Sharton, who chairs the firm’s privacy and data security practice.

Infidelity-focused dating service Ashley Madison is reportedly using copyright notices to lower the profile of documents that were leaked by hackers earlier this week. Motherboard journalist Joseph Cox writes that an employee of Avid Life Media, the company behind Ashley Madison, sent a DMCA takedown notice after Cox posted three tweets containing fragments of the leaked material. The notice, according to Cox, also confirms the leaks’ veracity: “Avid owns all intellectual property in the data, which has been stolen from our data center, and disclosed in this unauthorized and unlawful manner.”

On Tuesday, anonymous hackers released what they claimed were 36 million records from Ashley Madison users, containing names, profile information, and partial credit card records. Avid Life Media previously admitted that it had been hacked, but it hasn’t officially said that these records are legitimate. Outside investigations, meanwhile, have indicated that they are.

There are plenty of ways to look up whether your information has been exposed in the Ashley Madison hack — all you need is an email address. And while that alone certainly speaks volumes, email addresses are just a small sliver of the information found in the nearly 10GB data dump (compressed total file size) containing what looks to be over 36 million Ashley Madison accounts and 9 million individual credit card transactions.

The amount of data tied to each account, found across numerous spreadsheets, is as mind-bending as the messy ramifications and may include some (if not all) of the following:

Massive data breaches have become so routine as to become background noise. In the past year, half of American adults had their personal information exposed as a result of hacks, The New York Times reported last month. And yet while every hack produces anguished headlines and hand-wringing, the impact of the data breaches on average people is small. Hackers may gain access to your email address, or your phone number, or an encrypted password. But any financial losses are typically absorbed by your bank. We glance at the headlines, change our passwords, and await the next minor inconvenience.

The apparent release last night of personal information for 32 million registered users of AshleyMadison.com, a website for connecting people who want to have affairs, is likely to have much more profound consequences. Impact Team, the group of anonymous hackers who are taking credit for the breach, sought to have Ashley Madison’s website taken down in protest of the company’s business practices and its encouragement of adultery. But the practical impact of the breach is likely to be much broader. There are a lot of threads here, and it’s worth sorting them out.

Ashley Madison’s hackers have already claimed that the site’s “delete everything” service, which charged its affair-seeking users $19 to remove any trace of their presence on the site, wasn’t entirely effective. And now internal documents leaked as part of the massive breach have shown that the company profited heavily thanks to the disingenuous promise of “full delete.” According to BuzzFeed News, one memo points to Ashley Madison having made $1.7M in incremental revenue in 2014. Ignoring taxes and other potential costs, the numbers indicate nearly 90,000 users turned to the feature in hopes of erasing their entire history and activity on the site.

Data from the hack is now easily searchable, so those people don’t need go far to confirm whether Ashley Madison followed through on permanent account deletion — or if the company instead pocketed the $19 and profited from a false promise. In total, the Ashley Madison data dump covers 36 million accounts. “It was ALM that failed you and lied to you,” the group behind the attack has told Ashley Madison’s users. “Prosecute them and claim damages. Then move on with your life. Learn your lesson and make amends. Embarrassing now, but you’ll get over it.”

Data from the Ashley Madison hack is now available in easily searchable form, after being released to torrent sites last night. Using a form site from cynic.al or Trustify, users can confirm whether specific emails are included in the database.

That confirmation only indicates that an email was entered into the database, and many such accounts may have remained unused after signup. Other sites are also including credit card data, location, and any sexual preferences included as part of the leak. The compromised data only includes emails input before July 11th of this year, so any signups after that date won’t be included. The total dump includes data for 36 million accounts, roughly two-thirds of which have an associated email address.

When casual sex and cheating site Ashley Madison was hacked last month, the perpetrators gained access to personal data for millions of users, and threatened to release it unless parent company Avid Life Media took the site and its sister enterprise Established Men down for good. Now, less than a month after the data was stolen, it has allegedly surfaced online. The records currently available appear to include credit card details, in addition to addresses, phone numbers, and names of users.

The information was first posted on the dark web, before the group behind the attacks — calling itself the Impact Team — announced its release on Reddit earlier this week. A searchable database has been constructed using the information, allowing interested parties to search for people by name or email address, and returning details including their sexual preference, contact details, body type, and fetishes. User passwords are encrypted with the bcrypt algorithm, suggesting that Ashley Madison at least took steps to secure that information while on file, but Robert Graham, CEO of Erratasec, told Wired that “hackers are still likely to be able to ‘crack’ many of these hashes in order to discover the account holder’s original password.”

Late last night, the 37 million users of the adultery-themed dating site Ashley Madison got some very bad news. A group calling itself the Impact Team appears to have compromised all the company’s data, and is threatening to release “all customer records, including profiles with all the customers’ secret sexual fantasies” if Ashley Madison and a sister site are not taken down.

Collecting and retaining user data is the norm in modern web businesses, and while it’s usually invisible, the result for Ashley Madison has been catastrophic. In hindsight, we can point to data that should have been anonymized or connections that should have been less accessible, but the biggest problem is deeper and more universal. If services want to offer genuine privacy, they have to break away from those practices, interrogating every element of their service as a potential security problem. Ashley Madison didn’t do that. The service was engineered and arranged like dozens of other modern web sites — and by following those rules, the company made a breach like this inevitable.

Casual sex and cheating network Ashley Madison has reportedly been hacked, compromising the user databases, financial records, and private details of the service’s owners and 37 million users. Security researcher Brian Krebs first reported the leak last night, which was subsequently confirmed by Noel Biderman, the CEO of Avid Life Media. The company runs Ashley Madison and two other sites for users to arrange sexual liaisons — Cougar Life and Established Men.

“We’re not denying this happened,” Biderman told Krebs, describing the hack as a criminal attack. A hacker or hacker group calling itself The Impact Team claimed to be behind the breach. The team is attempting to hold ALM to ransom with the information it has, threatening to release “all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails,” unless Ashley Madison and Established Men are taken offline in all forms. The other ALM sites, the group said, may stay online.