Ashley Madison

Date: 2015-07-01

Compromised user accoutns: 36M

Ashley Madison, billed as an extramarital affairs service, got comprehensibly compromised.

A Canadian company Avid Life Media was running a dating site for married people. All the company data was leaked to public, including the production database, internal emails, discussions and marketing memos.

“In July 2015, a group calling itself “The Impact Team” stole the user data of Ashley Madison, a commercial website billed as enabling extramarital affairs. The group copied personal information about the site’s user base, and threatened to release users’ names and personally identifying information if Ashley Madison was not immediately shut down. On 18 and 20 August, the group leaked more than 25 gigabytes of company data, including user details.” (Wikipedia)

“Because of the site’s policy of not deleting users’ personal information – including real names, home addresses, search history and credit card transaction records – many users feared being publicly shamed.” (Wikipedia)

As the writing of this it is not yet public information how the compromise happened. A black hat hacker group called “The Impact Team” distributed the data dumps. What is missing is that how the group get their hands on the data in the first place. However the extend of the data dump, including marketing documents, C-executive emails and and PayPal accounts suggest that this was either an inside job or the hackers spend a lot of time in the Avid Media internal network. The CEO of Avid Life Media says the breach was by an insider who was not an employee, but the claim has not been publicly confirmed.

The incident exposes some frivolous business practices of Avid Media, like very high generated fake and bot profile ratio.

After the incident, men who were members on the site started to receive blackmail threats for exposing the affairs to their spouses unless the blackmailer is paid in Bitcoin.

Related evaluation points: