Casual sex and cheating network Ashley Madison has reportedly been hacked, compromising the user databases, financial records, and private details of the service's owners and 37 million users. Security researcher Brian Krebs first reported the leak last night, which was subsequently confirmed by Noel Biderman, the CEO of Avid Life Media. The company runs Ashley Madison and two other sites for users to arrange sexual liaisons — Cougar Life and Established Men.
"We're not denying this happened," said ALM's CEO
"We're not denying this happened," Biderman told Krebs, describing the hack as a criminal attack. A hacker or hacker group calling itself The Impact Team claimed to be behind the breach. The team is attempting to hold ALM to ransom with the information it has, threatening to release "all customer records, including profiles with all the customers' secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails," unless Ashley Madison and Established Men are taken offline in all forms. The other ALM sites, the group said, may stay online.
The Impact Team presented a moral stance in a lengthy document explaining its actions, hitting out at both ALM's business practices and the people who used the service to have extra-marital affairs. Ashley Madison offers a "full delete" feature by which it offers to scrub your payment and address details from its records for a $19 fee — a fee that The Impact Team says actually pays for nothing. "Full Delete netted ALM $1.7 million in revenue in 2014," the group says in its manifesto. "It's also a complete lie. Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed."
Not that the group offered much sympathy for people who would be exposed. "Too bad for those men," the document reads. "They're cheating dirtbags and deserve no such discretion." The manifesto hit out at "the internet's number one cheating website" Ashley Madison, but was most vehemently against Established Men, which it characterized as "a prostitution / human trafficking website for rich men to pay for sex." Among those the team said would be having "a very bad day" if the information came to light were "many rich and powerful people" in the US and Canada.
The hackers threaten to release data unless two sites are taken offline
ALM published a statement on the leak, in which it tried to deflect blame, saying that it was "only the latest among many companies to have been attacked, despite investing in the latest privacy and security technologies." Biderman told Krebs it was "working diligently and feverishly" to stamp out the dissemination of information, shutting down the original locations at which it was shared. Biderman said that rather than a random outsider targeting his company, the investigation points to someone who had at one point "touched [ALM's] technical services," suggesting that a former employee or contractor may have had a hand in the leak. As of Monday morning, ALM said it had removed all posts related to the incident from its site, as well as all personally identifiable information about its users.
The documents stolen by the hackers showed that ALM's tech staff lived in fear of a breach. Trevor Stokes, the company's chief technology officer noted that "security" was his answer to the question "in what area would you hate to see something go wrong?" In May, The Wall Street Journal reported that ALM had planned to go public this summer with an IPO, hoping to raise $200 million in investment — a plan to which this news will be a blow.
Ashley Madison isn't the first hook-up service to be held to ransom for stolen information. Earlier this year, similar service Adult FriendFinder was hacked, revealing the personal details and sexual preferences of 3.5 million people. Where ALM's hackers are at least trying to present a moralistic front, AFF's hacker — who went by the pseudonym ROR[RG] — simply hoped to make money from the data, threatening to release it all unless he was paid $100,000.
Update, July 20th, 8:25AM: Updated to add that ALM had removed the personal information of its users and all posts related to the incident from its site.
Verge Video: The future of sex