Hackers calling themselves ‘The Impact Team’ (TIT) have carried out their threat to release the hacked data from the adult dating site Ashley Madison (AM), which uses the slogan: “Life is short. Have an affair“. AM is part of Canadian company Avid Life Media (ALM), which specialises in websites offering married users opportunities to hook up with similarly attached people. Other associated ALM sites include Cougar Life and Established Men.
The anxiety and awkward silences experienced by a number of married couples world-wide in mid-July have now translated into full on denial on one hand, and suspicion on the other. The press has reported on many high profile individuals who categorically state that their email addresses were used without their knowledge to create fake online profiles. Many addresses are associated with government, education or large corporations such as Amazon and Sony. What seems to be emerging is that some (many?) addresses and fantasies have been posted by third parties to cause embarrassment or just as a joke which has now backfired.
In July TIT initially released a mere 40MB of data, including credit card details and some company information on ALM. Since ALM did not give in to TIT’s demands to take down both AM and Established Men, on 18 August 2015 TIT released personal data such as email addresses, usernames, limited credit card details, and embarrassing profile information for over 37.5 million AM users. They express no sympathy for the users of the site saying they deserved any discomfort.
In a recent statement which was initially only available to those people with access to dark web via the Tor browser, they said that ALM had failed to take down their sites and ‘we have explained the fraud, deceit, and stupidity…Now everyone gets to see their data.’ They go on, ‘Find yourself in here? It was ALM that failed you and lied to you. Prosecute them and claim damages. Then move on with your life. Learn your lesson and make amends. Embarrassing now, but you’ll get over it’. Their continued stated motive is morality but it still seems like blackmail.
Though the data was originally only available on the dark web via Tor, after release, it was rapidly disseminated on sites such as 4chan. It quickly became available to anyone despite ALM’s efforts to limit access. There are a number of websites where you can check your email address(es) – or indeed anyone else’s – to see if it is amongst the hacked data. One private detective site has been capitalising on this and you can directly announce to Facebook or Twitter via their site whether you have been compromised or not.
Further information has been released over the last 24 hours, as of 21 August 2015. TIT wanted to refute the claims that the data was fake, so they have released ALM source code and files containing emails from CEO Noel Biderman. No further user information has been leaked. Their statement simply says, ‘Hey Noel, you can admit it’s real now’. However there seems to be a problem with the email files so they may be corrupted. The release of every version of the company’s source code is more problematic. If this is freely available, there is the potential for ALM system vulnerabilities to be exploited.
Whatever the outcome of this data dump on people’s personal lives, there are other more troubling issues. It should go without saying that companies offering any kind of online service have a duty to ensure their data is fully secure, and where necessary get expert help. However the hackers’ employment of the so-called dark web to communicate their criminal acts is the most interesting aspect of this case. Due to the dark web’s labyrinthine set up, the perpetrators will easily remain untraceable and unaccountable for their actions, and it is this that should encourage every Chief Information Office and Information Commissioner’s Office to be vigilant. Prevention is better than the very uncomfortable alternative.
Rhory Robertson is a Partner and Clare Brown Library and Information Manager, working in the Collyer Bristow Cyber Investigations Unit.