Ashley Madison data breach
In July 2015, an unknown group hacked the user data of Ashley Madison, a commercial website for people seeking extramarital affairs. The hackers, who called themselves "The Impact Team", claimed to have stolen personal information about the site's user base, and threatened to release users' names and personally identifying information if Ashley Madison was not immediately shut down. On August 18 and August 20, the group leaked more than 25 gigabytes of company data, including user details.
Because of the site's policy of not deleting users' personal information – including real names, home addresses, search history and credit card transaction records – many users feared being publicly shamed.[1]
Timeline of data breach
The Impact Team announced the attack on July 15, 2015, and threatened to expose the identities of Ashley Madison's users if its parent company, Avid Life Media, did not shut down Ashley Madison and its sister site, "Established Men".[2]
On July 20, 2015, the website put up three statements under its "Media" section addressing the breach. The website's normally busy Twitter account fell silent apart from posting the press statements.[3] One statement read: "At this time, we have been able to secure our sites, and close the unauthorized access points. We are working with law enforcement agencies, which are investigating this criminal act. Any and all parties responsible for this act of cyber–terrorism will be held responsible. Using the Digital Millennium Copyright Act (DMCA), our team has now successfully removed the posts related to this incident as well as all Personally Identifiable Information (PII) about our users published online."[4] The site also offered to waive the account deletion charge.
On July 21, it was reported that hackers claimed to have released 2,500 customer records, although Ashley Madison spokespeople denied this, and stated only two names were released.[5]
On August 18, the hacker group posted the raw data on a Dark Web site only accessible via the hidden (or "Onion") services of the anonymity network Tor,[6] with a message and link to a compressed BitTorrent file containing nearly 10 gigabytes of data. Uncompressed, it amounts to at least 60 gigabytes of data. Experts confirmed the validity of the information released,[7] and the data release was cryptographically signed[8] with a PGP key.[9] In its message, the group blamed Avid Life Media, accusing the company of deceptive practices: "We have explained the fraud, deceit, and stupidity of ALM and their members. Now everyone gets to see their data ... Too bad for ALM, you promised secrecy but didn't deliver."[10]
In response, Ashley Madison posted a message on its website stating that the company was working with authorities to investigate. The company also condemned the hackers, stating they were not "hacktivists" but criminals: "It is an illegal action against the individual members of AshleyMadison.com, as well as any freethinking people who choose to engage in fully lawful online activities. The criminal, or criminals, involved in this act have appointed themselves as the moral judge, juror, and executioner, seeing fit to impose a personal notion of virtue on all of society. We will not sit idly by and allow these thieves to force their personal ideology on citizens around the world."[11]
A second, larger data dump occurred on August 20, 2015, the largest file of which comprised 12.7 gigabytes of corporate emails, including those of Noel Biderman, the CEO of Avid Life Media.[12]
Passwords
Analysis of passwords used on the site showed that "123456" and "password" were the most commonly used passwords.[13]
Ethics of leak and reporting
Ashley Madison did not require email verification to create a profile, meaning that people often created profiles with fake email addresses, and people with similar names sometimes mistyped their email address, setting up accounts under the wrong address. The company required the owner of the email account to pay money to delete the profile, preventing people who had accounts set up without their consent (as a workplace prank or because of a mistyped email) from deleting them without paying.[14] Hackers allege that Avid Life Media received $1.7 million a year from people paying to shut down user profiles created on the site, which included profiles created as a prank. The company falsely asserted that paying them would "fully delete" the profiles, which the hack proved was untrue.[14]
Following the hack, communities of Internet vigilantes began combing through the data to find famous individuals to publicly humiliate.[15] France24 reported that 1,200 Saudi Arabian .sa email addresses were in the leaked database, and in Saudi Arabia adultery can be punished with death.[16] Several thousand U.S. .mil and .gov email addresses were registered on the site.[17][18][19] In the days following the breach, extortionists began targeting people whose details were included in the leak, attempting to scam over US$200 worth of Bitcoin from them.[20][21][22] One company started offering a "search engine" where people could type email addresses of colleagues or their spouse into the website, and if the email address was in the leaked database, then the company would send them letters threatening that their details were to be exposed unless they paid money to the company.[23][24]
A variety of security researchers and Internet privacy activists debated the media ethics of journalists reporting on the specifics of the data, such as the names of users revealed to be members.[15][25][26][27] A number of commentators compared the hack to the loss of privacy during the 2014 celebrity photo hack.[28][29]
Clinical psychologists argued that dealing with an affair in a particularly public way increases the hurt for spouses and children.[30] Carolyn Gregoire argued that "Social media has created an aggressive culture of public shaming in which individuals take it upon themselves to inflict psychological damage" and that more often than not, "the punishment goes beyond the scope of the crime."[30] Graham Cluley argued that the psychological consequences for people shamed could be immense, and that it would be possible for some to be bullied into suicide.[31]
Suicides
On August 24, 2015, Toronto police announced that two unconfirmed suicides had been linked to the data breach, in addition to "reports of hate crimes connected to the hack."[32][33] Unconfirmed reports say a man in the U.S. died by suicide.[23]
Notable public figures identified
After Gawker posted images linking a credit card with Josh Duggar, made famous by the reality television series 19 Kids and Counting, he and his parents released a statement in which Josh admitted to watching pornography on the Internet and being unfaithful to his wife. According to the material obtained in the data breach, Duggar paid $986.76 for two Ashley Madison subscriptions starting in February 2013, which were cancelled in May 2015 shortly after previous molestation allegations against Duggar had surfaced.[34]
Hamza Tzortzis, a conservative Islamic preacher who promoted iERA, was allegedly on the list, but Tzortzis has denied that the account belonged to him, and filed a formal complaint with the police over an alleged hack of his bank details.[35]
Lawsuit
The organization behind Ashley Madison faces a $576m class-action lawsuit from users whose details were leaked. Two Canadian firms – Charney Lawyers and Sutts, Strosberg LLP – are bringing the action against site owners Avid Dating Life and Avid Media.[36]
References
- ^ Thomsen, Simon (20 Jul 2015). "Extramarital affair website Ashley Madison has been hacked and attackers are threatening to leak data online". Business Insider. Retrieved 21 Jul 2015.
- ^ "Online Cheating Site AshleyMadison Hacked". krebsonsecurity.com. July 15, 2015. Retrieved July 20, 2015.
- ^ "Ashley Madison". twitter.com. Retrieved 20 August 2015.
- ^ "STATEMENT FROM AVID LIFE MEDIA, INC". Ashley Madison. 20 July 2015. Retrieved 22 July 2015.
- ^ Alex Hern. "Ashley Madison customer service in meltdown as site battles hack fallout". The Guardian.
- ^ Alex Hern. "Ashley Madison hack: your questions answered". The Guardian.
- ^ "Ashley Madison condemns attack as experts say hacked database is real". The Guardian. 19 August 2015. Retrieved 19 August 2015.
- ^ "No, You Can't Hire A Hacker To Erase You From The Ashley Madison Leak". Fast Company.
- ^ Include Security. "Include Security Blog - As the ROT13 turns....: A light-weight forensic analysis of the AshleyMadison Hack". includesecurity.com.
- ^ "Hackers Finally Post Stolen Ashley Madison Data". WIRED. 18 August 2015. Retrieved 19 August 2015.
- ^ "Statement from Avid Life Media Inc. – August 18, 2015". Ashley Madison. August 18, 2015. Retrieved August 19, 2015.
- ^ Jose Pagliery (20 August 2015). "Hackers expose Ashley Madison CEO's emails". CNNMoney.
- ^ Include Security. "Include Security Blog - As the ROT13 turns....: A light-weight forensic analysis of the AshleyMadison Hack". includesecurity.com. Retrieved 20 August 2015.
- ^ a b "Some Dude Created an Ashley Madison Account Linked to My Gmail, and All I Got Was This Lousy Extortion Screen". The Intercept. Retrieved 24 August 2015.
- ^ a b "Early Notes on the Ashley Madison Hack". The Awl. Retrieved 20 August 2015.
- ^ "Americas - The global fallout of the Ashley Madison hack". France 24. Retrieved 24 August 2015.
- ^ Thomas Gibbons-Neff (19 August 2015). "Thousands of .mil addresses potentially leaked in Ashley Madison hack". Washington Post.
- ^ "Report: Hack of Adultery Site Ashley Madison Exposed Military Emails". Military.com.
- ^ Philip Ewing (20 August 2015). "Pentagon investigating whether troops used cheating website". POLITICO.
- ^ Brian Krebs (21 Aug 2015). "Extortionists Target Ashley Madison Users". Krebs on security.
- ^ "Extortion begins for Ashley Madison hack victims". TheHill. Retrieved 24 August 2015.
- ^ "Ashley Madison users now facing extortion". FOX2now.com. Retrieved 24 August 2015.
- ^ a b "Ashley Madison spam starts, as leak linked to first suicide". theregister.co.uk.
- ^ "The Ashley Madison files – are people really this stupid?". theregister.co.uk.
- ^ "In the wake of Ashley Madison, towards a journalism ethics of using hacked documents". Online Journalism Blog. Retrieved 20 August 2015.
- ^ "Ashley Madison hack: The ethics of naming users - Fortune". Fortune. Retrieved 20 August 2015.
- ^ "Jon Ronson And Public Shaming". onthemedia.
- ^ "Ashley Madison hack: The depressing rise of the 'moral' hacker". Telegraph.co.uk. 20 August 2015.
- ^ "As our own privacy becomes easier to invade, are we losing our taste for celebrity sleaze?". newstatesman.com.
- ^ a b "Ashley Madison Hack Could Have A Devastating Psychological Fallout". The Huffington Post. 20 August 2015.
- ^ "The Ashley Madison hack - further thoughts on its aftermath". Graham Cluley.
- ^ "Ashley Madison hack: 2 unconfirmed suicides linked to breach, Toronto police say". CBC. 24 August 2015. Retrieved 24 August 2015.
- ^ "Suicide and Ashley Madison". Graham Cluley.
- ^ "'19 Kids And Counting' Star Josh Duggar Admits He Was Unfaithful To Wife Anna After Ashley Madison Leak". International Business Times. Archived from the original on 20 August 2015. Retrieved 20 August 2015.
- ^ "Ashley Madison Hack: Islamic preacher Hamza Tzortzis 'found' on leaked list". Yahoo News UK. 23 August 2015.
- ^ "Ashley Madison faces huge class-action lawsuit". BBC News. Retrieved 24 August 2015.