Ashley Madison: Hackers Dump Stolen Dating Site Data
Details for 30 Million Subscribers Dumped to Dark Web
The attackers behind the July hack of pro-adultery dating site Ashley Madison - tagline: "Life is short, have an affair" - have followed through on their threat to release details about many of its 37 million members, by publishing nearly 10 GB of stolen data to the dark web (see Pro-Adultery Dating Site Hacked).
The hacker or group - calling itself "The Impact Team" - had threatened to release "all customer information databases, source code repositories, financial records, emails" tied to Ashley Madison, unless parent company Avid Life Media shut down the site, as well as two of its other sites - Established Men, which promises to connect "young, beautiful women with successful men"; and CougarLife.com, which caters to older, more career-oriented women who seek younger men (see Ashley Madison Breach: 6 Lessons). As an incentive, the attackers had also released leaked excerpts of stolen material, including some customers' details.
At the time, Avid Life Media confirmed that it had been hacked, and that it was investigating the data breach with the help of law enforcement agencies.
Now, one month later, the attackers have broken the silence they had kept since the attack, with an Aug. 18 "time's up!" statement that was originally released to the dark web, meaning it could only be accessed by using the Tor browser. "Avid Life Media has failed to take down Ashley Madison and Established Men. We have explained the fraud, deceit, and stupidity of ALM and their members. Now everyone gets to see their data," Impact Team says in the release. "Find yourself in here? It was ALM that failed you and lied to you. Prosecute them and claim damages. Then move on with your life. Learn your lesson and make amends. Embarrassing now, but you'll get over it."
The Impact Team also released a BitTorrent tracker file for a compressed, 9.7 GB file, which appears to contain usernames, and the last four digits of credit card numbers, as well as cardholders' names and addresses, for tens of millions of Ashley Madison users, Wired first reported. Other experts reviewing the dumped data say that it appears to contain passwords for Ashley Madison's Windows domain, PayPal account information for the company's executives, as well as the customer information.
Hackers Call Time
"It appears legit," security researcher Robert David Graham, who heads Errata Security, says in a blog post. "I asked my Twitter followers for those who had created accounts. I have verified multiple users of the site, one of which was a throw-away account used only on the site. Assuming my followers aren't lying, this means the dump is confirmed." He says the leaked information includes full names, email addresses, password hashes and dating information such as height and weight, as well as postal addresses and even GPS coordinates.
Avid Life Media, in a statement, confirmed that it had "now learned that the individual or individuals responsible for this attack claim to have released more of the stolen data," and condemned the data dump as "an act of criminality." The company says it's continuing to work with Canadian law enforcement agencies - and the U.S. FBI - to investigate the attack.
"This event is not an act of hacktivism, it is an act of criminality. It is an illegal action against the individual members of AshleyMadison.com, as well as any freethinking people who choose to engage in fully lawful online activities," the company says in its statement. "The criminal, or criminals, involved in this act have appointed themselves as the moral judge, juror, and executioner, seeing fit to impose a personal notion of virtue on all of society. We will not sit idly by and allow these thieves to force their personal ideology on citizens around the world."
Good News: Bcrypt Password Security
One upside for Ashley Madison users, University of Surrey information security expert Alan Woodward tells the BBC, is that Avid Life Media appears to have used the bcrypt password hashing algorithm, which, when used correctly, produces password hashes that are very difficult to crack. "Bcrypt is one of the more modern ways to make it harder for people to reverse engineer passwords - it's not impossible, but it would take a hacker much longer to work out what they are," Woodward says.
Graham likewise lauds Avid Life Media for taking password security seriously. "Most of the time when we see big sites hacked, the passwords are protected either poorly - with MD5 - or not at all - in 'clear text,' so that they can be immediately used to hack people," he says. "Hackers will be able to 'crack' many of these passwords when users chose weak ones, but users who chose strong passwords are safe."
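The two properties Woodward and Graham describe, a salt and a tunable work factor, can be measured directly. This is an added example, not code from Avid Life Media or from either researcher; bcrypt is not in Python's standard library, so PBKDF2-HMAC-SHA256 from hashlib stands in for a salted, tunable-cost hash and is contrasted with unsalted MD5. The user records are constructed.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed sample: two users who happened to choose the same weak password.
USERS = {"alice": "password1", "bob": "password1"}


def md5_store(password: str) -> str:
    """The weak scheme Graham criticises: unsalted, single-pass MD5."""
    return hashlib.md5(password.encode()).hexdigest()


def slow_store(password: str, salt: Optional[bytes] = None, cost: int = 200_000) -> dict:
    """Salted, tunable-cost hash. PBKDF2-HMAC-SHA256 stands in for bcrypt here
    (assumption for this example); 'cost' plays the role of bcrypt's work factor."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cost)
    return {"salt": salt.hex(), "cost": cost, "hash": dk.hex()}


def slow_verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(record["salt"]), record["cost"])
    return hmac.compare_digest(dk.hex(), record["hash"])


def same_password_collides(store) -> bool:
    """True if two users sharing a password get identical stored values.
    Unsalted MD5 reveals that to anyone holding the dump; a salted hash does not."""
    first, second = (store(p) for p in USERS.values())
    return first == second


def per_guess_cost_ratio(cost: int = 200_000) -> float:
    """How many times more work one guess costs against the slow hash than
    against MD5: the 'much longer' Woodward describes, measured on this machine."""
    t0 = time.perf_counter()
    for _ in range(1000):
        md5_store("password1")
    md5_per_guess = (time.perf_counter() - t0) / 1000
    t0 = time.perf_counter()
    slow_store("password1", salt=b"\x00" * 16, cost=cost)
    return (time.perf_counter() - t0) / max(md5_per_guess, 1e-9)


if __name__ == "__main__":
    rec = slow_store("correct horse battery staple")
    print(slow_verify("correct horse battery staple", rec), slow_verify("wrong", rec))
    print(same_password_collides(md5_store), same_password_collides(slow_store))
    print(f"per-guess cost ratio: {per_guess_cost_ratio():.0f}x")
```

The ratio is the defender's lever: raising the cost slows every guess for an attacker holding the dump, while a weak password still falls after proportionally few guesses, which is exactly Graham's caveat.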
Bad News: Unencrypted Email Addresses
But the email addresses contained in the dump are unencrypted, and will now put the owners of those email addresses at risk of being targeted by phishers and spammers - or even blackmailers. All told, developer and security expert Troy Hunt says he's cataloged 30,636,380 unique email addresses in the attackers' dump. He's now adding those to his free Have I Been Pwned? service, which allows people to receive notifications if their email addresses show up in attackers' online dumps.
But in the wake of the Ashley Madison breach, given the potential sensitivity of the information, Hunt says in a blog post he's made some privacy-related changes. "Due to the Ashley Madison event, I've introduced the concept of a 'sensitive' breach - that is a breach that contains, well, sensitive data. Sensitive data will not be searchable via anonymous users on the public site, nor will there be indication that a user has appeared in a sensitive breach because it would obviously imply AM, at least until there were multiple sensitive breaches in the system. Sensitive breaches will still be shown on the list of pwned sites and flagged accordingly."
The Ashley Madison data WILL NOT be publicly searchable on @haveibeenpwned, it'll only go to verified subscribers: https://t.co/OfwPk6L9x7 - Troy Hunt (@troyhunt) August 19, 2015
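The "sensitive breach" policy Hunt describes has three parts: the breach still appears, flagged, in the public list of pwned sites; anonymous searches never return it; and only someone who has proven control of an address sees that address's sensitive results. The model below is an added example of that policy, not Have I Been Pwned's code; the breach catalogue, addresses and the HMAC-based verification token are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

# Constructed catalogue: each breach carries the 'sensitive' flag the post describes.
BREACHES = {
    "ExampleForum": {"sensitive": False, "emails": {"jane@example.net", "bob@example.org"}},
    "ExampleDatingSite": {"sensitive": True, "emails": {"jane@example.net"}},
}


class BreachService:
    """Anonymous lookups omit sensitive breaches; a verified owner querying
    their own address sees everything; the public site list flags them."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)   # server-side secret for tokens
        self._verified = set()                # addresses whose owners confirmed

    def breach_list(self) -> List[Tuple[str, bool]]:
        """Public list of pwned sites: sensitive breaches still appear, flagged."""
        return sorted((name, info["sensitive"]) for name, info in BREACHES.items())

    def issue_token(self, email: str) -> str:
        """Token the service would mail to the address; only the inbox owner can echo it."""
        return hmac.new(self._key, email.lower().encode(), hashlib.sha256).hexdigest()

    def confirm(self, email: str, token: str) -> bool:
        """Mark the address verified if the echoed token is genuine."""
        ok = hmac.compare_digest(token, self.issue_token(email))
        if ok:
            self._verified.add(email.lower())
        return ok

    def lookup(self, email: str, session_email: Optional[str] = None) -> List[str]:
        """session_email is the address the caller has authenticated as. Sensitive
        results are released only when it matches the queried address and that
        address is verified; any other caller is treated as anonymous."""
        email = email.lower()
        owner = (session_email is not None and session_email.lower() == email
                 and email in self._verified)
        return sorted(name for name, info in BREACHES.items()
                      if email in info["emails"] and (owner or not info["sensitive"]))


if __name__ == "__main__":
    svc = BreachService()
    print(svc.lookup("jane@example.net"))                      # anonymous: forum only
    svc.confirm("jane@example.net", svc.issue_token("jane@example.net"))
    print(svc.lookup("jane@example.net", "jane@example.net"))  # owner: both breaches
```

The binding of the verified state to the specific address is the important part: being a verified user of the service does not let you query other people's addresses for sensitive breaches.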
Dumped Emails, Domain Information
The Ashley Madison breach is a reminder that no site's security is foolproof, even if that site bills itself as "the world's leading married dating service for discreet encounters." Yet one analysis of the leaked email addresses posted to text-sharing website Pastebin found that 1,500 of the leaked addresses are from U.S. .gov and .mil domains, including nearly 7,000 U.S. Army email addresses, followed by 1,665 U.S. Navy emails, and 809 Marine Corps.
"What are people thinking when they register to an [infidelity] website using their work email address?" says Mikko Hypponen, chief research officer at security firm F-Secure, via Twitter.
But as many information security experts have noted, just because an email address is contained in the data dump, that does not mean the legitimate owner of that email address created the account. Notably, one of the leaked email addresses appears to belong to former U.K. Prime Minister Tony Blair.
The contents of the data dump are the subject of furious discussion on the anarchic 8chan message board, with one Reddit user reporting that "8chan has already started picking out high profile bankers and sending emails to their wives."
The information security spoof account "Swift on Security" was quick to seize on the potential for blackmail, as well as manufacturing plausible deniability.
For 90 Bitcoin I will tell your wife I created your Ashley Madison profile because I'm obsessed and I wanted you to break up. - Securitay (@SwiftOnSecurity) July 20, 2015