From Location To Weight, Embarrassing Ashley Madison Customer Data Published By Hacke

August 19th, 2015 by Staff

(www.forbes.com)

If there were any remaining doubts about July’s breach of Ashley Madison, a site encouraging and supporting adultery, they’ve just been blown away by the leak of nearly 10GB of compressed data affecting most of the site’s 37 million users. And the data, now available from a site hosted on the Tor anonymising network, contains all kinds of revealing details, including GPS locations and weights of users.

The Impact Team, a previously-unknown crew of hackers who took responsibility for the attack last month, said in a post accompanying the leak that as Avid Life Media had failed to take down Ashley Madison and its other property Established Men, all customer data would be published. A torrent file was linked on the site, hosted by a Tor-based magazine called Quantum, at least in the case where FORBES found the information.

“We have explained the fraud, deceit, and stupidity of ALM and their members. Now everyone gets to see their data,” the Impact Team statement read.

“Find someone you know in here? Keep in mind the site is a scam with thousands of fake female profiles… 90-95 per cent of actual users are male. Chances are your man signed up on the world’s biggest affair site, but never had one. He just tried to. If that distinction matters.

“Find yourself in here? It was ALM that failed you and lied to you. Prosecute them and claim damages. Then move on with your life. Learn your lesson and make amends. Embarrassing now, but you’ll get over it.”

Early analysis of the information indicates it’s real and revealing. TrustedSec, a security firm co-founded by ex-NSA staffer David Kennedy, said the leak contained an “extensive amount of internal data which looks like the hackers had maintained access to their environment for a long period of time”. Ashley Madison CEO Noel Biderman had originally suspected someone with legitimate access to company systems was responsible.

Ashley Madison breach
Ashley Madison suffered a breach in July when it was asked to close the website. It didn’t and the hackers have now revealed all user data, as well as company files.

Kennedy noted in a blog post that around 33 million usernames, first names, last names and street addresses appeared to have been leaked, alongside company PayPal passwords and internal documents. A separate review of the data by ErrataSec’s Robert Graham indicated as many as 36 million records were leaked, and the dump includes physical details, such as height and weight, as well as GPS coordinates. “I suspect that many people created fake accounts, but with an app that reported their real GPS coordinates,” he said in a blog post. Some credit card data appears to have been leaked, but not full numbers.

Given that the leaked data was compressed to 10GB, the amount of information available will be much larger. “This dump appears to be legit. Very, very legit,” Kennedy added.

There was some good news for victims of the attack, as Ashley Madison protected passwords with a one-way function known as hashing, and did so with a strong algorithm known as bcrypt. “Hackers will be able to ‘crack’ many of these passwords when users chose weak ones, but users who [chose] strong passwords are safe,” Graham noted.

It’s also worth keeping in mind that as Ashley Madison didn’t do validation checks on registration, many of the usernames could well be fake.

Avid Life Media, owner of the site, said it was aware of the dump and was investigating alongside Royal Canadian Mounted Police, the Ontario Provincial Police, the Toronto Police Services and the FBI.

“This event is not an act of hacktivism, it is an act of criminality. It is an illegal action against the individual members of AshleyMadison.com, as well as any freethinking people who choose to engage in fully lawful online activities,” the company said in an online statement.

“The criminal, or criminals, involved in this act have appointed themselves as the moral judge, juror, and executioner, seeing fit to impose a personal notion of virtue on all of society. We will not sit idly by and allow these thieves to force their personal ideology on citizens around the world.

“We know that there are people out there who know one or more of these individuals, and we invite them to come forward. While we are confident that the authorities will identify and prosecute each of them to the fullest extent of the law, we also know there are individuals out there who can help to make this happen faster.”

Regardless of the morals at play here, Ashley Madison has suffered a devastating breach that will likely cause significant grief for the predominantly male user base and, given the apparently lengthy infiltration of its network, for the company itself.

