Karma Watch: Ashley Madison

A year ago, a massive breach had a profound impact on the lives of registered users of Ashley Madison, a “dating” site for married people, and nearly killed a thriving

A year ago, a massive breach had a profound impact on the lives of registered users of Ashley Madison, a “dating” site for married people, and nearly killed a thriving yet controversial business.

Ashley Madison users are still target for cybercroocks

The Ashley Madison hackers, a previously unknown group calling itself the Impact Team, exposed more than 37 million user records from 40 countries, as well as the website’s source code and internal corporate correspondence among the company’s top management. Because of the nature of the site — users were married people looking to meet other married people for extramarital affairs — this event dramatically changed many lives and enabled cybercriminals to engage in all kinds of predatory behavior against the victims of the hack.

“They had it coming”

Hackers normally steal data to resell on the Darkweb, but the culprits behind the Ashley Madison hack appeared to be out for justice, not money.

To kick off the party, Impact Team sent a note to the management team at Avid Life Media, Ashley Madison’s parent company. The note informed Avid Life that the group had hacked the company’s infrastructure, and it demanded Avid Life Media take down three of its dating websites. Failure to do so would result in their customers’ records being exposed publicly. The company refused, and 30 days later, the blackmailers carried out their threat.

As soon as that happened, subscribers started to panic, not so much fearing the compromise of their credit cards as frantic over the exposure of love affairs and private photos. Researchers, meanwhile, put themselves to work and started to analyze the website’s source code, quickly uncovering a number of ciruous findings.

First, Ashley Madison’s source code contained a number of vulnerabilities, which allowed hackers to move around the website’s infrastructure as soon as they found the point of entry. Second, the analysis showed the site’s lax requirements for passwords: Passwords had to include from 5 to 8 characters, with only two types of characters supported.

Avid Life Media and its customers had to reckon with the consequences of the large-scale breach — which, because of the nature of Ashley Madison’s service, felt rather harsher than the fallout from breaches of other, more popular, services.

Company losses: stained reputation, broken dreams

In general, the public’s reaction to the breach was barely suppressed cackles of glee. Many saw the breach as “instant karma” for the company – after all, Avid Life Media’s business model was built on infidelity and lies. After the data, including confidential corporate information, was leaked, researchers analyzed it — and then it was users’ turn to get furious.

The research showed that Ashley Madison’s brand promise, which helped the service built its extensive customer base of tens of millions of people, was a plain lie. Among its other features aimed at making users feel comfortable about the discretion of the site, Ashley Madison actively marketed its “full delete” option, which sold users the ability to erase their profile completely and permanently — a service for which the site charged as much as $19. The feature brought Ashley Madison more than $1.7 million annually.

However, the service deleted profile data only. It kept the payment data on file; thus, customers’ real names, billing addresses, and credit card data remained on the company’s servers. Even if a person used a pseudonym to register, their real name was in the system, indelible.

Some more digging yielded another interesting tidbit: The majority of Ashley Madison’s flirtatious women were really chatbots whose sole purpose was to lure newcomers checking out the service into conversation and get them to pay money to continue the conversation. The chatbots were no innocent mistake: The deception was intentional, and it involved a great deal of coding and even some analysis of customers’ preferences: For example, some were matched with “women” seeming to be of the same ethnicity.

Ultimately, Avid Life Media was helpless before unknown and relentless hackers, and that cost the company a lot. The company had an IPO scheduled for just a few months after the hack, but when all hell broke loose, an IPO became pointless; there was no chance of raising the previously anticipated $200 million on initial stock purchase. Instead, Avid Life Media was facing lawsuits, audits, and the resignation of CEO Noel Biderman.

The incident forced Ashley Madison to completely revamp its brand: A year after the breach, Ashley Madison has changed its primary offering and rebranded. Gone is the provocative slogan “Life is short. Have an affair.” Now, visitors to the site will see a slogan that could appear on any dating site: “Life is short. Find your moment.” The service abandoned its image as an infidelity website and now positions itself as “the best place to find real, discreet relationships with open-minded adults.”

User punishment: divorce, shame, despair

While Avid Life Media desperately tried to mitigate the effect of the breach, offering a $500,000 bounty for any viable information on the hackers, users could only brace themselves for tough times. In the weeks following the breach, Avid Life Media’s customer service stopped responding with anything of substance to thousands of horrified requests, leaving its users completely on their own.

Countless marriages were on the brink of divorce, and victims were terrified to open up to their partners, which in some cases led them to uneasy and even tragic decisions.

Meanwhile, online advocates for moralily and marital fidelity continued to blast the site’s members mercilessly. An Australian radio DJ told a woman on the air that her husband was registered on Ashley Madison, and a Georgia newspaper printed all of the leaked names.

The impending threat hung over thousands of military officers, clergy, celebrities, politicians, and other public figures. Exposure would mean major damage to their reputations.

Some media reports stated that many military officers or government agency employees used their work e-mail addresses to sign up with Ashley Madison. Although the reports were not confirmed, the rumors cast a shadow over many high-profile institutions, including the UK Prime Minister’s office.

Criminal opportunities: extortion, spam, phishing

The criminals behind the hack were not the usual suspects, stealing credentials for money. But once the Impact Team opened the door, other cybergangs wasted no time.

First, the affected users were easy targets for credit card scams. Although most Ashley Madison users registered under a false name, they had to disclose their real identity when it came time to pay. The leaked database did not seem to include full credit card details, but in some cases, criminals were able to use the last four digits to obtain the full credit card number. And with that, they could steal money from bank accounts or make purchases online.

But in the case of Ashley Madison, credit card scams were not the only way to take advantage of the user data. With private data in hand, blackmailers got in touch with victims and threated to tell their families or employers about their affairs or share highly personal photos and correspondence with victims’ Facebook friends or LinkedIn connections. Facing intolerable disclosure, some victims paid the ransom without any proof that the extortionists would then leave them alone. However, reporting the blackmailers to the police seemed an impossible route.

Such schemes are still going on. One New Jersey subscriber recently shared his Ashley Madison story on condition of anonymity. “Mr. Smith,” who is divorced, registered on Ashley Madison under his real name and using his credit card. After a short while, he got a letter from blackmailers who claimed they had his private correspondence, bank data, and so on.

We have access to your Facebook page as well. If you would like to prevent me from sharing this dirt info with all of your friends, family members, spouse, then you need to send exactly 5 bitcoins (BTC) to the following BTC address…The time ends on the next 24 hours,” the e-mail said. “Consider how expensive a divorce lawyer is. If you are no longer in a committed relationship then think about how this will affect your social standing amongst family and friends. What will your friends and family think about…”.

Smith does not think he did anything shameful, so he decided instead of paying the ransom, he would share this information with the world. How other victims would have responded, only they know.

Reports of the “infidelity website” hack quickly spawned a new school of phishing sites as well. People who were worried about cheating partners were led just as easily as actual Ashley Madison users to websites offering to check an email address against the leaked Ashley Madison database.

However, people who submitted an e-mail to such sites risked falling victim to spam or phishing attacks. Cybercriminals created bogus websites to collect real e-mail addresses and then used the addresses for spam or phishing. Once a person typed in an address, it would be sent, unprotected, to people who would easily use it for scams.

Postmortem

It’s been a year since the Ashley Madison breach, and we’ve heard about an awful lot of other massive breaches and their consequences. However, the Ashley Madison hack had a different impact, more personal and profound than credit card numbers or social media passwords. It dealt in private stories that otherwise would never had seen the light of day, and they were exposed for the world to see.

Some breaches have a long-lasting effect on both an affected service and its users. For example, one can only guess what could have happened if malefactors had devised a tool to compare the data from the Ashley Madison dump with the data from another major hack — the hack of the United States Office of Personnel Management. That leak compromised the personal data of millions of people employed by the US government, including many who had access to classified information.

To date, we know about three highly publicized lawsuits against Avid Life Media. However, many quiet divorces went unnoticed. Millions still live in fear of their infidelity being discovered. And Avid Life Media, a promising business until mid-2015, was forced to rethink its development strategy. The company will live with the consequences of the breach for years to come.

Marriage and fidelity are none of our business; they are personal decisions, and lecturing people about those decisions was not supposed to be part of our mission. But we are in the strange position of having to warn users who choose to bring these intimate decisions online. Both attached and single people who engage in online affairs or sexting raise their risk level. Their personal data and their reputations are at stake. And the nature of this kind of private information makes them easier and more vulnerable prey to the kind of cybercriminals who use the dirtiest tricks — blackmail and extortion.

If you still want to explore the dangerous waters of online dating, bear in mind some basic tips that can help mitigate the risks of a potential breach:

  • Look out for your own security — don’t expect the website to do it for you. Try to avoid paying by credit card; use gift cards if possible, and use a fake name and address in your profile.
  • Don’t exchange nude photos, even — or especially — if pressured. You may even trust the person you’re chatting with, but no one is safe from data breaches nowadays, so consider worst-case scenarios.
  • Never use your work e-mail address to sign up. A hacker linking you with your employer is a major blackmail opportunity — it could even open the door to social engineering attacks, compromising the security of your enterprise.
  • Use a private e-mail address, not your primary address, for online dating.
  • Use a fake name. For maximum secrecy, don’t register under your real name and, of cource, don’t use social media accounts for authorization. The more information a scammer or blackmailer has on you, the more effectively they can trap you.
  • If a breach affects you, don’t buy any offers to check your info against the database of leaked data; it might be a trap. If you want to run a secure check, you might try HaveIBeenPwned?, a website developed by white-hat hacker and security researcher Troy Hunt.
  • If your data was compromised, make sure to change passwords to other online services on which you’ve used similar or identical passwords: Hackers are well aware users tend to reuse passwords. Should you hesitate, the culprits may hack your Facebook and LinkedIn account — or worse, your e-mail account. You might also need to request new credit cards.
  • Perhaps most important, try always to keep in mind that your account may be hacked at any time. Unfortunately, these days a breach is not a matter of if but when.
Tips

How to travel safely

Going on vacation? We’ve compiled a traveler’s guide to help you have an enjoyable safe time and completely get away from the routine.