Data stolen by hackers from AshleyMadison.com, the online cheating site that claims 37 million users, has been posted online, according to Krebs on Security, the authoritative Web site that monitors hacking across the globe.
The breach was confirmed in a statement from Avid Life Media Inc., which owns AshleyMadison. “We apologize for this unprovoked and criminal intrusion into our customers’ information.”
AshleyMadison’s slogan is “Life is short. Have an affair.”
On Monday, the company said it would offer all users the ability to fully delete their personal information from the site — an option that was previously only available for a fee. The process involves a “hard-delete” of users’ profile information, posted pictures and messages.
Addressing speculation that “paid-delete” customers had been caught up in the hack, the company noted that they are confident that it “does in fact remove all information related to a member’s profile and communications activity.”
AshleyMadison is an unusual and apparently very popular dating Web site for those seeking extramarital relations. It gains attention by, among other things, wrapping itself in a social science mantle and publishing data about the frequency and location of cheaters across America, for anyone who happens to be interested, without, of course, mentioning any names.
Krebs on Security reported that the hackers, who identify as “The Impact Team,” got a hold of “sensitive internal data” not only for AshleyMadison, but also for other hookup sites owned by the company, Cougar Life, which appeals to “single moms and sexy singles looking for a young Stud,” and Established Men, which promises to connect “young, beautiful women with successful men.”
According to Brian Krebs, from Krebs on Security:
In a long manifesto posted alongside the stolen ALM data, The Impact Team said it decided to publish the information in response to alleged lies ALM told its customers about a service that allows members to completely erase their profile information for a $19 fee.
According to the hackers, although the ‘full delete’ feature that Ashley Madison advertises promises ‘removal of site usage history and personally identifiable information from the site,’ users’ purchase details — including real name and address — aren’t actually scrubbed.
Krebs reported that “The Impact Team” is threatening to expose all customer records unless Avid Life Media takes AshleyMadison and Established Men offline “permanently in all forms.”
But it wasn’t clear how much data had been posted online, Krebs said. And it was impossible to actually find “The Impact Team’s” revelations on the Internet early Monday morning, just hours after Krebs broke the story.
Noel Biderman, Avid Life Media CEO, confirmed the hack to Krebs on Security as well as in a statement, but declined to discuss the company’s “ongoing and fast-moving” investigation. Biderman told Krebs on Security that it was likely “not an employee but certainly” someone who “had touched our technical services.”
“We’re not denying this happened,” Biderman said to Krebs on Security. “Like us or not, this is still a criminal act.”
CNN reported on a similar data breach two months ago in which intruders stole and leaked online user data on millions of accounts from hookup site AdultFriendFinder.
Although it is unknown how much user account data from AshleyMadison is online, Krebs on Security reports that it appears to be a small amount that will increase by each day the company remains online.
AshleyMadison claims to be the world’s second-largest paid-for Internet dating site after Match.com, Bloomberg reports.
Fusion reports that tech blogger Robert Scoble posted an e-mail from AshleyMadison’s public relations team last year that ironically claimed the site was “the last truly secure space on the Internet.”
Which is apparently not the case.
“Too bad for those men, they’re cheating dirtbags and deserve no such discretion,” the hackers wrote.
“We have always had the confidentiality of our customers’ information foremost in our minds, and have had stringent security measures in place, including working with leading IT vendors from around the world,” Avid Life Media said in its statement. “As other companies have experienced, these security measures have unfortunately not prevented this attack to our system.
“At this time, we have been able to secure our sites, and close the unauthorized access points. We are working with law enforcement agencies, which are investigating this criminal act. Any and all parties responsible for this act of cyber-terrorism will be held responsible.”
In a second statement e-mailed to The Post Monday morning, Avid Life Media said it was working to gain control of the situation.
“Following the earlier unprovoked and criminal intrusion into our system, Avid Life Media immediately engaged one of the world’s top IT security teams – with whom we have worked in the past – to take every possible step toward mitigating the attack.
“Using the Digital Millennium Copyright Act (DMCA), our team has now successfully removed the posts related to this incident as well as all Personally Identifiable Information (PII) about our users published online. We have always had the confidentiality of our customers’ information foremost in our minds and are pleased that the provisions included in the DMCA have been effective in addressing this matter.”
This post has been updated.