The morality police are alive and well in the 21st century, and not just in Saudi Arabia and China. At least that is the view of cheating website Ashley Madison, which uses the term for the hackers that published the names, addresses and credit card data of more than 30 million of its clients on Tuesday. The hackers, who call themselves the Impact Team, broke into AshleyMadison.com and stole virtually all of its customer data just over a month ago.
The Impact Team threatened to post all of the client data they stole if the website was not shut down, and management refused, so now they have carried through on their threat.
Hackers made Ashley Madison “data dump” on Tuesday
The hackers posted the Ashley Madison client information via a 9.7 gigabyte data dump on Tuesday to the dark web. For anonymity they used an Onion address that can only be accessed through the Tor browser. The files posted contain account details and log-in names for around 32 million users of the cheating networking site. Credit card and other payment transaction records stretching as far back as 2007 are also part of the dump. The data includes names, street addresses, email addresses and amounts paid, but not credit card numbers. Each transaction is identified by four digits, which may be the last four digits of the credit card or a unique transaction ID created for each charge.
The Ashley Madison client data published by the Impact Team includes the names, addresses and phone numbers submitted by users of the site. Keep in mind that many users of the site would not have submitted legitimate personal details. Wired notes that a sampling of the data suggests that many users provided made-up numbers and addresses. However, all files containing credit card transactions will have accurate name and address data. Another analysis of the email addresses found in the AM client data shows that more than 15,000 are .mil or .gov addresses.
Statement from The Impact Team
“Avid Life Media has failed to take down Ashley Madison and Established Men,” the Impact Team noted in a statement released with the data on Tuesday. “We have explained the fraud, deceit, and stupidity of ALM and their members. Now everyone gets to see their data…. Keep in mind the site is a scam with thousands of fake female profiles. See ashley madison fake profile lawsuit; 90-95% of actual users are male. Chances are your man signed up on the world’s biggest affair site, but never had one. He just tried to. If that distinction matters.”
In their statement, the hackers also suggested clients who have had their personal information exposed take legal action against Avid Life Media.
“Find yourself in here? It was ALM that failed you and lied to you. Prosecute them and claim damages. Then move on with your life. Learn your lesson and make amends. Embarrassing now, but you’ll get over it.”
Statement from Ashley Madison Owner Avid Life Media
Not surprisingly, Avid Life Media published a statement late Tuesday in response to the exposure of the personal information of millions of clients.
The statement noted: “This event is not an act of hacktivism, it is an act of criminality. It is an illegal action against the individual members of AshleyMadison.com, as well as any freethinking people who choose to engage in fully lawful online activities. The criminal, or criminals, involved in this act have appointed themselves as the moral judge, juror, and executioner, seeing fit to impose a personal notion of virtue on all of society. We will not sit idly by and allow these thieves to force their personal ideology on citizens around the world.”
Customer passwords are hashed
The good news is that the passwords included in the Ashley Madison data dump appear to have been hashed using the strong bcrypt algorithm for PHP, but according to Robert Graham, the CEO of security firm Erratasec, “hackers are still likely to be able to ‘crack’ many of these hashes in order to discover the account holder’s original password.” Moreover, if the account is still active, hackers who recover its password can access any private correspondence associated with the account (unless the user has changed the password).
Graham did give ALM due props for using the latest secure hashing algorithm, and said that many victims of breaches never even make the effort to hash customer passwords.
“We’re so used to seeing cleartext and MD5 hashes,” Graham commented. “It’s refreshing to see bcrypt actually being used.”
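A defender's view of the cleartext, MD5 and bcrypt distinction Graham draws, as an added example that is not from the article or from Avid Life Media: a Python check that classifies stored password values by format and flags the ones that need migrating. The `MIN_COST` floor, the action labels and the sample rows are assumptions constructed for illustration.

```python
import re

# Modular-crypt bcrypt string: "$2a$", "$2b$", "$2x$" or "$2y$" prefix, two-digit
# cost, then 22 salt characters and 31 digest characters (53 in total).
BCRYPT = re.compile(r"\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}")
HEX32 = re.compile(r"[0-9a-fA-F]{32}")  # shape of an unsalted MD5 hex digest

MIN_COST = 12  # assumed policy floor for this example, not a figure from the article


def classify(stored):
    """Return (scheme, cost) for one stored password value."""
    m = BCRYPT.fullmatch(stored)
    if m and 4 <= int(m.group(1)) <= 31:  # bcrypt only defines costs 4..31
        return "bcrypt", int(m.group(1))
    if HEX32.fullmatch(stored):
        return "md5-like", None
    return "unrecognized", None  # cleartext or a scheme this check does not know


def audit(rows, min_cost=MIN_COST):
    """Map user id -> (scheme, cost, action) for every (user_id, stored) row."""
    findings = {}
    for user_id, stored in rows:
        scheme, cost = classify(stored)
        if scheme == "bcrypt":
            action = "ok" if cost >= min_cost else "rehash-on-next-login"
        elif scheme == "md5-like":
            action = "force-reset"
        else:
            action = "investigate"
        findings[user_id] = (scheme, cost, action)
    return findings


# Constructed sample rows (not real data): filler characters stand in for
# the salt and digest portions of each value.
SAMPLE_ROWS = [
    (1, "$2y$12$" + "A" * 22 + "b" * 31),
    (2, "$2a$08$" + "C" * 22 + "d" * 31),
    (3, "0123456789abcdef" * 2),
    (4, "hunter2"),
]

if __name__ == "__main__":
    for uid, finding in audit(SAMPLE_ROWS).items():
        print(uid, *finding)
```

A bcrypt value at an adequate cost still protects only as well as the password behind it, which is why the check reports the scheme and cost rather than declaring an account safe.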