Five years after a high-profile data breach of Ashley Madison, an infidelity website where users could meet to start an extramarital affair, its users are increasingly finding themselves victimized by extortion plots demanding about $1,000 in bitcoin to spare them further embarrassment.
The current scheme, uncovered by Vade Secure threat analyst Damien Alexandre, draws on details of the personal lives of 32 million Ashley Madison adulterers, whose names, passwords, addresses, phone numbers, banks and credit card numbers over a seven-year period landed on the dark web in August 2015, according to a Vade blog post.
Vade Secure reported that last week it saw several hundred examples of the attacks in the U.S., Australia and India. The payment demand comes in the form of a PDF containing a QR code, a format chosen to avoid detection by email filters.
Recipients are threatened that if they don’t pay the ransom, the information that they’re a married cheater will be shared on social media, as well as with family members, including spouses, for whom the hackers claim they already possess email addresses.
Very specific details are offered in the threat, such as when the user joined Ashley Madison and the user’s sexual proclivities or need for male-assistance products.
“This Ashley Madison extortion scam is a good example that a data breach is never one and done,” Vade noted in the blog post. “In addition to being sold on the dark web, leaked data is almost always used to launch additional email-based attacks, including phishing and scams such as this one.”
Ashley Madison reemerged online in 2018 when its CEO Ruben Buell reported the service was adding more than 470,000 new users a month.