Last month adultery website Ashley Madison was hacked, and now the names, addresses, phone numbers, encrypted passwords and credit card transaction details of around 32 million of its 37 million registered customers appear to have been posted on the dark web.
Thirty days ago, Canada-based parent company Avid Life Media (ALM) was given a month by the hackers to take down Ashley Madison and dating website Established Men. If ALM did not listen, they threatened to make public user details taken from the company’s compromised databases, source code repositories, financial records and email system.
The group, calling itself the Impact Team, made good on the threat Tuesday night when it posted 9.7 gigabytes of this data, including emails and credit card details, all in apparent retaliation for the site claiming to delete customer details for a fee, but failing to do so.
Wired reported that this data is available online via the Tor browser on an Onion address, meaning the data is distributed on the dark web.
A notice from the hackers said “time’s up” and accused ALM of lying to its customers, a reference to its service that allows members to erase their profile information for a $19 fee. They then said to “Prosecute them and claim damages.”
According to the hackers, ALM made $1.7 million in revenue in 2014 from the full delete service to remove user history and personally identifiable information (PII) from the site, but Impact Team said that payment details are not in fact removed.
ALM issued a statement describing the hack as “an act of criminality,” saying it had “now learned that the individual or individuals responsible for this attack claim to have released more of the stolen data”.
“The criminal, or criminals, involved in this act have appointed themselves as the moral judge, juror, and executioner, seeing fit to impose a personal notion of virtue on all of society,” the statement said. “We will not sit idly by and allow these thieves to force their personal ideology on citizens around the world.”
The company had planned a public flotation, but the nature of the business, being hugely reliant on trust that’s now largely lost, could mean this is unlikely to happen. And while commentators have noted that it may not be a mainstream conventional business, the issues nonetheless have wide implications.
Blue Coat, a security company investigating the breach, believes there is more to come. In an email to SCMagazine.com, they said this could include reselling the personal data to others, financial or non-financial blackmail of Ashley Madison and its customers, and social engineering to take down bigger targets.
Commenting in an email so SCMagazineUK.com, Keith Poyser, GM EMEA at Accellion, agreed that “whilst Ashley Madison was hacked by sophisticated cyber-criminals, the lesson to be learnt is that no business can afford to take cyber-security and data protection lightly. We have seen breach after breach in the last two years, from Carphone Warehouse to Target and Sony, to name a few. This is a cyber-arms race with criminal techniques constantly evolving, which means defense against attack must also evolve.”
In addition to reaping any type of financial windfall, others believe there is a moral aspect to the release of information.
“There is a desire to hurt people here and that’s sick as well as being criminal,” said George Anderson, director at cybersecurity firm Webroot. “Whilst readers’ morals may conflict, either seeing this group of hackers as good or bad guys, the fact remains that the Impact Team illegally obtained sensitive personal info. I’d imagine the fall-out is divorces, firings and blackmail – really personally malicious and upsetting stuff. There are no moral judgments on this except the immorality of hackers. So the ‘what now?’ is pretty nasty and the site users will probably be considering a class action for negligence.”
A version of this story originally appeared on SCMagazineUK.com.