The site, which claims to have over 37 million users, told Krebs on Security that it was working to take down leaked data, including account details of users apparently sampled at random.
An individual or group of hackers calling itself The Impact Team has claimed responsibility for the attack. In a manifesto posted along with the stolen user information, it said that it decided to publish the leaked data in response to alleged lies Avid Life Media (ALM; the company that owns Ashley Madison, as well as hookup sites Cougar Life and Established Men) told its customers about a $19 fee for completely erasing their profiles.
The Impact Team said that the ‘full delete’ feature didn’t actually wipe profiles as advertised and that it brought ALM $1.7 million in revenue last year.
The hackers said:
Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.
The Impact Team also demanded that ALM take down AshleyMadison and Established Men permanently:
Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails. The other websites may stay online.
ALM CEO Noel Biderman said that the company’s investigation is on-going and fast-moving, and added that he believed the breach was the work of someone who had inside access to its networks:
We’re on the doorstep of [confirming] who we believe is the culprit, and unfortunately that may have triggered this mass publication. I’ve got their profile right in front of me, all their work credentials. It was definitely a person here that was not an employee but certainly had touched our technical services.
The news of ALM’s trouble comes just two months after dating site AdultFriendFinder was hacked.
Update: Avid Life Media confirmed the breach in a statement:
We were recently made aware of an attempt by an unauthorized party to gain access to our systems. We immediately launched a thorough investigation utilizing leading forensics experts and other security professionals to determine the origin, nature, and scope of this incident.
We apologize for this unprovoked and criminal intrusion into our customers’ information. The current business world has proven to be one in which no company’s online assets are safe from cyber-vandalism, with Avid Life Media being only the latest among many companies to have been attacked, despite investing in the latest privacy and security technologies.
We have always had the confidentiality of our customers’ information foremost in our minds, and have had stringent security measures in place, including working with leading IT vendors from around the world. As other companies have experienced, these security measures have unfortunately not prevented this attack to our system.
At this time, we have been able to secure our sites, and close the unauthorized access points. We are working with law enforcement agencies, which are investigating this criminal act. Any and all parties responsible for this act of cyber–terrorism will be held responsible.
Avid Life Media has the utmost confidence in its business, and with the support of leading experts in IT security, including Joel Eriksson, CTO, Cycura, we will continue to be a leader in the services we provide. “I have worked with leading companies around the world to secure their businesses. I have no doubt, based on the work I and my company are doing, Avid Life Media will continue to be a strong, secure business,” Eriksson said.
➤ Online Cheating Site Ashley Madison Hacked [Krebs on Security]