Ashley Madison hack exposes IT details and customer records

IT records, sales data, and customer records exposed by Impact Team

On Sunday, a group calling themselves Impact Team leaked documents and other data taken from Avid Life Media, the company behind the adult playgrounds of Ashley Madison, Cougar Life, Established Men, and others.

The documents are a hodgepodge of details, ranging from IT infrastructure, sales and marketing data, customer records, and more.

In the message that accompanied the data, published online in multiple locations Sunday evening, Impact Team quoted ALM's CTO Trevor Skyes stating that protection of personal information was one of his biggest successes.

The quote goes on to say that he'd hate to see the company's systems hacked or customer information leaked. But that's exactly what's happened.

As part of the post announcing the hack, Impact Team said in part:

"We have hacked them completely, taking over their entire office and production domains and thousands of systems, and over the past few years have taken all customer information databases, complete source code repositories, financial records, documentation, and emails, as we prove here. And it was easy. For a company whose main promise is secrecy, it's like you didn't even try, like you thought you had never pissed anyone off.

"Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers' secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails. The other websites may stay online."

Impact Team claims that one of the reasons for targeting ALM is because the company "profits on the pain of others."

The group released nearly 40 MB of data as proof of their claims, which includes limited credit card transaction details, zone data on two domains, as well as several documents taken form the ALM data servers.

One of the leaked documents is an infrastructure overview of ALM, including a technical map of the network, and a detailed breakdown of the apps and services used on the company's front-rail and back-rail servers.

Another leaked document outlines the possible risks the company faced in relation to customer data and the possible outcome during a given scenario. All of the items in the document are valid risk assumptions, which would make it part of a larger security plan or internal evaluation.

Some of the concerns include the loss of compliance status due to an oversight or bug in development, or a process failure leading to the loss of PCI compliance. The document also singles out XSS and SQL Injection vulnerabilities as another concern, in addition to man-in-the-middle attacks and malware infections on the internal network.

A presentation leaked by Impact Team shows that the company made $1.7 million in 2014 by charging users $19.00 to remove all of their personal information form the website.

"Users of the service want full discretion, they can pay to eliminate any trace of themselves from the site," the slide explains.

However, the leaked records show otherwise. One record posted by Impact Team shows the customer with a "paid delete" status, but purchase records kept by the company enabled the group to determine the customer and all of his account details.

[Note: Last year, Ars Technica covered this topic as it relates to Ashley Madison. The story offers additional information on the topic of paying to remove member data.]

In their announcement, Impact Team offered an apology to Mark Steele (ALM Director of Security).

"You did everything you could, but nothing you could have done could have stopped this."

ALM CEO Noel Biderman told journalist Brian Krebs that it's possible the attackers worked for his company at one point and had legitimate internal access.

"We're on the doorstep of [confirming] who we believe is the culprit, and unfortunately that may have triggered this mass publication. I've got their profile right in front of me, all their work credentials. It was definitely a person here that was not an employee but certainly had touched our technical services," Biderman said.

"We're not denying this happened," he added. "Like us or not, this is still a criminal act."

The company has made no other public statements. A search of the Ashley Madison and ALM websites on Sunday evening turned up no public disclosure or notice related to the incident.

Join the CSO newsletter!

Error: Please check your email address.

Tags Established MenAvid Life Mediasecuritydata breachCougar LifeAshley Madison

More about AvidCougar

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Steve Ragan

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place