On July 19, well-known security blogger Brian Krebs reported that the online cheating site AshleyMadison.com had been compromised. A group known as The Impact Team released a cache of data stolen from Avid Life Media (ALM), the parent company of Ashley Madison and two other hookup sites, Cougar Life and Established Men.
The data released includes snippets of account details from ALM’s users, maps of internal company servers, employee network account information, company bank account data, and salary information.
The Impact Team released the information in protest of ALM’s “lies” regarding its full delete function. Users were told that they could completely wipe their profiles and information from the ALM databases at the cost of $19. However, when Impact Team compromised ALM servers and inspected their databases, they found that the information was not being deleted even after the delete fee had been charged.
The Impact Team’s demands were simple: either shut down Ashley Madison and Established Men, or have the full information of all 37 million users leaked. Needless to say, this was a cause of great stress for many of its users; Krebs reported that he receives a frequent stream of emails from Ashley Madison users who were afraid that the leak was going to go through.
Unfortunately for them, it just did. Wired reported earlier today that a 9.7 GB data dump was posted to the dark web containing the account details and log-ins for 32 million of the site’s users, along with seven years’ worth of credit card and other payment transaction details.
A short while later, Krebs posted again to his blog, questioning the credibility of the leaked data. Raja Bhatia, Ashley Madison’s original founding Chief Technology Officer, told Krebs that there had been a slew of fake data dumps popping up, and there was no reason to believe that this one was legitimate.
Bhatia examined the data, and concluded that the data from the original release was real, but everything else was nothing more than generic and fake SQL files. He also said that “There’s definitely not credit card information, because we don’t store that. We use transaction IDs, just like every other PCI compliant merchant processor.”
However, Krebs has recently edited his original post with this new information:
“I’ve now spoken with three vouched sources who all have reported finding their information and last four digits of their credit card numbers in the leaked database. Also, it occurs to me that it’s been almost exactly 30 days since the original hack. Finally, all of the accounts created at Bugmenot.com for Ashleymadison.com prior to the original breach appear to be in the leaked data set as well. I’m sure there are millions of AshleyMadison users who wish it weren’t so, but there is every indication this dump is the real deal.”
So it would seem, at least for now, that the leaked data is indeed legitimate.
From a data security standpoint, what’s interesting is that The Impact Team managed to acquire credit card data from a database that was allegedly not storing credit card information. Since multiple sources have confirmed that their credit card information was found in the leaked data, we can only conclude that ALM was storing credit card information; they just didn’t know it.
This is a common problem that many companies are alarmingly unaware of.
We have worked with many CSOs and IT compliance managers who have assured us that there was no cardholder data to be found in their systems. In one particular incident, Ground Labs software found over 100 million cardholder data records that were being backed up on a partition they didn’t even know existed, and this is one of many examples.
The entire situation highlights, once again, the importance of understanding your data. The larger your environment, the more data you’ll have, and the more locations you’ll have to store it. In today’s data-driven workplace, it’s imperative that every company understand what it is that hackers want, and how to keep it away from them.
As of now, the dumped data is making its rounds on the web, with sites like checkashleymadison.com going up (and getting taken down by a cease and desist by ALM) to make the information more accessible for the everyday spouse.
Play It Safe
The situation at Ashley Madison is still developing, but regardless of how it plays out for ALM, The Impact Team, or the gentlemen involved in the hack, this incident is but one of many examples of why having a strong data security system in place is integral for any modern-day business.
Are you interested in finding rogue data in your network? Take a free trial of Data Recon and find out if the same unknown risk exists within your environment.