The Impact Team, the vigilante group behind the hacking of the infamous website AshleyMadison.com, has followed through on its threat to leak the full database of the site’s users online. On Tuesday, August 18, 2015, an impressive 9.7 gigabytes of compressed data was posted to the dark web using an Onion address accessible only through the Tor browser. The files appear to include the names, addresses, phone numbers, email addresses, seven years of credit card data (dating back to 2007), and, in some cases, detailed sexual preferences and desires of AshleyMadison’s approximately 32 million users. The credit card data, which amounts to millions of transactions, includes names, street addresses, email addresses and amounts paid, but not credit card numbers; instead it includes four digits for each transaction that may be the last four digits of the credit card or simply a unique transaction ID.
While it is presently unclear whether all of the data supplied by users to AshleyMadison is legitimate, the growing consensus is that the information is legitimately from AshleyMadison’s site. But the site never verified any email addresses supplied upon registration; therefore, not every leaked email belongs to an “actual” AshleyMadison “user”.
The Ashley Madison hack is by no means the biggest data grab to date, but it is certainly one of the most notorious. The Telegraph (London) is even running “real time” updates as reporters comb through the data trove for famous or government email addresses.
While some may be worried that spouses will discover attempted or actual infidelity, this data dump also creates increased risk for employers. This large list of email addresses is likely to be irresistible to those launching “phishing attacks” by delivering malicious links or attachments containing malware in seemingly innocuous emails. This creates additional risk of intrusion into corporate networks where an employee has used his or her work email to register with AshleyMadison, or where an employee checks personal email at work. In addition, the vast array of leaked personal information could also be used to impersonate the AshleyMadison users and gain access to, for example, corporate networks.
Finally, the AshleyMadison leak underscores the poor security practices we have often decried on this blog. As an initial matter, AshleyMadison exercised terrible data retention practices. Ashley Madison evidently kept credit card transactions going back over seven years, including information on 250,000 “deleted” accounts. Why would any company maintain credit card records for nearly eight years, particularly on accounts that should have been deleted? The lack of an appropriate data retention policy has resulted in serious legal exposure for AshleyMadison as users can (and likely will) claim that AshleyMadison negligently maintained their data.
Separate and apart from the data retention issues, it appears that AshleyMadison only used the bcrypt algorithm to hash their passwords without providing any additional layers of protection. While hashing passwords with bcrypt is a good security measure, this alone is not sufficient. Data security is by no means one-size-fits-all. However, a more secure approach would have been a multi-pronged security effort including items such as adroit data retention, appropriate deletion, encryption of data, and two-factor authentication.
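For readers who want to see what the password-hashing layer mentioned above actually involves, the following is an added example; it is not code from the original post and has nothing to do with how AshleyMadison implemented its storage. The post names bcrypt; this example uses PBKDF2-HMAC-SHA256 from the Python standard library (`hashlib.pbkdf2_hmac`) so that it runs without a third-party bcrypt package, but the design points are the same ones bcrypt embodies: a random per-user salt, a deliberately slow work factor, and a constant-time comparison on verification. The stored-record format (`scheme$iterations$salt$digest`) and the iteration count are choices made for this example.

```python
"""Salted, slow password hashing with constant-time verification.

Added example (not from the original post). Stands in for bcrypt using the
standard library's PBKDF2-HMAC-SHA256; record format and work factor are
choices made here, not anything taken from AshleyMadison's systems.
"""
import hashlib
import hmac
import os
from typing import Optional

SCHEME = "pbkdf2_sha256"
ITERATIONS = 600_000   # work factor; raise it over time as hardware gets faster
SALT_BYTES = 16        # 128-bit random salt, unique per stored password


def hash_password(password: str, *, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt_hex$digest_hex.

    Storing the iteration count alongside the digest lets a site raise the
    work factor later and re-hash users at their next login, instead of
    being stuck with whatever cost was chosen years earlier.
    """
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest from the stored salt and iteration count and
    compare in constant time, so timing does not leak how many bytes matched."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: fail closed
    if scheme != SCHEME or rounds <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, minimum_iterations: int = ITERATIONS) -> bool:
    """True if a record was made with a weaker work factor than current policy."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != SCHEME or int(parts[1]) < minimum_iterations


if __name__ == "__main__":
    # Constructed sample: two users who happen to pick the same password
    # still get different records because each gets its own salt.
    rec_a = hash_password("correct horse battery staple")
    rec_b = hash_password("correct horse battery staple")
    print("records differ despite identical passwords:", rec_a != rec_b)
    print("verify correct password:", verify_password("correct horse battery staple", rec_a))
    print("verify wrong password:  ", verify_password("Correct horse battery staple", rec_a))
    print("old record needs rehash:", needs_rehash(hash_password("pw", iterations=10_000)))
```

The point the post is making still stands after reading this: a slow salted hash only raises the cost of guessing each leaked password; it does nothing for the names, addresses and payment records stored in clear alongside it, which is why hashing has to sit inside a broader program of retention limits, deletion, encryption of the other fields, and second-factor authentication.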
In short, we live in an era where massive amounts of personal data are being hacked and exposed. This new reality requires companies to take a hard look at their data security measures. The takeaway here: from both a PR and a legal perspective, your company does not want to be the next AshleyMadison.