For those of you hearing about the Ashley Madison hack and wondering who the heck Ashley Madison is, well, first of all, it’s not a who, it’s a what, or, if you like, a where. Ashely Madison is ashleymadison.com, and it’s a ‘dating’ site for married people. Yes, it’s a hookup site for married people who want to play around or have an affair.
Ashley Madison claims on their website that they have over “37,765,000 anonymous users”. Well, not so anonymous any more. Because the Ashley Madison hack hackers claim to have gotten the entire Ashley Madison user data, including not only names and email addresses, but even innermost fantasies.
Explains Ashley Madison, on their website:
Ashley Madison is the most famous name in infidelity and married dating. {Ed note: perhaps not something to be so proud of.} As seen on Hannity, Howard Stern, TIME, BusinessWeek, Sports Illustrated, Maxim, USA Today. Ashley Madison is the most recognized and reputable married dating company. {Ed. note: somehow ‘reputable’ and ‘married dating’ don’t quite go together.} Our Married Dating Services for Married individuals Work. Ashley Madison is the most successful website for finding an affair and cheating partners. Have an Affair today on Ashley Madison. Thousands of cheating wives and cheating husbands signup everyday looking for an affair. We are the most famous website for discreet encounters between married individuals. Married Dating has never been easier. With Our affair guarantee package we guarantee you will find the perfect affair partner.
The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.
CashApp us
Venmo us
Paypal us
But over the weekend, a group of hackers calling themselves the Impact Team hacked into Ashley Madison’s data, grabbing vast amounts of user data, including personally identifiable information (PII), and pwned the Ashley Madison site.
In fact, the Impact Team claims that the data they hacked into and acquired includes nude photos of the users, and descriptions of their sexual fantasies.
It seems that it is in part the focus of the Ashley Madison site, facilitating extramarital affairs, that caused the hackers to go after Ashley Madison. In fact, the hackers are demanding that parent company Avid Life Media take down the Ashley Madison site altogether, along with another site that they run, Established Men, which the Impact Team claims facilitates prostitution and human trafficking by hooking up well-to-do men with prostitutes – while they have not demanded that Avid Life Media take down other sites.
In a statement that some are calling a manifesto (see below for the full statement), the Impact Team explained:
We are The Impact Team. We have taken over all systems in your entire office and production domains, all customer information databases, source code repositories, financial records, emails … Shutting down AM and EM will cost you, but non-compliance will cost you more: We will release all customer-records, profiles with all the customers’ secret sexual fantasies, nude pictures, and conversations and matching credit card transactions, real names and addresses, and employee documents and emails. Avid Life Media will be liable for fraud and extreme harm to millions of users.
Regarding Established Men, and other sites that Avid Media runs, the Impact Team says:
ALM also runs Established Men, a prostitution/human trafficking website for rich men to pay for sex, as well as Cougar Life, a dating website for cougars, Man Crunch, a site for gay dating, Swappernet for swingers, and The Big and The Beautiful, for overweight dating.
But it also seems clear that the Impact Team may not only care about the thrusts of those sites, but that Ashley Madison promised full secrecy to their users – and in fact charged a $19 fee for a ‘Full Delete’ service – and then couldn’t deliver that promised secrecy in the face of a hack that exposed all of its users to the possibility of blowing their cover wide open. (According to the Impact Team, Avid Life Media netted nearly $2million in revenue for the Full Delete service in 2014, saying “Full Delete netted ALM $1.7mm in revenue in 2014. It’s also a complete lie.”)
“Too bad for those men,” says the Impact Team, “they’re cheating dirtbags and deserve no such discretion. Too bad for ALM, you promised secrecy but didn’t deliver. We’ve got the complete set of profiles in our DB dumps, and we’ll release them soon if Ashley Madison stays online. And with over 37 million members, mostly from the US and Canada, a significant percentage of the population is about to have a very bad day, including many rich and powerful people.
And, these are not idle threats. The Impact Team did in fact publish some of the data, to prove that they had it, and that they meant it, saying that “We have hacked them completely, taking over their entire office and production domains and thousands of systems, and over the past few years have taken all customer information databases, complete source code repositories, financial records, documentation, and emails, as we prove here. And it was easy. For a company whose main promise is secrecy, it’s like you didn’t even try, like you thought you had never pissed anyone off.” {Emphasis added.}
For their part, Avid Life Media released a statement yesterday, that says, among other things:
We were recently made aware of an attempt by an unauthorized party to gain access to our systems.
And…
The current business world has proven to be one in which no company’s online assets are safe from cyber-vandalism, with Avid Life Media being only the latest among many companies to have been attacked
And…
At this time, we have been able to secure our sites, and close the unauthorized access points.
Not only is this a stellar example of closing the barn doors after the horse has already gotten out, but their spin of “aware of an attempt” to gain access goes beyond downplaying the severity and enormity of the situation.
In the meantime, ALM has been playing whack-a-mole, contacting all sites that have the statement by the Impact Team, or any of the Ashley Madison data, online, and having them take it down (Avid Life Media CEO Noel Biderman told KrebsonSecurity that they were “working diligently and feverishly” to have their intellectual property removed from various sites). Which is why it’s been hard to find the full Impact Team statement. But we have it here for you.
Full Text of Impact Team Manifesto Statement on the Ashley Madison Hack
Avid Life Media runs Ashley Madison, the internet’s #1 cheating site, for people who are married or in a relationship to have an affair. ALM also runs Established Men, a prostitution/human trafficking website for rich men to pay for sex, as well as cougar life, a dating website for cougars, man crunch, a site for gay dating, swappernet for swingers, and the big and the beautiful, for overweight dating.
Trevor, ALM’s CTO once said “Protection of personal information” was his biggest “critical success factors” and “I would hate to see our systems hacked and/or the leak of personal information”
Well Trevor, welcome to your worst fucking nightmare.
We are the Impact Team. We have hacked them completely, taking over their entire office and production domains and thousands of systems, and over the past few years have taken all customer information databases, complete source code repositories, financial records, documentation, and emails, as we prove here. And it was easy. For a company whose main promise is secrecy, it’s like you didn’t even try, like you thought you had never pissed anyone off.
Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails. The other websites may stay online.
So far, ALM has not complied.
First, we expose that ALM management is bullshit and has made millions of dollars from complete 100% fraud. Example:
-Ashley Madison advertises “Full Delete” to “remove all traces of your usage for only $19.00”
-It specifically promises “Removal of site usage history and personally identifiable information from the site”
-Full Delete netted ALM $1.7mm in revenue in 2014. It’s also a complete lie.
-Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.
-Other very embarrassing personal information also remains, including sexual fantasies and more
-We have all such records and are releasing them as Ashley Madison remains online.Avid Life Media will be liable for fraud and extreme personal and professional harm from millions of their users unless Ashley Madison and Established Men are permanently placed offline immediately.
Our one apology is to Mark Steele (Director of Security). You did everything you could, but nothing you could have done could have stopped this.
This is your last warning,
Impact Team
We are not opportunistic skids with DDoS or SQLi scanners or defacements. We are dedicated, focused, skilled, and we’re never going away. If you profit off the pain of others, whatever it takes, we will completely own you.For our first release, and to prove we have done all we claim, we are listing *one* Ashley Madison credit card transaction for each day for the past 7 years, complete with customer name and address (oneperday.txt) and associated profile information (oneperday_am_am_member.txt and oneperday_aminno_member.txt, selected rows from our complete dump of the AM databases). We are also releasing a hash dump and zone file for both domains, select documents from your file servers, executives’ google drives, and emails, and the Ashley Madison source code repository. Also, since Ashley Madison stopped using plaintext passwords, we’re also releasing the swappernet user table, which still has plaintext passwords:
imgur[dot]com/8gQs8KV
bitbucket[dot]org/TheImpactTeam/ashley
bitbucket[dot]org/TheImpactTeam/ashleymadisondump
launchpad[dot]net/ashley
https://web.archive.org/web/20190613212907/https://mega.nz/!f4smmDCa!YM7eJE2uxDvjGhxPERYk5tgBgeRyZoEYc9d0JMFUCP01 example from this dump: “{user name removed by The Internet Patrol}”, with profile ID {removed by The Internet Patrol}, who spitefully paid for Ashley Madison the day after valentine’s day in 2014, lives at {address removed by The Internet Patrol} in the US, with email {email address removed by The Internet Patrol}. He is not only married/attached, but is open to a list of fantasies from Ashley Madison’s list: |29|44|39|37|7|, a.k.a. “Cuddling & Hugging”, “Likes to Go Slow”, “Kissing”, and “Conventional Sex”. He’s looking for ‘A woman who seeks the same things I seek: passion and affection. If you have such desires then we will get alone just fine’,’|54|11|9|’ which means “Good Communicator”, “Discretion/Secrecy”, and “Average Sex Drive”. He also says “I have only two personal interests on this site. Making sure that You are comfortable with me should I be so fortunate to hold your attention and making sure I take the role of discretion to an artform. I mean isn’t this why we are here, to be as discreet as possible?” From the login table, we know his user ID is ‘{removed by The Internet Patrol}’ and password hash is ‘{removed by The Internet Patrol}’.
As another, profile ID {removed by The Internet Patrol} is listed as a “paid delete”, which means a few of his profile text boxes are gone, but from purchase records we know it is “{name removed by The Internet Patrol}” from “{address removed by The Internet Patrol}” whose fantasies are |7|40|17|34|33|37|38|48|36|42|43|50|44|32|39|29|49|18|, which includes “Likes to Give Oral Sex”, “Likes to Receive Oral Sex”, “Light Kinky Fun”, “Role Playing”, “Erotic Tickling”, “Erotic Movies”, “Good With Your Hands”, “Sensual Massage”, and “Dressing Up/Lingerie” among others. You must be glad you paid for your profile to be deleted, huh?
Too bad for those men, they’re cheating dirtbags and deserve no such discretion. Too bad for ALM, you promised secrecy but didn’t deliver. We’ve got the complete set of profiles in our DB dumps, and we’ll release them soon if Ashley Madison stays online.
And with over 37 million members, mostly from the US and Canada, a significant percentage of the population is about to have a very bad day, including many rich and powerful people.
Well, Noel? Trevor? Rizwan? What’s it going to be?
The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.
CashApp us
Venmo us
Paypal us
Off topic, but I caught my now/ex on a different site [connectxsingles] & she had like 50+ emails from guys in a very short time. In fact, caught her w/ one who was married at a hotel, but she denied it. Forget her name rt now on the site, but it was ??-wiggly; personally I think that would scare me away :)
Kinda makes me want to find the Impact Team and join it.
What sites like AM have to understand is that the only way to not be hacked is to not be on the Internet. Granted, that makes a web site more or less useless, but it’s the only way a secrecy promise is going to work.
TO: David Schlesinger Ah! I suspected the same. Sigh. yes as you put it, catching them is the hard part. Why am I wondering: “Inside job – disgruntled employee”. And it seems to me someone was hurt by them, somehow. Revenge?
Yes, there are numerous Federal laws against breaking into computer systems, making off with other people’s data, and so forth. The challenge is identifying the perpetrators (since the Internet makes it possible to mask your identity and location in scores of ways) and proving that they did it “beyond a reasonable doubt”.
Part of the problem is that a company whose security is as lackadaisical as AshleyMadison’s seems to have been — no encryption on their data? Really? — probably isn’t on their game enough to have collected the information you’d need to start tracking down the perpetrators.
One query. Since stuff like this is basically theft. Where are the legalities? You mean I could steal all the Internet Patrol’s “electronic property” and get away with it? I realize these hackers do make themselves hard to find, but in the end…. Do two wrongs make a right?
Are there any laws about people who break into computers? And are there any means to investigate and try find these people? I merely ask out of curiosity. For it seems to my old worm out brain that there were rules some years ago….
And should not the “human test”, be located ABOVE the “post comment button”. I mean logically!