How The Ashley Madison Security Breach Happened

by Ordoyne Unrath

In July 2015, a group billed as the Impact Team stole user data from Ashley Madison, a commercial website that allegedly facilitated extramarital affairs. Between August 18 and 20 the group stole personal information about the site’s user base. The group copied the data and threatened to release user names and identifying information if the website was not closed.

Ashley Madison, a commercial website that allegedly facilitates extramarital affairs, had a policy of not deleting users’ personal information, including real names, home addresses, credit card information, and activity logs, data whose exposure many users feared would bring shame. A group calling itself The Impact Team announced the theft on July 19th, 2015 and threatened to reveal the identities of the site’s users unless Avid Life Media, the site’s parent company, shut down the site as well as Established Men, another dating site it runs.

According to the hackers, the service allowed members to delete their profile information for a fee of $19 and promised to delete their site usage history, but did not delete personally identifiable information about Ashley Madison users or their purchase details, including real names and addresses.

It seems that the hackers at first released only a small percentage of Ashley Madison’s user account details and wanted to release more in the days that Ashley Madison stayed online. After receiving a complete set of profiles from their DB dump, the hackers released them to the public. The Impact Team released the data dump, which contains the sensitive data of all 3.7 million users of Ashley Madison who have used the site for more than a decade.

The Ashley Madison database was uploaded to several websites, where it was freely available for anyone to download. Ashley Madison began issuing copyright notices to try to remove these files from the internet and minimize the damage. The files were shared on social media sites such as Twitter. The 97 GB files were stored on the dark web at onion addresses and revealed personal information, including phone numbers, email addresses, names, photos, and physical addresses of the users.

The first data dump contained 20 gigabytes of the company’s internal data, including the CEO’s emails and the source code for Ashley Madison’s site. In a Pastebin post entitled “Time of Impact,” the hacking team uploaded the data as a torrent file with 10 GB of files. It later emerged that a 13 gigabyte file of Biderman emails had been corrupted and replaced by a newly published 19 gigabyte file of CEO email data.

It has been almost 6 years since one of the biggest and most infamous cyber attacks in history, but the controversy around Ashley Madison, the online dating site for extramarital affairs, has been largely forgotten. This huge leak has caused some newer dating apps such as Mingle2 to take security much more seriously, moving their hosting to their own dedicated servers and hiring security experts to audit their systems and source code for potential vulnerabilities.
