Last Tuesday, Impact Team, the group that claimed responsibility for the hack of Avid Life Media (ALM) in July, released the first of three different archives containing ALM data, including customer records, financial records, internal documents and records, source code, and the CEO's email spool.
ALM is the company behind the adult playgrounds of Ashley Madison, Cougar Life, and Established Men.
In July, Impact Team said the company profits on the pain of others, and warned that if Ashley Madison and Established Men were not taken offline, they would release the compromised records to the public. They made good on their promise, and the last seven days have been chaos.
A public hunt for high-profile people:
Jeff Ashton, the prosecutor during the Casey Anthony trial, admitted last week that he had an account on the affair website, and issued an apology to his wife and kids. He said he was curious and registered for a paid account to see how the site worked, but denied actually having an affair.
Josh Duggar, a reality TV star who was already in hot water over molestation charges from his teenage years, was also discovered among the ALM client lists. Duggar had paid for an "affair guarantee" on Ashley Madison. Once the story spread, he issued an apology that stated in part that he was the "biggest hypocrite ever." Duggar was known for promoting faith and family values.
Hamza Tzortzis, a well-known British Islamist preacher, was also found in the ALM client lists, but denied that he ever used the service. His claims have led some to speculate that he was one of several people who were found in the ALM client roster, but who were likely registered by other people.
Ashley Madison only verified paid subscriptions, but anyone was able to register on the website with whatever information they provided. However, critics pointed out that Tzortzis' financial details were also in the leak, calling his public response on the matter into question.
An interesting aside in all of this mess, more of a personal observation really, is that on one hand, there are privacy advocates promoting the hunt for high-profile individuals – while seemingly ignoring the fact that 37 million people had their privacy violated last week. Does the right to privacy go away if someone cheats on their spouse?
A brief statement:
In a statement, Ashley Madison said that the complete wrecking of the company by Impact Team isn't an "act of hacktivism, it is an act of criminality."
"It is an illegal action against the individual members of AshleyMadison.com, as well as any freethinking people who choose to engage in fully lawful online activities. The criminal, or criminals, involved in this act have appointed themselves as the moral judge, juror, and executioner, seeing fit to impose a personal notion of virtue on all of society."
The company has since stopped claiming that the data released by Impact Team was false, or otherwise forged.
Spammers hijacking Ashley Madison suicide discussions on social media:
Over the weekend, spammers started hijacking conversations on social media by promoting a number of bogus links. Some of them lead to questionable destinations.
While a malware attack hasn't been confirmed, many of the links tested by Salted Hash routed through several locations before landing on the final page, an affiliate link used to promote books on Amazon. The books themselves are guides and self-help publications geared towards online anonymity. There were also keyword-based items using "Ashley Madison" and offers for romance novels.
On Twitter, many of the profiles promoting the questionable links appear to be bots that are triggered by the phrase "Ashley Madison Suicide" and are using the dlvr.it URL shortening service. Some are recycling the links through Tumblr as well.
The topic is centered on reports that emerged late last week. The story is that a San Antonio city employee took their own life after their data was discovered in the Ashley Madison client list. However, this story hasn't been fully confirmed.
The facts are that three San Antonio email addresses were found among the 37 million profiles leaked, and a city worker in San Antonio committed suicide last week. The city hasn't commented on any connection, assuming one exists.
However, if you know your data is in the Ashley Madison archives and you feel suicidal, take a moment and talk to someone. The National Suicide Prevention Lifeline (800-273-8255) is staffed 24-7. There's also a website: http://www.suicidepreventionlifeline.org/
Investigation firm uses Ashley Madison fears to drum up business:
Trustify, a company that connects people to private investigators, is using the Ashley Madison incident as a marketing tool.
Late last week on Reddit, a user posted an email from the company, which informed them that they, or someone they know, "recently used our search tool to see if your email address was compromised in the Ashley Madison leak, and we confirmed that your details were exposed."
"There are ways to hide the exposed details, but first you need to see what information can be found across the web. Talk with our experienced investigative consultants to learn how you can find out what incriminating information is available and could ruin your life," the email continued.
Online, after using the Trustify search tool, users will also see the following:
"Because you’ve been exposed, you need to know exactly what kind of information is out there. This kind of information can affect your job, love life, mortgages, and anything else where a background check is required. However, to truly understand the extent of how much damaging information is accessible about you online, you need an expert who knows where to look and has access to special databases unavailable to the general public."
Users on Reddit and those commenting in other places state that the company is promoting ambulance-chasing FUD, but it isn't clear if there have been any sales as a direct result of the search-to-marketing program.
The company posted a blog post in an attempt to explain what they've done, but despite their excuses, it was made clear that "business is booming."
They also attempted to distance themselves from the ambulance-chasing argument:
"Before the Ashley Madison data was published on August 18, we were receiving a lot of requests in cheating investigations about it. People wanted to know if their spouse had an account, and was using the site to cheat. We weren’t able to answer that question for our customers before. We owe it to our customers to make the data available to them, if they ask."
Ashley Madison hackers admit to using valid processor credentials to obtain credit card data:
During an email exchange with Motherboard, Impact Team made an interesting admission concerning the financial data from ALM that was leaked to the public:
"They said they don't store CC [credit card information]. Sure, they don't store email either; they just log in every day to server and read. They had password to CC processor. We dumped from CC processor... They have payment processors. The payment processors store most of the credit card number and billing address. Like how Gmail stores their email. They can log in and look up transactions."
The first question that comes to mind is the name of the credit card processor. Who was compromised, and did the ALM account that was used expose other records or accounts due to a vulnerability of some kind on the processor's back-end?
Is there a PCI issue? Vinny Troia, Director of security and risk consulting for McGladrey, said that if Impact Team got the card data out of the card processor, the situation would then fall under one of the grey areas of PCI.
"Whose responsibility was it?" he questioned.
"PCI requires that someone review all access to card data at least daily. So if someone pulled a report that had every user's card number in it, someone [at ALM] should have gotten an alert that it happened," Troia explained.
"The grey part would be if it was the [ALM] employee's responsibility to review that report and respond, or was it the card processor's responsibility? Truthfully it is a bit of both, but I am sure that the card processor will be able to say they have no knowledge of [ALM’s] business practices, and wouldn’t know which reports were standard course of business and which were suspicious, so that will likely land on [ALM]."
A self-assessment form completed by ALM’s vice president and general counsel, Avi Weisman, noted that compliance issues were a concern of his. The assessment document was leaked by Impact Team last week.
In the form, when asked to describe the areas where failure to perform would hurt the most, Weisman said:
"Voids in understanding compliance and regulatory legal requirements in countries we operate in or are going to operate in. Anytime we have an issue with a regulator/government/legal or administrative body takes time, lobbying, resources, expertise, cost, etc..."
The follow-up question spoke to areas where he'd hate to see something go wrong, to which Weisman listed service availability issues, such as hacking or operational issues, as a concern, but also singled out "legal mishaps where we need to involve regulators, law enforcement, etc..."
Weisman also listed ongoing litigation as a concern, in the event he was removed from the world with no access to the company for three months. His concern is justified, as ALM is facing a $578 million class-action lawsuit due to the data breach.