Customer data from Ashley Madison, the popular dating site used by those seeking extramarital affairs, has been the target of a huge hack over the weekend.
The hacking group "The Impact Team" have claimed responsibility for the hack and have already started posting users' personal data online, potentially revealing damaging information about up to 37 million users of the site.
The hack was first reported by KrebsOnSecurity, and the group responsible claim to have breached the databases of Avid Life Media (ALM), the company that owns Ashley Madison.
Alongside the leaked personal information, "The Impact Team" have posted a manifesto. In it, the hacking group said that they decided to publish the confidential material in response to alleged lies ALM told its customers about a $19 fee for destroying their profiles completely.
The manifesto read:
"Full Delete netted ALM $1.7 million in revenue in 2014. It’s also a complete lie. Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed."
The manifesto also went on to say:
Trevor, ALM's CTO, once said "Protection of personal information" was his biggest "critical success factors" and "I would hate to see our systems hacked and/or the leak of personal information."
For a company that was, for obvious reasons, obsessed with the security of its site, this has come as a major blow, especially since the company had voiced plans for an initial public offering in London later this year, in the hope of raising $200 million.
The security breach has been strongly suspected of being an inside job. ALM CEO Biderman has stated that "it was definitely a person here that was not an employee but certainly had touched our technical services."
Biderman also suggested that one of the reasons that the mass publication of data went ahead was because they are "on the doorstep of [confirming] who we believe is the culprit". One piece of evidence that supports this theory is a section of the manifesto that sends an apology to the Director of Security Mark Steele that states "you did everything you could, but nothing you could have done could have stopped this."
The investigation is still ongoing and is described as fast-moving, and Biderman has declined to discuss the specifics of the company's investigation. This of course will be little help to the significant number of people who are about to have a very bad day.
Chris Boyd, Malware Intelligence Analyst at Malwarebytes, has commented: "Sites like Ashley Madison are treasure troves of very private information, for those willing to invest the time and effort required to compromise them.
"In an age where people should be keeping their secrets as close to their chest as possible, it may not be the best decision to use websites and services which effectively shout 'potential embarrassing information lies within' from the rooftops.
"With so many ways to exploit this data dump, from blackmail to trolling, it was always going to be a potential disaster waiting to happen - and with up to 37m people facing their information being laid bare, it's going to be quite a nervous start to the week for many."
UPDATE: ALM have further issued this statement:
"Following the earlier unprovoked and criminal intrusion into our system, Avid Life Media immediately engaged one of the world’s top IT security teams to take every possible step toward mitigating the attack.
"Using the Digital Millennium Copyright Act (DMCA), our team has now successfully removed all posts related to this incident as well as all Personally Identifiable Information (PII) about our users published online. We have always had the confidentiality of our customers’ information foremost in our minds and are pleased that the provisions included in the DMCA have been effective in addressing this matter.
"Our team of forensics experts and security professionals, in addition to law enforcement, are continuing to investigate this incident and we will continue to provide updates as they become available."