The online cheating site AshleyMadison.com, which has nearly 37 million users and encourages committed spouses to "have an affair," has been hacked.
Brian Krebs, of the cybersecurity blog Krebs on Security, first reported the breach last week and said that large caches of user databases and financial records belonging to the website's parent company, Avid Life Media, were compromised. ALM also owns the hookup sites Cougar Life and Established Men, according to Krebs on Security.
Image source: AshleyMadison.com
“We’re not denying this happened. Like us or not, this is still a criminal act."ALM CEO Noel Biderman said, adding that the company is "working diligently and feverishly” to remove information from its websites.
The individual or group responsible for releasing the private information wrote in an online manifesto next to the stolen data that it did so in response to the alleged lies ALM told its users – that they can pay $19 and have their information completely erased from their profiles.
The "full delete" feature reportedly promised users “removal of site usage history and personally identifiable information from the site." But the hackers claim that just isn't true, and that personally identifiable information such as names and addresses aren't really taken down, despite ALM raking in nearly $2 million from "full delete" fees just last year.
“Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails. The other websites may stay online," read the hacker or hackers' threats.
Additionally, the individual or group threatened that it would keep releasing more user information for each day the websites remained online. In a statement released the same day the hack was first reported by Krebs on Security, the company said that it had secured its websites and closed any "unauthorized" access points.
"We are working with law enforcement agencies, which are investigating this criminal act. Any and all parties responsible for this act of cyberterrorism will be held responsible," the statement read. “Avid Life Media has the utmost confidence in its business, and with the support of leading experts in IT security...we will continue to be a leader in the services we provide."
Biderman said he suspects that whoever is responsible once had legitimate access to the company's networks, either as a former employee or contractor.
Without giving any more specifics, he added, “I’ve got their profile right in front of me, all their work credentials. It was definitely a person here that was not an employee but certainly had touched our technical services.”
As Krebs noted, the online manifesto appears to support that theory, since whoever stole the information was apparently familiar with one of the company's top officers, the director of security.
"Our one apology is to Mark Steele. You did everything you could, but nothing you could have done could have stopped this," the message reads.
The breach occurred less than three months after more than 3.5 million users' personal information was stolen from the website Adult Friend Finder. While Adult Friend Finder isn't intended solely to facilitate communications for spouses seeking to have extramarital affairs, the stolen data could indicate which users are married and which ones aren't, Gizmodo reported.
(H/T: Krebs on Security)
Follow Jon Street (@JonStreet) on Twitter