Ashley Madison Data Dump Has Users Reeling

Time might have finally run out for Avid Life Media and the members of infidelity site Ashley Madison after a huge data dump of personal information amounting to nearly 10GB was posted on the Dark Web and various torrent sites.

The data dump is preceded by a brief message which claims the site is actually filled with thousands of fake female profiles, and the headline: “Time’s Up.” Included in the files are apparently names, addresses and phone numbers linked to member profiles along with credit card and transaction info.

Founding CTO Raja Bhatia, currently consulting at Avid Life Media, told Brian Krebs that his team has trawled through 100GB of fake data dumps since the hack was announced 30 days ago.

He added that the current leak could not be real because ALM never stored credit card information.

“We use transaction IDs, just like every other PCI compliant merchant processor,” he told Krebs. “If there is full credit card data in a dump, it’s not from us, because we don’t even have that.”

However, three vouched sources who spoke to the independent security researcher all found their card and personal info in the new data leak. The card data apparently came in the form of the last four digits of the long number.

“I’m sure there are millions of Ashley Madison users who wish it weren’t so, but there is every indication this dump is the real deal,” he said.

Experts were quick to denounce the hackers and hold the case up as a cautionary tale for firms dealing in sensitive user information.

Keith Poyser, EMEA general manager at Accellion, argued that prevention always makes better business sense.

“Most importantly, cyber security must become part of any business culture and it must touch every segment of the work that a business does. Many businesses have solid network layer defences, asset layer management and protection, and personnel education on security,” he added.

“Yet, many more still use non-secured, public cloud services or leave their content with inadequate protection. Content is the new battleground. Cybercrime will only become more sophisticated and while web users will never feel completely safe, the onus is on the gatekeepers of their data to do everything in their power to keep it under lock and key.”

Webroot director, George Anderson, claimed the leak would result in “divorces, firings and blackmail.”

“There are no moral judgments on this except the immorality of hackers. So the ‘what now?’ is pretty nasty and the site users will probably be considering a class action for negligence,” he added.

“All companies, especially those dealing with proprietary information or customer data, must balance their security resources against their risk tolerance, and look at threat intelligence solutions that provide them with the greatest scope of protection.”

However, there was a word of caution from security consultant Graham Cluley, who argued that many of the men named in the database may not actually have been cheating on their partners.

“You might have joined the site years before when you were single and be shocked that they still have your details in their database, or you might have joined the site out of curiosity or for a laugh... never seriously planning to take things any further,” he explained in a blog post.

“But more importantly than all of that, if your email address is in the Ashley Madison database it means nothing. The owner of that email address may never have even visited the Ashley Madison site … Ashley Madison *never* bothered to verify the email addresses given to it by users.”
