Ashleymadison.com, the website known for its tagline, "Life is Short. Have an Affair," has 37 million users sweating bullets since hackers made off with the company's entire database. The hackers have started releasing names from the database, and plan to release more if Ashley Madison and its partner site Established Men aren't shut down. It looks like lots of people are suddenly in the middle of a very embarrassing situation.
User data from affair site Ashley Madison was stolen. So that's awkward.
Ashley Madison is a website and service that connects people in relationships who want to have an affair. Avid Life Media (ALM), the parent company for Ashely Madison, Established Men, and Cougar Life, confirmed the data breach and said it is hard at work tracking down suspects and keeping its customer data offline.
The data was stolen by The Impact Team—an individual or group that clearly has a bone to pick with ALM's properties. The Impact Team said Ashley Madison's US$19 service to completely delete customer profiles and all related information is a scam, and that it will continue to leak names until the site, along with Established Men, are shut down.
The Impact Team said,
Full Delete netted ALM $1.7mm in revenue in 2014. It's also a complete lie. Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.
Subscriber names aren't the only bits of data The Impact Team plans to release. Addresses, sexual fantasies, credit card transactions, and more are all on the table.
ALM CEO Noel Biderman said the data breach was most likely from someone who at one point had legitimate access to the company's data. "We're on the doorstep of [confirming] who we believe is the culprit, and unfortunately that may have triggered this mass publication," he told Krebs on Security.
While Ashley Madison's customers aren't likely going to get much sympathy should their names and sexual fantasies get splashed on the Internet, it isn't our place to judge. Some people are no doubt using the site to carry on deceitful relationships, but others may be in open relationships where their partners know about the extra partners. In both cases, posting names takes a very private matter and makes it public, and inappropriately exposes people to ridicule and social judgement.
In other words, The Impact Team is essentially blackmailing ALM and its customers.
The big question is whether or not ALM really is retaining customer data after charging them $19 to delete it. The Impact Team says they are, and if true, that's a serious problem. At best, it's misleading.
ALM denied the allegation stating, "Contrary to current media reports, and based on accusations posted online by a cyber criminal, the 'paid-delete' option offered by AshleyMadison.com does in fact remove all information related to a member's profile and communications activity."
The company said it "hard-deletes" user's profiles, photos, and messages sent to other users of its service. As of now, the $19 fee has been removed so all subscribers can use the full delete feature for free.
Regardless of why The Impact Team decided to steal the data and use it in an attempt to shut down ALM properties, there are big questions as to how they managed the theft. Mr. Biderman said they know the person responsible for the breach was not an employee, but someone who had "touched our technical services."
In the end, it doesn't matter why The Impact Team wants to shut down Ashley Madison and Established Men. What does matter is that they were able to get records for 37 million people, and no matter how many take down notices ALM issues to websites, that database is no longer in their control. A lot of people are now facing the prospect of their personal lives becoming very public.
The irony is that, in the end, a site with a reputation for users who can't be trusted in relationships may have just lost the trust of those same people.