Billing itself as a dating site specifically for people in relationships who wish to have an affair, Ashley Madison was recently breached by an entity calling itself The Impact Team. A GitLab user of the same name reportedly released a partial database dump containing members' personal information, including email and physical addresses and real names, though the dump was no longer accessible as of July 21st. In a message left on the site and since removed, the breacher claims to have "taken over all systems in [Avid Life Media (Ashley Madison's parent company)'s] entire office and production domains, all customer information databases, source code repositories, financial records, emails." The message lambasted ALM for charging its users a $19 fee to delete their account data while keeping their credit card purchase details, including names and addresses, on file, and threatened to release a complete database dump unless the company "shuts down" Ashley Madison and Established Men, another site it "owns".
Security researcher Brian Krebs broke the story, perhaps unwittingly kicking off a mainstream media circus which has focused on the subject of the site, stirring up a virtual lynch mob of supporters of the hack who praise the idea of "cheaters" being "punished" yet fall short of appreciating the exposure of ALM's bizarre claims, supported by nonexistent security. Coverage has similarly, and perhaps unsurprisingly, failed to take note of the attack's possible connection to Mircea Popescu's February release of Fetlife user data, which exposed similarly bizarre claims supported by equally nonexistent security put forth by BitLove LLC's Fetlife dating site. Sadly, Krebs, an otherwise respected name in his field, has acted more like a Gawkerite than a researcher. Regurgitating his story, a glut of journalists-in-their-own-minds, who find themselves incapable of a basic understanding of the events they propose to cover, have uniformly pointed to the March breach of AdultFriendFinder as a foreboding precedent. Notably, that breacher demanded a large ransom in United States dollars, making any connection to the release of Fetlife or Ashley Madison user data coincidental at best.
Managing somehow to surpass the ignorance of his site's users and the nonjournalists who seek their approval is ALM's Chief Executive Noel Biderman. In a statement released July 20th, Biderman described the breacher as a "cyber-terrorist" and waxed vaguely about the "stringent security measures" he had in place, claiming that he had "invested in the latest privacy and security technologies," though no specific measures or technologies were referenced. Biderman further protested that his company worked with "leading IT vendors from around the world," an unqualified sentiment echoed by Joel Eriksson of Cycura, apparently hired by Biderman as a "security expert". Eriksson established his security PR prowess by adding to the statement, "I have worked with leading companies around the world to secure their businesses. I have no doubt, based on the work I and my company are doing, Avid Life Media will continue to be a strong, secure business."
These vague assurances aside, the incompetence of Biderman, along with ALM's CTO Trevor Stokes, was at least in part established by "Microsoft MVP" Troy Hunt, who noted Monday that Ashley Madison returns distinct forgotten password pages depending on whether an entered email address corresponds to an Ashley Madison user profile. The presence of an account enumeration vulnerability, still present after ALM supposedly recovered access to their site and removed The Impact Team's message, and after Biderman's and Eriksson's insistence on their commitment to security, suggests that ALM lacks the ability and resources to provide their users with anything other than catchphrases. It remains to be seen if Biderman will gesticulate forward with previously announced plans to attempt a $200 million initial public offering in London later this year, and whether any appetite for his catchphrases will persist.
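The flaw Hunt described is easier to see in code. The following is an added illustration, not Ashley Madison's or ALM's code: a minimal forgotten-password handler in the leaky form (a different page for registered and unregistered addresses) beside a hardened form that answers identically either way, plus a small self-check a site owner can run against a handler. The user table and addresses are constructed placeholders.

```python
# Added example: account enumeration through a forgotten-password form.
# Constructed sample user table; addresses are placeholders, not real data.
REGISTERED = {"alice@example.com", "bob@example.com"}

GENERIC_BODY = "If that address is registered, reset instructions have been sent."


def forgot_password_vulnerable(email: str) -> dict:
    """Distinct status and page per outcome: the response itself reveals
    whether an account exists for the address, which is the enumeration bug."""
    if email in REGISTERED:
        return {"status": 200, "body": "Thank you. Reset instructions sent to " + email}
    return {"status": 404, "body": "Email not found"}


def forgot_password_hardened(email: str, send_reset=lambda e: None) -> dict:
    """Same status and same body whether or not the address is registered.
    The reset mail (if any) is handed to an out-of-band sender, so the only
    party who learns the outcome is whoever controls the mailbox. A real
    deployment should also queue the send so response latency does not
    differ between the two branches, and rate-limit the endpoint."""
    if email in REGISTERED:
        send_reset(email)
    return {"status": 200, "body": GENERIC_BODY}


def leaks_account_existence(handler, known: str, unknown: str) -> bool:
    """Defender-side check: submit one address known to be registered and
    one known not to be; any difference in the response is an oracle."""
    return handler(known) != handler(unknown)


if __name__ == "__main__":
    for name, h in (("vulnerable", forgot_password_vulnerable),
                    ("hardened", forgot_password_hardened)):
        print(name, "leaks:", leaks_account_existence(h, "alice@example.com", "nobody@example.com"))
```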