'Nobody was watching,' say Ashley Madison hackers
Cyber criminals who stole a trove of sensitive data from AshleyMadison.com said "nobody was watching" as they scoured the infidelity Web site and vowed to release more e-mails from its executives, technology Web site Motherboard reported on Friday.
The tech site said it was given a contact e-mail address for the hackers, who call themselves the Impact Team, by an intermediary. The hackers replied with a message signed with the same signature and fingerprint, known as a PGP key, posted with the Ashley Madison data releases this week, Motherboard said.
"We were in Avid Life Media a long time to understand and get everything," the Motherboard quoted the hackers as saying. "Nobody was watching. No security."
David Kennedy, founder and security consultant at TrustedSec, said the latest download, which was released with the warning "Time's Up!", appears to be authentic.
"We have explained the fraud, deceit and stupidity of ALM [Avid Life Media] and their members. Now everyone gets to see their data," the hackers said in a statement.
Impact Team had threatened to publish names, nude photos and sexual fantasies of customers unless Ashley Madison and Established Men, another site owned by Avid Life Media, were taken down. Representatives of Avid Life Media could not immediately be reached for comment.
Cyber security experts said data dumps on Tuesday and Thursday by the group appeared to be genuine. Tuesday's release had customer information that included US government officials, British civil servants and high-level executives at European and North American corporations.
Motherboard reported that in its exchange with the hackers, they said they had 300GB of employee e-mails and internal documents, "tens of thousands of Ashley Madison users' pictures" and user chat messages from the site. On Tuesday, hackers released 10GB of data.
Cyber security experts have said they expect more staged releases of sensitive information.
Keep it to yourself
Larry Flynt, a defender of free speech and sexual freedom, has this advice for anyone worried by the hack of infidelity site Ashley Madison: muzzle yourself.
"Don't do or say anything you wouldn't want to read about on the front page of the New York Times," said the founder of Hustler magazine and owner of businesses that sell sexually explicit videos online.
It might be too late for many people who, lured by a supposed cloak of digital anonymity, have shared their innermost wishes, fetishes and fantasies on hook-up and porn sites. And those companies know their digital troves of secrets are exactly what make them a target for emboldened hackers.
In exposing the Ashley Madison accounts of as many as 37 million users, hackers released a cache of potentially embarrassing and damaging data. The dump contained e-mail addresses for US government officials, UK civil servants, and workers at European and North American corporations, taking already deep-seated fears about Internet security and data protection to a new level.
"This represents a scary precedent" because of the scope and depth of intrusion into people's private lives, said Ajay Sood, Canada general manager at cyber security company FireEye/Mandiant. "Ashley Madison wasn't the first, but it's the one."
The data dump made good on the hackers' threat last month to leak customers' nude photos, sexual fantasies, names and credit card information from the Canadian Web site with the slogan, "Life is short. Have an affair."
The hackers, who have not been identified, appear to bear a grudge against the company and want to undermine it by exposing users to public scrutiny.
The prospect of attacks by non-financially driven hackers pursuing publicity, blackmail or moral judgments sends shivers through the online dating and sex industry.
Reports that blackmailers armed with the data dump are contacting Ashley Madison members for extortion will reinforce concerns. For the online adult entertainment segment, which accounts for more than 10% of Internet traffic, the trend is particularly worrisome.
"I don't know anyone that's prepared for something like this," said Joanna Angel, a famous punk porn entrepreneur who owns and sells adult films on the Web site Burning Angel.
'Trade in secrets'
The online sex industry has long been aware it is more vulnerable to a cyber attack than most companies because some people find it offensive. It also thrives on ensuring privacy.
As a result, it has toughened up its defences over the years, as global retailers and health insurers have fallen victim to hackers. The problem is, security experts say, there is very little else they can do to keep hackers out.
"There are always extra layers of security," said Diane Duke, chief executive officer of the Free Speech Coalition, the trade association for the adult entertainment industry. "However, you build a widget; someone breaks it."
Angel, 34, who has starred in and directed hundreds of films, believes she has robust security on her site, but worries it may not be enough to ward off ever-more sophisticated hackers.
She hired outside experts to run her online security after hackers shut her site down for five days, costing her money and, temporarily, customers.
Angel said the Ashley Madison affair and release of people's names might curb customers' willingness to disclose personal information, although she had not seen any evidence of this.
"It could end up affecting a company like mine," she said. "It will make people more paranoid."
The Ashley Madison hack is the second high-profile attack on a no-strings-attached solicitation site this year. In March, Adult FriendFinder was the victim of a massive data breach, with hackers publishing details of four million subscribers on the Web.
Adult sites, among the first Internet companies to accept credit card payment, tend to have robust security to combat fraud. But their systems for securing non-financial client data are not as strong, cyber experts said.
One large cyber security provider has seen an uptick in business from companies that "trade in the secrets" of clients, an executive said.
"It's hard for these types of companies to see what's going on and not want to take a closer look at their security," said the executive, who was not authorised to publicly discuss client enquiries.
Many have already hired top-class security talent to keep tabs on their Web sites, said Mikko Hypponen, chief research officer at Finland-based cyber security company F-Secure.
And users are probably getting wiser about using work e-mail addresses, posting risqué photos or divulging potentially embarrassing information on dating sites, he added.
Flynt, who fought in the courts for freedom of speech, said anyone surprised at the invasion of people's privacy is naive.
"Privacy no longer exists," he said, "and it hasn't for some time."