ID Thieves, Blackmailers Have Lots To Gain In Ashley Madison Breach

Breach highlights need for greater anonymity controls in identity and payment mechanisms.

Unlike the perpetrators of the Sony and Hacking Team doxing attacks, who published their stolen data on Pastebin, the attackers who compromised the online hook-up site Ashley Madison dumped the data on the dark web, on a site reachable only through the Tor anonymity network. The dark web is somewhere the average Internet user never goes, but a great deal of criminal activity takes place there, from child exploitation to murder for hire.

Could this mean that the Ashley Madison attackers were deliberately trying to put the stolen data in the hands of people who would use it for blackmail? Robert Hansen, VP of WhiteHat Labs at WhiteHat Security, doesn't think so.

"The hackers don't seem to be interested in blackmailing individuals," says Hansen. "It's more likely they just wanted to do everything over Tor."

Regardless of the attackers' intentions, Trustify, an online private eye service, has indexed the email database and created a site where people can plug in an email address and check whether or not it was among those leaked.

According to Hansen, the data dump includes 28 million unique email addresses. The lion's share use webmail providers; topping the list are Gmail (8.77 million addresses), Yahoo (6.62 million), and Hotmail (6.24 million). However, Hansen also found 13,000 .mil and .gov addresses, as well as a variety of corporate domains, including sizeable clusters from Microsoft, Apple, Cisco, Bank of America, and BP.

"I have found a bunch of fake entries in here, so all of this data should be taken with a grain of salt," says Hansen. "It doesn't appear that they normalized or even checked to make sure the emails were valid before storing them in this database. So, Barack Obama is in here under a dozen different emails as an example, as are a lot of others that are clearly incorrect.

"Even the allegations could ruin people's lives and careers," he says. "This is just a great example of how personal data becomes a liability for companies unless they can guarantee safeguards."
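The two checks Hansen says the site never ran, normalizing addresses and validating them before storing them, are also the first thing an analyst does before trusting counts from a dump like this one. The Python below is an added example and is not Hansen's, Trustify's or Ashley Madison's code. The address list in it is constructed, not real leaked data, and the rule for flagging a handle that appears at three or more domains is an assumed heuristic, not something the article states.

```python
import re
from collections import Counter, defaultdict

# Constructed sample dump (not real leaked data): mixed case, stray whitespace,
# exact duplicates, syntactically invalid lines, and one handle reused across
# several webmail domains, mirroring the unnormalized list Hansen describes.
SAMPLE_DUMP = """\
alice@gmail.com
Alice@Gmail.com
 bob@yahoo.com
bob@yahoo.com
carol@hotmail.com
dave@contoso.com
DAVE@contoso.com
celebrity@gmail.com
celebrity@yahoo.com
celebrity@hotmail.com
not-an-email
eve@
@example.mil
frank@mail.mil
grace@state.gov
"""

# Deliberately simple syntax check: enough to reject junk, not full RFC 5322.
EMAIL_RE = re.compile(r"^[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}$")


def normalize(raw):
    """Trim and lower-case one line; return None when it is not a plausible address."""
    addr = raw.strip().lower()
    return addr if EMAIL_RE.match(addr) else None


def analyze(dump_text, reuse_threshold=3):
    """Normalize a newline-separated address list and summarize it.

    Returns the unique address count, per-domain and per-TLD tallies over the
    unique addresses, the rejected raw lines, how many raw entries collapsed as
    duplicates, and local parts seen at >= reuse_threshold distinct domains
    (an assumed, cheap signal for made-up entries of the kind Hansen found).
    """
    invalid = []
    unique = set()
    valid_raw = 0
    for line in dump_text.splitlines():
        if not line.strip():
            continue
        addr = normalize(line)
        if addr is None:
            invalid.append(line)
            continue
        valid_raw += 1
        unique.add(addr)

    domains = Counter(a.rsplit("@", 1)[1] for a in unique)
    # Counter.elements() repeats each domain once per address, so the TLD
    # tally counts addresses, not distinct domains.
    tlds = Counter(d.rsplit(".", 1)[1] for d in domains.elements())

    domains_by_local = defaultdict(set)
    for a in unique:
        local, domain = a.rsplit("@", 1)
        domains_by_local[local].add(domain)
    reused = {l: sorted(ds) for l, ds in domains_by_local.items()
              if len(ds) >= reuse_threshold}

    return {
        "unique": len(unique),
        "duplicates_collapsed": valid_raw - len(unique),
        "invalid": invalid,
        "by_domain": domains,
        "by_tld": tlds,
        "reused_local_parts": reused,
    }


if __name__ == "__main__":
    r = analyze(SAMPLE_DUMP)
    print(r["unique"], "unique addresses;", r["duplicates_collapsed"],
          "duplicates collapsed;", len(r["invalid"]), "lines rejected")
    for domain, n in r["by_domain"].most_common():
        print(f"  {domain:12} {n}")
    print("gov/mil addresses:",
          sum(n for t, n in r["by_tld"].items() if t in ("gov", "mil")))
    print("handles reused across domains:", r["reused_local_parts"])
```

Run against the 15-line sample, this collapses three duplicates, rejects three unparseable lines, and flags the one handle registered at three different webmail providers. Per-domain counts such as the .mil and .gov figures above are only meaningful after this kind of pass; before it, the same person can be counted several times and junk strings inflate the totals.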

"This does open the door for blackmail," says Stephen Coty, chief evangelist at Alert Logic. "The fact that some companies have made [the stolen data] searchable to drive traffic to their websites just means that it will take the wind out of blackmail. If your spouse or significant other can easily search for this data on one of the many sites, then the effect of blackmail really isn’t an issue because they already know you were a member.

"Now there is the issue," says Coty, "of all the profile data and credit card transactions, which would reveal the actual content and desires from their profile, and the charges that were made to a credit card that maybe the significant other was not aware of; those might still be used. Just because you had an email address on the site does not mean that you participated, but the profile and credit card transactions might show otherwise."

“Undoubtedly, many of the emails and domains now published to the Dark Web are fake, but site users can’t run from the credit card information," says Jason Polancich, founder and chief architect of SurfWatch Labs. "The Ashley Madison site required it and, like everyone else, ties it directly to the individual user. This is a good reminder – the web is not anonymous. Credit card payments are not anonymous and this is a big flaw that banks are dealing with now. Attacks such as these will likely be a boost for Bitcoin and others like it. Times are changing and credit card privacy issues need to be solved. And I guarantee that won’t be accomplished with just Chip-and-PIN."

The attackers stuck Avid Life Media (ALM), the site's parent company, between a rock and a hard place: it could either shut the site down voluntarily or continue business as usual, wait for the attackers to leak the database, and see whether that killed the business.

"The Ashley Madison breach paints a clear picture of how a single breach can be the death of a company," says Carl Herberger, VP of security solutions at Radware. "If this isn't a very loud wakeup call for any company with a business model that relies on user data and e-commerce, then I would struggle to figure out what is. Online businesses cannot successfully exist without the highest security precautions and protocols and keen prowess at operational secure discretion. A hack of this magnitude can happen to any organization, and it's time for the enterprise to assume that it will, and make the necessary plans to navigate through that eventuality and come to terms with all of the key steps required to avoid it."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

User Rank: Ninja
8/20/2015 | 7:28:40 AM
Hard to imagine
I find it hard to believe that many people will use Ashley Madison after this. While the site may continue to operate afterwards, who is going to use a service that demands secrecy but cannot protect user data? It's good that passwords were encrypted, but the fact that so much data is in the open and the fact that ALM didn't delete data after people paid for that to happen... I don't see it bouncing back.
User Rank: Apprentice
8/20/2015 | 10:42:48 AM
Cybersecurity and the Intelligence Community
Grace and Peace;

My name is Michael, I am a researcher of IT. I hold a Bachelor's of Science with a Specialization in Visual Communications... Please, do not be alarmed at my presenting my credentials; it's that I have really no other life outside of maybe, like you too, trying to solve pressing issues that affect America. You do write quite well and have the appearance of some knowledge that could change the tide for the crooks.

I am with you. I am currently writing a report on Cybersecurity, the Intelligence community, and You: report two. As well, I would like you to know from me that no matter what you do or run across - do not give up. We are in this together. I really needed to read your article... Your article! Thank you! And keep the pace rigorous as we have been taught!


There is no time like the present,

M. Carter BS IT/Visual Communications
User Rank: Ninja
8/20/2015 | 2:41:30 PM
Re: Hard to imagine
I agree, but one thing I was not aware of on this site is that not all the users on Ashley Madison are the unfaithful type. Some are just singles looking to find other singles with similar fetishes. However, not being a user of the site the data I am going off of is referenced here:


This fact alone may save them.
User Rank: Strategist
8/20/2015 | 5:54:12 PM
Re: Hard to imagine
Avid Life Media's website home page has a tagline "Learn more about Noel Biderman." According to an Ars Technica article today, we may indeed learn more about the parent company's CEO - as some 19GB of his emails have now been dumped as well.

It looks like the Sony breach opened some eyes as to what is possible nowadays, and it looks like it will become more common to lie low and collect all that you can for a while. Instead of just hack-n-grab like what was common before. 

In the era of Big Data, perhaps storing credit card numbers, all manner of personal details repurposed as security questions, and emails in perpetuity isn't all it's cooked up to be - anymore.

Would be interesting to cross this db with the OPM db?

The only way AM comes back from this - is as a voyeur site <grin>.
User Rank: Ninja
8/21/2015 | 3:58:30 PM
Re: Hard to imagine
What I find hard to believe is that anyone can be blackmailed with information that is already in the public domain.