Ashley Madison data breach leads to $11.2m settlement

17/07/2017:The parent company of extramarital dating site Ashley Madison committed to pay $11.2 million to 37 million former site users on Friday, who are suing it after a hack leaked their personal details in a data breach in July 2015.

Ruby Corp, which was previously known as Avid Life Media, denied any wrongdoing as part of the settlement, according to CNBC.

The leak reportedly led to people committing suicide, as well as leaving those whose details were exposed open to blackmail.

Hacking group The Impact Team released thepersonal information of 37 million of the website's usersafter Avid Life Media ignored its demand for it to take down Ashley Madison and similar sites it owned.

At the time, The Impact Team said: "Avid Life Media has failed to take down Ashley Madison and Established Men. We have explained the fraud, deceit, and stupidity of ALM and their members. Now everyone gets to see their data."

Ruby Corp was forced to spend millions improving its security and privacy measures, and the breach reportedly cost Ruby Corp more than a quarter of its revenue.

Victims can be awarded up to $3,500 depending on how well they can prove that any losses they experienced were linked to the breach, CNBC reported, addingthat lawyers for Ashley Madison may receive up to one-third of the $11.2 million pay out to cover legal fees.

Ruby Corp has told IT Pro that it will not be providing a comment as the court case is still ongoing.

05/07/2016: Ashley Madison's parent company is being investigated by the US Federal Trade Commission, after last year's catastrophic hack revealed that the company used chatbots and fake profiles to entice customers.

Avid Life Media yesterday revealed the appointments of CEO Rob Segal and President James Millership, who confirmed that the extramarital dating site has five male users for every one female in an interview with Reuters.

The gender imbalance was first revealed during a massive cyber attack in August 2015, which leaked the personal data of up to 37 million prospective cheaters online.

An Ernst and Young report commissioned by ALM itself confirmed that the company was using AI chatbots, who posed as available women to keep male members engaged with the site.

The practice had been discontinued worldwide by late 2015, but Segal confirmed that the issue is "part of the ongoing process" and is "with the FTC right now".

Although ALM told Reuters that it does not know the specific subject of the investigation, similar practices earned another dating site a fine of over $616 million from the FTC in 2014.

Segal also revealed that the company still has no idea who carried out the attack or how they did it. However, Robert Masse, who leads the Deloitte experts hired to shore up the company's security in the wake of the attack, told Reuters that his team found "simple backdoors" into the company's servers.

In addition to investing in increased security, the company is also looking to patch up its shattered reputation by pivoting away from infidelity and illicit affairs, with Segal adding that "the Ashley Madison brand can be repositioned".

05/02/2016:Cheater's dating website Ashley Madison has countered privacy concerns by allowing users to mask their profile pictures.

The company was hit by a catastrophic hack last summer, when intruders released the personal information of 37 million of its adulterous clients.

It has now taken new steps to prevent users of the site from being identified. "We respect your need for discretion," the site says, "so we've added some tools to keep your identity a secret".

Users can add a Zorro-style 'domino' mask in either black or brown, or blur out the photo. They can also add a black bar over the eyes to redact their identity.

The new feature has attracted criticism on social media, where some have noted that it makes users look like criminals.

It's also baffling on a number of levels. Not only does obscuring your identity complete defeat the purpose of adding a facial profile picture in the first place, it also does nothing to address the more pressing concern that the site may be hacked again.

Parent company Avid Life Media has yet to announce any further security improvements since hackers ran rampant on its network, which may continue to worry users.

30/12/2015: Ashley Madison has revealed that its subscriber numbers are up significantly, despite reports many of its users have been blackmailed by the hackers that leaked member details.

Recent figures displayed on the website reveal 43.4m people are now members of the site, up from 37m when the dating site was first hacked in August. The achievement is surprising, considering information about up to 32m users were circulated around the internet at the time.

However, a spokesperson for Avid Life Media, the parent company of the site that encourages adultery, refused to comment on why it thinks user numbers have increased and it would not be making any further comment in future.

Whether the numbers reflected on the homepage of the website are real cannot be proven, although the company did say at the time of the attack that its user numbers hadn't been affected and actually, the ration of men to women had not changed as a result of details being leaked.

Earlier in December, it was revealed Ashley Madison users had been receiving blackmail threats in the post.

15/12/2015: According to IT security expert Graham Cluley, readers of his bloghave received letters in the post demanding money to prevent their details on the hacked website being exposed to others.

"I just received a physical postal letter to my house asking for $4167 USD or exposed my AM account to people close to me. is your advice the same as in your vid about email blackmail?" said the reader.

Cluley said, in this case, it was very likely that the blackmailers were "trying their luck, hoping that a small percentage of those targeted will pay up."

Cluley added that he couldn't see what the blackmailers have to gain from going through with their threats.

"Because, if they tell people close to you then they are ruining any chances that you willeverpay up. Think of it from their point of view. It's a dumb business model.

"In fact, the only scenario I can imagine that might make sense for the blackmailer to go through with their threats is if they are specifically targeting you and aren't being primarily incentivised by the money, but a personal issue with you instead. In which case paying the money may not help anyway," said Cluley.

He said that any victims should report the matter to the authorities and request discretion.

"If the police are to successfully build a case against someone they will be looking for evidence like this."

14/09/2015:Amazon Web Services (AWS) and GoDaddy are no longer defendants in an Ashley Madison lawsuit attempting to force websites to delete information about users of the infidelity dating site.

The complaint from three anonymous plaintiffs, all termed John Does, from California, New Jersey, and Maryland,has been issued against 20 unnamed defendants, all called John Roe numbers 1-20, who offer access to customer details contained in last month's leak, which put the details of 33 million Ashley Madison users on the dark web.

However, both AWS and GoDaddy are no longer listed alongside the 20 John Roes after being dismissed without prejudice last week, according to The Register.

The lawsuit will continue to attempt to force the remaining 20 defendants who the prosecution cannot identify to delete the details of the three Ashley Madison users who are plaintiffs in the case.

They "have been gravely affected by the stolen data and are now subject to threats and extortion", claims the complaint.

Prosecutors have applied for a Temporary Restraining Order (TRO) against these 20 defendants' websites, which the complaint claims is justified by the plaintiffs' probably chances of success.

However, one of the sites allegedly belonging to the defendants, adulterysearch.com, released a statement in response to the lawsuit.

It read: "It has come to our attention that the anonymous plaintiffs in the Arizona lawsuitare seeking a temporary restraining order to shut down this website and others, citing "ongoing exposure to irreparable injury"if their information is made available to those who wish to see it.

"The legal arguments in the application for the TRO are weak (for example, theplaintiffs have not demonstrated success on the merits for a variety of reasons). Nonetheless, if the plaintiffsidentify themselves to us, we will remove their information from the database we use. This will negateany alleged "ongoing" harmpending the resolution of the litigation, which we are confident will be in our favor."

01/09/2015:Hundreds of thousands of people joined infidelity dating site Ashley Madison last week, its owner has claimed, despite hackers spilling the details of 33 million users online.

The overall unspecified figure included 87,596 women, parent company Avid Life Media said in a blog post, writing: "Despite having our business and customers attacked, we are growing".

Women users of the site sent 2.8 million messages last week, ALM added, in a blog entrysuggesting the business is garnering interest in spite of a controversial hack which led to suicides and lawsuits against the company.

It read: "Furthermore, in the first half of this year the ratio of male members who paid to communicate with women on our service versus the number of female members who actively used their account (female members are not required to pay to communicate with men on Ashley Madison)was 1.2 to 1."

28/08/2015: Ashley Madison CEO Noel Biderman has left the company after 33 million customer details were hacked and posted online.

A statement released by the infidelity dating site's owner, Avid Life Media (ALM), said the decision was mutual, adding: "This change isin the best interest of the company and allows us to continue to provide support to our members and dedicated employees. We are steadfast in our commitment to ourcustomer base."

The leaked information has resulted in suicides and lawsuits against ALM as the fallout from July's cyber attack continues.

With ALM offering a 240,000 reward for information on the hackers belonging to Impact Group, which claims to be behind the data leak, the company reiterated its intention to catch those responsible.

"We are actively adjusting to the attack on our business and members' privacy by criminals. We will continue to provide access to our unique platforms for our worldwide members," the statement read.

"We are actively cooperating with international law enforcement in an effort to bring those responsible for the theft of proprietary member and business information to justice."

The existing management team of ALM will continue running the company until a new CEO is found.

25/08/2015:The drama surrounding the Ashley Madison breach continues, as it now emerges that the CTO may have hacked competitors prior to ALM being hacked itself.

Security expert Brian Krebs highlighted an email correspondence between CEO Noel Biderman and ex-CTO Raja Bhatia, released as part of cybercriminal group Impact Team's catastrophic hack last month, which resulted in 33 million users' details leaking online last week.

The emails reveal that founding executive Bhatia discovered a security flaw in rival site Nerve.com, which allowed him widespread access to the site's back-end operations.

Bhatia stated that he could "turn any non-paying user into a paying user, vice versa, compose messages between users, check unread stats, etc", and claimed that Nerve "did a very lousy job building their platform".

The trove of emails also contains further evidence that ALM executives were aware of certain security vulnerabilities before the hacks even took place.

Security director Mark Steele the only person that Impact Team has thus far apologised to noted just months before the attack that "our codebasehas many (riddled?)XSS/CRSFvulnerabilities which are relatively easy to find".

He also mentioned that "other vulnerabilities would be things like SQL injection/data leaks, which would be much more damaging".

These emails lend weight to claims that ALM did an inadequate job of protecting itself and its users' data claims that have seen one disgruntled customer pursuing legal action.

A Californian man is suing ALM for negligence and claims he suffered emotional distress' as a result of Ashley Madison's breach.

The suit seeks unspecified damages, and is aiming to be deemed a class action'. It's the latest in a string of consequences from the breach, with police reporting that two Canadians have taken their own lives following the Ashley Madison attack.

Although Toronto police wouldn't give further details about the two deaths linked to the hack, acting staff superintendent Bryce Evans issued a statement to the hackers, saying: "I want to make it very clear to you your actions are illegal and we will not be tolerating them. This is your wake-up call."

Avid Life Media is now offering a 240,000 reward for any information about the identity or whereabouts of the criminals involved while the Toronto police department has set up a Twitter account @AMCaseTPS and hashtag #AMCaseTPS for anyone with any information about the attack to share it.

US Magazine reported that one of the victims was Captain Michael Gorhum who had been working for the San Antonio Police for 25 years. This has not been confirmed by official sources.

Extortionists have already begun targetting Ashley Madison users, according to security researcher Brian Krebs.

As reported by Krebs on Security, users whose data was stolen in last month's hack and posted online last week are being targeted with blackmail threats from opportunists who threaten to expose their membership of the site if they do not pay up.

One user known only as Mac told Krebs: "They have my home billing address and first and last name, so it would be relatively easy for them to get my home records and figure out who I am.

"I'll accept the consequences if this does get disclosed, but obviously, I'd rather not have that happen because my wife and I are both very happy in our marriage."

This will continue to happen, said Tom Kellerman, chief cybersecurity officer at Trend Micro, and could also grow to include widespread ransomware attacks.

"There is going to be a dramatic crime wave of these types of virtual shakedowns, and they'll evolve into spear-phishing campaigns that leverage crypto malware," he said. "The same criminals who enjoy deploying ransomware would love to use this data."

Lawsuit

Two Canadian law firms have filed a 367 million joint lawsuit against Avid Dating Life and Avid Life Media, the companies behind Ashley Madison, on behalf of a number of former users, following Impact Team's posting of 32 million users' details onto the dark web.

"Numerous former users of AshleyMadison.com have approached the law firms to inquire about their privacy rights under Canadian law," Charney Lawyers and Sutts, Strosberg LLP said in a joint statement.

"They are outraged that AshleyMadison.com failed to protect its users' information. In many cases, the users paid an additional fee for the website to remove all of their user data, only to discover that the information was left intact and exposed."

However, the companies said action will not be taken against Impact Team, the hackers who stole and later released the source code of the site.

Source code leak

The news comes less than a week after the cybercriminal collective behind theAshley Madison hack leaked the extramarital dating site's source code, clearing the path for other hackers to attack the site's parent company.

Impact Team's second file dump in three days afterstealing 37 million customer records in Julyalso includedwhat appears to be a file containing the email correspondence of CEO and self-proclaimed "king of infidelity" Noel Biderman, but it was corrupted and unreadable.

However, by releasing what initially looks like the complete source code repositories for all the websites owned by Ashley Madison's parent company, Avid Life Media (ALM), other cyber criminals can identify flaws and vulnerabilities at their leisure.

Chris Boyd, malware intelligence analyst at Malwarebytes, was less than optimistic about the potential consequences for ALM and its other sites, Established Men and Cougar Life.

"The leak of the source code spells more bad news for Ashley Madison," he said. "It could result in more deep-dives into their infrastructure and anything else they're desperately trying to retain control over."

"The only real good news they've had is that the personal communications of their CEO have apparently been damaged in the leak", he added, before noting that "this is likely small consolation to the many affected users of the site caught in the fallout".

This new leak indicates that Impact Team is not content to merely damage Ashley Madison they want to destroy it entirely, along with its sister sites.

The most recent infodump weighed in at 20GB twice the size of the file released on Tuesday, 18 August containing up to 32 millioncustomers'details.

This suggests that Impact Team may have access to an almost limitless amount of information and that these leaks could even escalate in size and severity.

The latest attack comes just two days after the identities of millions of potentially cheating spouses were exposedonlineby Impact Team.

The group threated to post the data if Ashley Madison wasn't shut down immediately, along with sister sites like Cougar Life and Established Men owned by Avid Life Media.

Almost exactly a month after that warning, Impact Team delivered on its threat, posting an information dump of almost 10GB to the dark web and file-sharing sites, thought to contain the details of 32 million users of Ashley Madison.

"Avid Life Media has failed to take down Ashley Madison and Established Men", Impact Team wrote as part of the release.

"We have explained the fraud, deceit, and stupidity of ALM and their members. Now everyone gets to see their data."

The file contains the personal details, email addresses and payment information of at least 30 million users, with some putting the number as high as 37 million.

Thousands of email addresses appear to belong to public sector officials, including thousands of .gov domains, butindependent security adviserPer Thorsheimpointed out that Ashley Madison does not require any form of email verification during sign-up.

This means it is virtually impossible to ascertain whether or not the addresses actually belong to who they seem to - likely, many do not.

Security analyst Graham Cluleyadded: "I could have created an account at Ashley Madison with the address ofbarack.obama@whitehouse.gov, but it wouldn't have meant that Obama was a user of the site."

Thorsheim and others have also warned that widespread dissemination of the details contained in the leak could lead to extreme consequences, up to and includingsuicide.

For example, it's not made clear how recently, or how often, an account was used. There's no distinction within the file between prolific serial adulterers and those who signed up once just to see what it was like.

Impact Team has also qualified the release by saying that "90-95 per cent of users are male. Chances are, your man signed up on the world's biggest affair site, but never had one. He just tried to".

Other security experts condemned Impact Team's actions, with George Anderson, director of the cybersecurity firm Webroot, saying:"Whilst readers' morals may conflict either seeing this group of hackers as good or bad guys, the fact remains that the Impact Team illegally obtained sensitive personal info.

"I'd imagine the fall-out is divorces, firings, and blackmail really personally malicious and upsetting stuff. There are no moral judgments on this except the immorality of hackers."

He also noted that "what's more worrying is what they are not releasing and instead using as blackmail. I don't think this is just a sophisticated kiss n tell'".

Security expertBrian Krebsand others have reportedly verified the dump through anonymous sources who found their data in it.

Phishing attacks

The widespread release of email addresses could lead to a deluge of phishing attacks, warned Barracuda Networks, where users used their own emails or others used real email addresses that were not their own.

Wieland Alge, VP and General Manager EMEA, said:"With a number of users signing up with work email addresses, phishing attacks could be launched against users via these accounts, meaning government and corporate networks are at risk.

"Having access to the data could allow the hackers to build a detailed profile of their target and create a very specific attack. After building the profile, the attack is likely to come from a 'trusted source' and this makes the chances of a successful attack considerably higher."

Cyber security firm Blue Coat warned blackmail will rear its head too.

Its cyber research team said in a statement: "Not all of the personal data of Ashley Madison users has been released, therefore cyber attackers may go directly to the management, or to the individual users of Ashley Madison and ask for a payment for the release/deletion of personal data. Blackmail can also happen through non-financial means by coercing victims into working with the attackers as an insider."

Ashley Madison response

A spokesperson from Ashley Madison said: "This event is not an act of hacktivism, it is an act of criminality. It is an illegal action against the individual members of AshleyMadison.com, as well as any freethinking people who choose to engage in fully lawful online activities.

"The criminal, or criminals, involved in this act have appointed themselves as the moral judge, juror and executioner, seeing fit to impose a personal notion of virtue on all of society. We will not sit idly by and allow these thieves to force their personal ideology on citizens around the world."

This news story was first written on 21/08/2015), but has been updated to reflect recent updates in the story, most recently (05/02/2016).

Zach Marzouk

Zach Marzouk is a former ITPro, CloudPro, and ChannelPro staff writer, covering topics like security, privacy, worker rights, and startups, primarily in the Asia Pacific and the US regions. Zach joined ITPro in 2017 where he was introduced to the world of B2B technology as a junior staff writer, before he returned to Argentina in 2018, working in communications and as a copywriter. In 2021, he made his way back to ITPro as a staff writer during the pandemic, before joining the world of freelance in 2022.