For months, my Slate colleague Jordan Weissmann has been saying that online affair-facilitator Ashley Madison was going to get hacked. “It just seems like an obvious choice,” he would say. And he was totally right! On Sunday, KrebsonSecurity reported news of an extensive breach.
With a slogan like “Life Is Short. Have an Affair” and 37 million users, you can see why Ashley Madison's data might be tempting for hackers looking to wreak some havoc. The culprits are calling themselves “the Impact Team” and say that if Avid Life Media, which owns Ashley Madison, doesn't take the site down, they'll leak all of the data they collected on the service's servers.
But this isn't (just) about a moral objection to cheating. The Impact Team hackers assert that Ashley Madison's “Full Delete” feature, which claims to remove all identifying data from company servers for $19, doesn't actually work. Krebs reports that the Impact Team wrote in a manifesto, “Full Delete netted ALM $1.7mm in revenue in 2014. It’s also a complete lie. Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.”
Not that the hackers are exactly on the side of Ashley Madison's users. “Too bad for those men, they’re cheating dirtbags and deserve no such discretion,” the group wrote. There's some irony in outing the injured parties whom you're simultaneously trying to defend, but the hackers seem more interested in making a general point about services that claim to erase user data.
In a statement, Avid Life Media said:
We apologize for this unprovoked and criminal intrusion into our customers’ information. ... We have always had the confidentiality of our customers’ information foremost in our minds, and have had stringent security measures in place ... At this time, we have been able to secure our sites, and close the unauthorized access points. We are working with law enforcement agencies, which are investigating this criminal act. Any and all parties responsible for this act of cyber–terrorism will be held responsible.
Ashley Madison's data is even more valuable than what comes out of the usual hack because it's identity theft fodder plus information about who has cheated or considered cheating on a partner and what people's sexual preferences/fantasies are. But the site's privacy setup wasn't exactly stellar before. As developer Troy Hunt showed on his blog, the forgot password feature of Ashley Madison returned a slightly different screen depending on whether an email address was registered with the site. If you wanted to check whether your spouse was on the site, you just had to enter some of his or her addresses.
Of course, if Ashley Madison's users were smart enough to make special dummy email addresses for digital indiscretions, you wouldn't be able to catch them this way, but it's still a big privacy hole, and let's be honest, most people aren't that wily. Hunt told Motherboard that the password reset mistake is a privacy oversight on a lot of sites. “Unfortunately it's all too common. ... I would have been surprised if they'd done it right. I'm saddened, but not surprised,” he said.
Though the Impact Team may have gone about making its statement in a contradictory and, you know, illegal way, it's a good reminder that when a company says it will delete your data, you don't exactly get to watch its physical destruction. It's hard to check that your info has actually been removed. So if it's something that your reputation can't survive, you might not want to trust a service with it in the first place.