12-Jul-15:
The website's parent company, ALM (Avid Life Media), had been hacked. Employees first learned of the intrusion when they arrived at work and powered on their computers, to be presented with the initial message from the "Impact Team" - the hacker group that has claimed responsibility for the breach.
The news broke, and as expected, there was widespread fear among the ~37M impacted users. The original leak:
Besides snippets of account data apparently sampled at random from among some 40 million users across ALM’s trio of properties, the hackers leaked maps of internal company servers, employee network account information, company bank account data and salary information. Hackers also claimed that the company had lied when it sold a service called "Full Delete", which was supposed to purge all user details.
“Full Delete netted ALM $1.7mm in revenue in 2014. It’s also a complete lie. Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.”
The demand from the hackers:
“Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails. The other websites may stay online.”
Sounds like a "Robin Hood" of hackers, no? A good deed for society, with no personal gain - no BTC demands!
18-Aug-15:
The company decided not to give in to the demands. And the hackers leaked what was promised (tech links). So, what happens now?
- There are numerous websites now offering services to search for your spouse and friends, to see if they were using the website
- We now have bad guys harassing the victims (for lack of a better word), and starting an extortion / blackmail program
- We also have two suicides, which could (not confirmed) be due to this disclosure
- The ALM company has been taken to court by the users, and faces a class action lawsuit
- The CEO of the company stepped down, over all this controversy
- Some big names got exposed via this hack.
24-Aug-15:
The company announces a $500M bounty for the person who is able to help find the culprit in this hack. At the same time, Krebs feels a Twitter user, Thadeus Zu (@deuszu), could be responsible.
The company used all the right protocols for hashing and salting their passwords. However, poor implementation causes over 11M hashes to be cracked.
15-Dec-16:
Ashley Madison settles the lawsuits for $17.5 M. Interestingly, at this point in time it can only afford to pay about 10% of this. Plus, they will have a whopping 20 yrs of govt oversight to ensure network security.