First Line of Defense: Kissing and Telling: More Details Resurface About the Ashley Madison Hack

3 years ago
  • Html
  • Text
This message contains graphics. If you do not see the graphics, click here to view.
View the Web version.  
First Line of Defense
  Your regular source of security updates from TrendLabs
  September 13, 2015   Follow

Kissing and Telling: More Details Resurface About the Ashley Madison Hack

Forward Share


The Ashley Madison (AM) data breach, as far as data breaches go, is one of the most controversial to date. Not only is the website already controversial – being a dating website whose sole focus is to encourage extramarital relationships – but also how its breach came to be, i.e. through an ultimatum made by the culprits: either the company responsible for AM takes the website down or they would publish the data they stole online. Avid Life Media, owners of AM, refused to heed the culprits’ warning. Next thing we see is 10 GB worth of the website’s stolen data dumped into the deep web, exposing the entirety of their customer base in the process.

This leaked information, predictably enough, is already being used by cybercriminals looking to gain a quick profit. We recently received samples of what appears to be emails being systematically sent to the addresses found in the AM database.

  " While there are of course moral and ethical standpoints to consider in this particular breach, the fact remains that the privacy of many individuals has been compromised. "  
These emails range from extorting money to have the recipient’s name deleted from the deep web archive for the price of 1 BTC or US$230, to collecting donations for a class-action lawsuit against Avid Life Media. The most heinous type of this kind of email we received was an outright blackmail-letter type, in which the sender threatens to divulge the existence of the recipient’s AM account to their friends and families, again with a 1 BTC/US$230 price tag.

We note here that we received these emails because one of our honeypot servers somehow figured in the AM database, which is why we surmise that this is less of a personalized attack and more of a systematic one. As such, we also recommend to anyone unfortunate enough to receive similar email to ignore it and not pay a single cent – due to the simple fact that the released information cannot be edited or deleted in any way.

While there are of course moral and ethical standpoints to consider in this particular breach, the fact remains that the privacy of many individuals has been compromised. A company trusted by its customers failed to uphold their end of the bargain – to make sure that their personal information remains protected and away from the public eye. Not to mention that the AM paid service ensuring the complete and permanent removal of all traces of your having an account with them has been proven to actually be false as the remaining elements could still be traced back to an individual.

With our findings, we also discovered that anyone can be a victim of this breach. Because of the lack of a process to verify if the user making the AM profile is truly the owner of the email address they’re using, any address can be used without compunction or penalty. That means that anyone’s address is fair game, anyone can be blackmailed.

It’s a disturbing trend, and morality/ethics about extramarital relationships aside, we must recognize that this speaks a lot about how companies are treating our personal data. Are the hackers simply too good for today’s level of security, or are companies not doing enough to protect our personal information? The fact also remains that a data breach is still a data breach. No moral cause can change the fact that such a deed is still illegal.

Any organization/business that keeps customer information must take care of their users’ identity. They must also put a premium in securing user information so as not to endanger their privacy also. They need to realize that attacks are now the norm, no matter what size they are or what services they provide, and they will be a target sooner than later. On the other hand, users should also protect their digital lives by limiting the use of personally-identifiable information in their profiles.

For more information about the Ashley Madison hack, you can check out our previous articles about it here, here and here.


Security Spotlight

Rocket Kitten Continues Attacks on Middle East Targets

We catch up with the illicit activities of state-sponsored group Rocket Kitten since their misadventures with GHOLE malware and Operation Woolen-Goldfish last March.

Security for Home Users

A Midyear Look at the Email Landscape

We report on what’s happening on the email front for the first half of the year. Our findings include macro threats and ransomware in prominence, threats that can be found in emails as malicious attachments or links. Read on to find out why.

Security for Business

FTC Has Authority to Enforce Corporate Cybersecurity

In the US, the Federal Trade Commission (FTC) can now regulate the cybersecurity practices of businesses. Find out how this news will benefit users and companies.

© 2015 Trend Micro Incorporated




Share this newsletter on

Related newsletters

© 2019