Ashley Madison, the infidelity-focused matchmaking site whose slogan is “Life is short. Have an affair,” was the target of a huge hack this weekend, and hackers are threatening to reveal data related to the accounts of millions of members.
The hack, which was reported by Krebs on Security, appears to have breached “sensitive internal data” from Avid Life Media (ALM), Ashley Madison’s Toronto-based parent company. The hacker or hackers, who go by the name “The Impact Team,” stole “maps of internal company servers, employee network account information, company bank account data and salary information,” in addition to information relating to 40 million users of Ashley Madison and its sister sites, Cougar Life and Established Men.
According to Krebs on Security, some amount of Ashley Madison account data has already been published online. In a message posted online, the Impact Team took credit for the hack, and threatened to publish more information every day until its demands — a complete and permanent takedown of Ashley Madison and Established Men — were met.
“We’ve got the complete set of profiles in our DB dumps, and we’ll release them soon if Ashley Madison stays online,” the hackers wrote. “And with over 37 million members, mostly from the US and Canada, a significant percentage of the population is about to have a very bad day, including many rich and powerful people.”
Ashley Madison, which drew national attention for its provocative ads, has become the largest online matchmaking site designed to facilitate infidelity. It’s safe to say that the vast majority of those users expected their profiles to remain secure and anonymous, and would be horrified if their names and other account details came to light.
The hacker or hackers appear to have been angered by a premium feature on Ashley Madison called “Full Delete,” which is advertised as a way to “remove all traces of your usage for only $19.” The Impact Team accused Ashley Madison of holding on to certain customer details, such as names and addresses, even after a “Full Delete” was purchased.
Noel Biderman, Ashley Madison’s CEO, confirmed the hack to Krebs on Security. He called the hack “a criminal act,” and said that the company was “working diligently and feverishly” to remove its customers’ extremely sensitive data from public view.
In a statement to Fusion, an Avid Life Media spokesperson said, “We apologize for this unprovoked and criminal intrusion into our customers’ information. The current business world has proven to be one in which no company’s online assets are safe from cyber-vandalism.”
Update: tech blogger Robert Scoble has posted a boastful email from Ashley Madison, sent to reporters and bloggers in 2014, which touted the site as “the last truly secure space on the Internet.” Oops.