‘Thou shall not cheat’ – said the hacker

Our self-created digital world allows us to shift a lot of our daily lives onto the internet. We do our financials online, we shop online, we even date online. It isn’t strange that with the increasing connectedness that the internet provides us there is a market to connect people who are looking for a partner. A comparable, but maybe more disputed market is one that provides online platforms for extra-marital affairs. There are several sites that offer the means for people to join and meet other people who are looking for the same thing. Not surprisingly, there are people who aren’t too happy about these sites, including people with very sophisticated hacking skills. An example is the Ashley Madison hack, which is a rather high profile case. A group of hackers called ‘the Impact Team’ directed an attack towards Avid Life Media, Inc., owner of Ashley Madison. Here’s what happened.

The site Ashley Madison presents itself as platform that enables a way to have an affair. Its earning model isn’t based on subscription fee, rather users of the site had to purchase credits in order to chat with other users. The site promised full discretion, which also meant deleting the credit card information of its customers and giving the option to have your account completely deleted (against payment, of course). It appeared to be every cheater’s dream. However, hackers collective ‘the Impact Team’ showed another side of this site.

On July 12th 2015 employees of Avid Life Media (ALM) received a message from the Impact Team, revealing private customer records were stolen by the hackers. They threatened to leak the information which included the personal data of 37 million users of Ashley Madison. Accompanied by AC/DC’s ‘thunderstruck’ the message stated that Ashley Madison had to be shut down or otherwise the information of all its clients including their sexual fantasies, nudes, conversations, but more importantly their real names and addresses, would be made public. And so, on July 22nd 2015 the first information was leaked.

As a result of the non-compliance from ALM, the Impact Team eventually leaked a data file including all the information they had gained access to in the data breach. High profile businesspeople were included in the list, and the case got a lot of media attention. The Impact Team clearly didn’t agree with what the site stood for, but besides this the hack was a way of ‘punishing’ ALM for lying to their clients. It appeared that the credit card information was not deleted after purchases, unlike what was promised. The option to delete an account was also a lie, as according to the Impact Team these accounts were never deleted.

An important lesson from this case is the need for proper password protection. The site appeared to use a dated password protection system which made it easier for the Impact Team to gain access in the first place. Besides the lessons one can derive from such hack, in this specific case we can debate who the real ‘bad guy’ is. Are the Impact Team hacktivists, or criminals? Is Avid Life Media a victim, or perpetrator?

sources:

Mansfield-Devine, S., (2015). The Ashley Madison Affair. Network Security, September 2015. p 8 – 15

Viceland: CYBERWAR (2016). Episode: The Ashley Madison Hack.