The Privacy Blog: Privacy, Security, Cryptography, and Anonymity

August 20, 2015

Lessons of the Ashley Madison Hack and Data Dump


There is a lot of Schadenfreude going around about the Ashley Madison website hack. People are often treating it as more of a joke than a serious incident.

For those of you who have been under a rock, Ashley Madison is a dating site for married people who want to have affairs. Their tagline is even “Life is short. Have an affair”, so they are not at all subtle about it.

A group of hackers calling themselves “Impact Team” announced the initial hack of the website about a month ago. The hackers demanded that Ashley Madison and associated websites be taken down. A month later, the hackers have now dumped info on all 32 million user accounts for anyone to see.

The data appears to include passwords and payment information. Fortunately it looks like Ashley Madison did a better than average job of protecting user passwords, so that aspect is not as bad as it might have been, but users are still at risk if they have been reusing passwords or have particularly weak ones.

In addition, they charged users to have their accounts removed, which strikes me as a scummy practice. Worse, it appears that the records of at least the financial transactions are still there.

It is hard to feel too bad about the folks at Ashley Madison, but…

Many of the leaked profiles appear to be fake, so we could see a lot of people being accused unfairly.

Also, a bunch of sites have sprung up to let you check if your email is in the data dump. Many are probably scams or watering hole attacks. Don’t check these sites; you already know the answer one way or the other.

So, what can we learn from this latest breach?

  • Any site can get hacked, so make sure you can live with that before joining or providing info.
  • As usual, don’t re-use passwords.
  • Don’t use your real email for sites where you need to be anonymous.
  • Hide your IP address from sites where you need to be anonymous.
  • Hackers with a cause can do as much damage as profit-minded hackers.
  • Think about what you need to protect, then protect it … and belonging to an adultery website would be one of those things.

I want to be very clear: what these hackers did is absolutely illegal and immoral. The ends do not justify the means.
Also, we don’t want to encourage more of this kind of thing for other causes and moral crusades.
Remember, while you might find this kind of website repugnant, it is perfectly legal in most countries. Don’t be too quick to judge. It is likely you are on the wrong side of someone else’s judgmental line drawing. If everyone hacked to enforce their personal moral positions the Internet would be in rough shape.


5 comments

  • Dan Gehlhaar · August 21, 2015 at 9:34 am

    It’s amazing that “try not to do anything too stupid” is such a hard rule for so many people to follow, whether they be corporations (announcing “we have tons of intensely sensitive, personal information that is totally secure” counts as Felony Stupid), or individuals (too many to list, but using government emails on Ashley Madison definitely counts). I have a friend who works InfoSec at Intuit (i.e. TurboTax). They obviously have treasure troves of information. The little that he can tell me about their efforts is very impressive (lots of encryption BEHIND the firewall, rotating keys, etc). And they certainly don’t brag that they are secure.


  • The Cognizant Owl · September 5, 2015 at 9:30 am

    Great article.

    I think the Ashley Madison leak is interesting, because while yes the whole practice of dating with the purpose of having an affair is scummy, both providing the service and using it, the majority of the backlash tends to be on the users whose privacy was invaded, which is a much bigger global issue than infidelity.

    My take on it is that we should be more concerned that hacktivists as well as other groups are targeting organisations to make statements, and the users are becoming collateral. We’ve seen it to a lesser extent with Microsoft and the Xbox network, Sony, and a bunch of others, each hack striving to say “This organisation is awful” while the users whose data is leaked don’t seem to be considered (clearly they were considered in the motivations of this hacktivist group though!).

    Keep it up.


  • nick · September 21, 2015 at 9:40 am

    I think it all really depends on the individual. I think there is this crazy idea that the government, with the NSA spy program etc… are the only group taking it upon themselves to acquire information electronically. I in no way agree with this website or its services but at the same time, the integrity of online information shouldn’t be violated. People have been acquiring information for years without people knowing it. It is incredibly easy to track an IP address, on the other hand it is also easy to change it. But my point is that people seem to think that these “hackers” are some sort of vigilantes. They try and take the law into their own hands but for what purpose. For publicity and to benefit themselves. I almost laughed when you stated “If everyone hacked to enforce their personal moral positions the Internet would be in rough shape.” This is probably the truest thing I have read on the internet. Too many times has someone tried to prove a point. Stealing information from the internet regardless is illegal and just because it is an adultery site doesn’t mean the account holders should be exposed on the internet. When it comes to information on the internet or services etc… people need to be more objective. If you have ever been hacked before or have had information about yourself used against you then you know how that feels.


  • SAFE-guy · November 1, 2015 at 3:59 pm

    Several obvious issues with the Ashley Madison hack.

    I think there is more to it personally. Could have been a pissed off rich guy who didn’t get his date or a competitor who went to the dark net and hired a group of hackers to hack AM.

    Point is that Ashley Madison guaranteed privacy, security and anonymity and could not provide it.
