Lessons of the Ashley Madison Hack and Data Dump

There is a lot of Schadenfreude going around about the Ashley Madison website hack. People are often treating it as more of a joke than a serious incident.

For those of you who have been under a rock, Ashley Madison is a dating site for married people who want to have affairs. Their tag line is even “Life is short. Have an affair,” so they are not subtle about it.

A group of hackers calling themselves “Impact Team” announced the initial hack of the website about a month ago. The hackers demanded that Ashley Madison and associated websites be taken down. A month later, the hackers have now dumped info on all 32 million user accounts for anyone to see.

The data appears to include passwords and payment information. Fortunately, it looks like Ashley Madison did a better than average job of protecting user passwords, so that aspect is not as bad as it might have been, but users are still at risk if they have been reusing passwords or have particularly weak ones.

In addition, they charged users to have their accounts removed, which strikes me as a scummy practice. Worse, it appears that the records of at least the financial transactions are still there.

It is hard to feel too bad about the folks at Ashley Madison, but...

Many of the leaked profiles appear to be fake, so we could see a lot of people being accused unfairly.

Also, a bunch of sites have sprung up to let you check if your email is in the data dump. Many are probably scams or watering hole attacks. Don’t check these sites; you already know the answer one way or the other.

So, what can we learn from this latest breach?

- Any site can get hacked, so make sure you can live with that before joining or providing info.
- As usual, don’t re-use passwords.
- Don’t use your real email for sites where you need to be anonymous.
- Hide your IP address from sites where you need to be anonymous.
- Hackers with a cause can do as much damage as profit-minded hackers.
- Think about what you need to protect, then protect it … and belonging to an adultery website would be one of those things.

I want to be very clear, what these hackers did is absolutely illegal and immoral. The ends do not justify the means. Also, we don’t want to encourage more of this kind of thing for other causes and moral crusades. Remember, while you might find this kind of website repugnant, it is perfectly legal in most countries. Don’t be too quick to judge. It is likely you are on the wrong side of someone else’s judgmental line drawing. If everyone hacked to enforce their personal moral positions the Internet would be in rough shape.


