Less than 28 days after hacking crew Impact Team threatened Ashley Madison's parent company Avid Life Media with a no-limits database dump, the team kept its promise and published the motherlode of doxes on a darknet site this week.
It's actually hard to believe this particular hack and dump didn't happen sooner. Ashley Madison, ALM's flagship site, was basically the world's biggest honeypot for people who had something to hide.
It's a high-profile smash and grab for a team with zero previous conquests to their name. Current estimates put it at 37 million records total, with a size of around 10 gigs (compressed). In comparison, the Target hack held 110 million customer records; this week's biggest breach, web.com, exposed an estimated 93,000 credit card records.
By its nature, Ashley Madison was a magnet for fake accounts.
The Hill reports that Washington, D.C. is coming up as the number one city for membership, and that "15,000 of the email addresses used to register accounts were hosted on U.S. government and military servers." Top corporate domains seen in the dark web dump include Microsoft, Apple, Cisco, Bank of America, and BP.
However, it's unlikely that anyone will estimate the number of fake addresses in the dump -- and there are plenty. Ashley Madison didn't verify email addresses, and loads of people created dummy accounts to check out the site.
For instance, there are over a dozen instances of "Barack Obama emails" in the dump.
Robert Hansen, VP of WhiteHat Labs for WhiteHat Security, told DarkReading, "I have found a bunch of fake entries in here, so all of this data should be taken with a grain of salt. It doesn't appear that they normalized or even checked to make sure the emails were valid before storing them in this database. So, Barack Obama is in here under a dozen different emails as an example, as are a lot of others that are clearly incorrect."
Still, panic and feeding frenzies are now in full swing.
Sites for public searching of the Ashley Madison/ALM haul like WasHeOnAshleyMadison.com started preparing online as early as July 29. Security researcher Troy Hunt reports today that he's seeing over 30,000 visitors an hour to his breach verification service, haveibeenpwned.com.
Noel Biderman, the CEO of Avid Life Media, once described the company's servers as "kind of untouchable."
Impact Team claimed in an early statement that they performed the brutal hack and dump on Avid Life Media because the company "profits on the pain of others" -- which seems to be the only point Avid has acknowledged in its media statements. Yet Impact Team's first post emphasized ALM's security failings, saying "For a company whose main promise is secrecy, it's like you didn't even try, like you thought you had never pissed anyone off."
Impact Team's statement accompanying this week's drop clearly says they're punishing ALM for deceiving users about security. "Find yourself in here? It was [Avid Life Media] that failed you and lied to you."
And we're discovering that Avid Life Media did indeed play fast and loose with user trust -- the dump reveals that despite selling an "account deletion" service, the company didn't actually delete user profiles. Researcher Robert Graham found as many as 250,000 "deleted" accounts in the haul.
Yet as much as Impact Team's manifesto pointedly exposes Avid Life Media's own issues around keeping promises in relationships, the only people really being hurt here are the site's users.
The users, widely characterized as cheaters, whose primary failing seems to be signing up for a site marketed successfully as a hookup hot spot for monogamous, partnered people to break their relationship contracts.
While Ashley Madison's marketing appeal hinged on infidelity, describing the entirety of its users as straight cheaters would be inaccurate. Western countries are rife with straight swingers, and anyone's relationship rules are only discoverable when we ask (though actually, it's none of our business).
If we were to describe the site in startup jargon, the site was basically a Grindr for straight-identified people, seeking NSA (No Strings Attached sex) -- though its well-trod corridors were no strangers to same-sex couplings.
In an example of the harm done by sex site breaches, as well as "real names" policies, early news of the hack on Ashley Madison prompted this Reddit post, "I (single gay man from Saudi Arabia) Could be Stoned to Death if Ashley Madison Records Are Leaked."
"I studied in America the last several years and used Ashley Madison during that time," wrote the anonymous poster on July 25th. "I was single, but used it because I am gay; gay sex is punishable by death in my home country so I wanted to keep my hookups extremely discreet. I only used AM to hook up with single guys."
These fears are justified. As one of the 10 countries where homosexuality can be punishable by death, Saudi Arabia has carried out 100 executions since the beginning of 2015, has extreme sentencing for homosexuality, and the country relies heavily on internet monitoring to track down citizens and enforce its signature arbitrary arrests.
Those ten countries aren't too keen on cheating straight folks, either.
Now, courtesy of headlines blaring that anyone can search the dump, authorities in any of those countries can see user profile records that can include as much as a user's name, email, password (hashed), languages spoken, smoking status, sexual limits, preferences, turn-ons, height, weight, addresses, account activity logs, and stated location. Some of the records include GPS coordinates.
Meanwhile, since Ashley Madison's servers were marketed as a veritable honeypot for hypocrites, it naturally attracted many.
The first public figure verified to be in the dump is none other than Josh Duggar, who helped lead the Family Research Council's "March for Marriage" and appears to have spent about $1000 on Ashley Madison's services.
Yes, @joshduggar please blame porn for cheating. If anything, that should have kept you home. http://t.co/JGYVXZRSbS
-- Mike Stabile (@mikestabile) August 20, 2015
I think we can expect more stories like this in the days to come -- despite Avid Life Media's claim that it "successfully removed all the posts related to this incident."
The takeaways from "the Ashley Madison hack" aren't obvious.
It's not a wake-up call about a privacy apocalypse; we had that a long time ago.
It's not a wake-up call about companies deceiving us about safeguarding our private information; we passed that mile marker in the last hemisphere.
And it's certainly not a wake-up call about relationship morality, or "family values" hypocrites; that's a dated, jokey refrain we know by heart.
What this over-hyped breach holds is a warning about where we're at with responsible stewardship in online identity management: If Ashley Madison was a honeypot for people who had something to hide, this breach is a bucket of cold water about websites that safeguard our secrets.
It's an example of the worst things that can happen when people trust internet companies with information they'd rather keep private.
Et tu, Facebook?
Note: This article has been updated to correct the number of exposed web.com credit card records to 93,000. We regret the error.