Hackers Impact Team says Ashley Madison became a target for the group after making $100m a year fraudulently by blackmailing users.
Ashley Madison, a domain owned by Avid Life Media, suffered a data breach in July which resulted in the loss and theft of details belonging to up to 38 million members. The website, a platform for those seeking extramarital affairs and casual encounters, uses the slogan "Life is short. Have an affair."
A group called The Impact Team claimed responsibility for the cyberattack, threatening to post user details online unless the service shut its doors. Avid Life ignored the threat, and as a result, three large data dumps have so far found themselves online. Records including email addresses, names and sexual preferences, executive emails, website source code and credit card details can now be downloaded via the Dark Web or BitTorrent software.
In an interview with Motherboard, the Impact Team said in a Q&A session that hacking Avid Life was incredibly easy and took place over several years. According to the group, they "worked hard to make [it a] fully undetectable attack," but once they were in, there was nothing to bypass.
Impact Team said the security of Ashley Madison was, in one word, "bad" -- which is completely contrary to the service's previous claims that the website was "the last truly secure space on the Internet."
"Nobody was watching," Impact team told the publication. "No security. Only thing was segmented network. You could use Pass1234 from the internet to VPN to root on all servers."
Impact Team claims to have a total of 300GB's worth of employee emails and internal, corporate documents waiting in the wings. In addition, the group was able to steal "tens of thousands" of Ashley Madison user pictures, chat records and messages.
At least there is a silver lining for the website's former users -- while approximately one-third of the stolen images are "dick pictures," Impact Team said they will not dump these online. In addition, most employee emails will be safe -- although communication from Ashley Madison executives may not be so.
The hacking group took on Avid Life Media's Ashley Madison domain after claiming the "Paid Delete" function, which permanently removed user account details for a fee, did not perform as advertized. Instead, there are "many accounts" which prove the feature duped users into handing over additional money for no return, according to Impact Team.
The group said they lurked on company servers for a long time in order to understand Avid Life's system and business processes. Impact Team watched subscribers reaching the millions and decided to stop future signups from taking place. The hackers said:
"Blackmail users! We didn't blackmail users. Avid Life Media blackmailed them. But any hacking team could have. We did it to stop the next 60 million. Avid Life Media is like a drug dealer abusing addicts."
Following the hack and three separate data dumps so far, Avid Life hit back against claims that the paid delete option does not work. In a statement, the firm said profiles, pictures and messages are all part of a hard-delete if a user chooses to pay for the option.
The Impact Team's response to this is below:
"They make $100,000,000 in fraud a year. Not very surprised they didn't shut down. Maybe lawyers can shut them down now. They sound like politicians, cannot stop lying. They said they don't store CC [credit card information]. Sure, they don't store email either, they just log in every day to server and read."
In a statement, Avid Life Media said, "no current or past members' full credit card numbers were stolen," and any statements to the contrary are false.
The group says they will take on any target in the future which makes money off the "pain of others, secrets and lies," and although it may take a while, the group plan to make an impact when they reveal their next, future target.