Stolen User Data Published by Hackers


Following the infamous Ashley Madison hack, in which hackers released the personal data of thousands of people who used the adultery website, security experts from Rapid7, Tripwire and Lieberman Software explain that “Hacktivist groups are more likely than general cybercriminals to share information on vulnerable sites and intended targets.”

Tod Beardsley, Security Engineering Manager, Rapid7:

“Curiosity seekers, suspicious spouses, and divorce attorneys would do well to avoid wasting too much time hunting for “one true and correct” Ashley Madison dump on their own. While the dump from last night appears to be credible among the few forensic experts who have looked at it, the data itself in the “real” dump is rather suspect. In addition, even fake data can hurt real people.

For starters, it’s trivial to set up a fake account on Ashley Madison, since Avid Life Media’s (ALM’s) account setup procedures encourage, but do not require, an e-mail address to be verified by the user. This might be done for a variety of reasons by actors ranging from pranksters to bitter divorce rivals.

Second, the majority of “real” account holders tend to use fake, throw-away data and details, for obvious reasons. If some of those fake details happen to coincide with a real person, then it can create a sticky problem for that real person.

Finally, even if the real data is a real person, and that person really registered for the site, there is no indication in the data if that person was successful at, or even intending to, pursue an illicit affair.

One of the appeals of online dating sites — especially niche ones like ALM’s services — is the ease of entry combined with the anonymity of the Internet. According to discussions on Reddit’s various relationship and dating groups, Ashley Madison users, as well as users of other “edgy” dating services, appear to be just as likely to be fantasising “tourists” as they are to be serious marital cheaters. For these people, the perceived anonymity and ease of signup, even without intent of follow-through, can spell trouble at home when that anonymity is blown.

Dating sites of all types are trusted with perhaps the most sensitive, personal data imaginable. Not only credit card payment information and personal identifiers such as addresses and phone numbers, but personal details that few people would be comfortable discussing in public. While it’s still unclear how the breach at ALM’s properties occurred, I’m hopeful that CISOs around the world take securing customer data to heart in light of these events, especially when those CISOs are entrusted with the emotional, psychological, and physical well-being of their customer base.

As security researchers and onlookers, we should also be mindful that this breach is not just another object lesson for CISOs. As with many breaches, this dataset can severely impact the real lives of real people, but this set goes beyond the normal health and privacy concerns: some people are literally put in physical danger if their details are connected with Ashley Madison. Among the at-risk population are physically and emotionally abused spouses, people coping with sexual orientation, gender identity, and addiction and compulsion issues, and the children of people who are named, falsely or accurately, in the datasets.”

Lamar Bailey, Director of Security Research and Development at Tripwire

“This has been one of the most interesting breaches this year. The data stolen and released has far-reaching social implications and people are already harvesting and creating metrics on the data. Sites are publishing which cities have the most “cheaters” using which cities have the most profiles listed on the site. This could play into hiring decisions too because many companies run background checks, Facebook, Twitter, and Google searches for applicants. If an applicant shows up as an Ashley Madison user does that show something about the applicant’s trustworthiness and morals?

“Hackers generally don’t share very well unless they are part of a hacking group but even then sharing is limited. It is more likely that hackers attack a site and steal data, then they sell the data multiple times. They will sell exploits from time to time if the price is high enough or they feel it is going to be obsolete soon. Firms should take advantage of published exploits to look for holes in their environment and this will help keep out script kiddies but will not stop skilled hackers.”

Philip Lieberman, President and CEO of Lieberman Software

“There is a general population of hackers and researchers that troll and test sites on the Internet on a constant basis.  This population of attackers is worldwide and motivated by the usual motivations of money, fame, and power.  As is the norm in the hacker community, the higher the profile of the attacked site, the greater the prestige to the hacker who discovers a vulnerability and touts it.  The general proof of a hack is the publication of the site data or an obvious defacement of the site for other hackers to see.

The motivations may have been technical, moral, political or simply a matter of prestige within the hacking community. The larger and higher the profile of the attack/compromise, the greater the prestige in the hacker community. This does not currently appear to be financially motivated.

Putting together a case as well as determining proper attribution for an attack is a time consuming process.  The attackers may very well not be in the United States, so the US Government’s power to effect a prosecution or justice may be limited or non-existent depending on the country where the attacker operated from.

There are free toolkits to do penetration testing as well as sites that categorize sites with vulnerabilities that are freely available.  Most likely there was a flaw in the design of the web site as well as a clear lack of internal systems to detect and terminate this type of attack.  Given the massive exfiltration of data without any notice of the company, it is clear that cyber-defence was not one of the primary missions of the compromised company.

There is a clear irony in the entire hack that also increases the prestige of the attacker.  A site dedicated to immoral activity seemed to have repeated the betrayal of its customers just as it suggested its clients do likewise to their spouses.  What is good for the goose is good for the gander-perhaps this is karmic justice delivered by the hacker community.  They lifted the covers on everybody.”

Craig Young, Cybersecurity Researcher with Tripwire

“Hacktivist groups are more likely than general cyber criminals to share information on vulnerable sites and intended targets. This information sharing is often conducted over internet relay chat (IRC) channels for like-minded individuals. Users know that these conversations may be monitored but rely on anonymity and sometimes reputational trust to limit exposure to law enforcement. These servers are generally hosted in countries with liberal privacy laws and often hidden by the TOR network. Cyber criminals seeking monetary gain, however, tend to play things closer to the chest.”

