It's already clear that, despite handling very sensitive data, Ashley Madison did not have the best security. Hackers managed to obtain everything from source code to customer data to internal documents, and the attackers behind the breach, who call themselves the Impact Team, made a mockery of the company's defenses in an interview.
With a huge dump of the company's emails now available on the dark web, it's possible to get a better idea of what was really going through the minds of those responsible for the site's security, and overall it doesn't look good. Ashley Madison seems to have put a heavy emphasis on PR spin, rather than protecting data.
“With what we inherited with Ashley [Madison], security was an obvious afterthought and I didn't focus on it either,” the company's founding CTO Raja Bhatia wrote at the beginning of 2012. “I am pretty sure we stored passwords without any cryptography so a database leak would expose all account credentials,” he continued. The email was in response to the news that the data of 100,000 Grindr users had been obtained by hackers.
Bhatia was also fully aware of the potential of attacks on Avid Life Media (ALM), the parent company of Ashley Madison. “There will be an eventual security crisis amongst one of your properties and the media will leap on it as they always do,” he wrote.
“What separates the companies that get skinned alive from those that quickly recover is how you handle the communication both publicly and even more importantly, to your users,” Bhatia declared. “Silence is the worst possible answer.”
“With what we inherited with Ashley [Madison], security was an obvious afterthought and I didn't focus on it either.”
When other companies were hacked, ALM typically saw the events as PR opportunities, rather than signals to update its own security. “It would be huge if we could get me on as a commentator on this,” Noel Biderman, ALM's CEO, wrote when a third party Snapchat site was attacked in 2014.
“Could be used as a PR spin along the lines of how secure out service is or how much better our ratio [of men to women] is,” Amit Jethani, director of product management, chimed in after the recent Adult Friend Finder hack. Although, another employee wrote that “bragging about security is an invitation to a hacker—so we don't go down that route.”
After the Sony breach, someone recommended the encrypted messaging app Wickr to the company. Biderman was interested in getting more information, but said “I would need some form of proposal to better understand what business opportunity exists,” apparently failing to see the benefit of having encrypted communications.
To be fair, there were instances when company employees did take security seriously. When a vulnerability in Github was announced in 2012, a staff member asked his team to conduct an audit of the company's existing systems.
After the Petraeus scandal, where a retired general leaked classified information to his mistress, one employee suggested implementing an encrypted email service for Ashley Madison users.
Someone also registered the domain of “http://greathackerswanted.com,” which presumably was an attempt to hire white-hat hackers to test the company's security. The domain currently only has a default landing page.But time and time again, it appears the high level staff of Avid Life Media cared more about PR and business strategy than the security of their systems. Now, they're paying the price.