After an associate found a vulnerability in the site, the CEO said he wanted to steal the email addresses.
If you want to succeed in business, you need to keep an eye on what your competitors are doing. But judging by a cache of alleged internal emails published by hackers, Noel Biderman, the CEO of Avid Life Media (ALM), the company that owns Ashley Madison, wanted to go a step further.
After an employee apparently discovered a serious vulnerability in a competing site, it appears Biderman encouraged him to steal the user emails of the site.
It started with a casual message from Raja Bhatia, Avid Life Media's founding chief technology officer, in November 2012.
"Also nerve's dating site has a huge security hole...." he wrote to Biderman, referring to Nerve.com, a content publishing site that ran a dating service in the past. This message was included in the huge dump of alleged ALM emails released last week by the hackers who breached the company, who call themselves The Impact Team.
Back to the conversation, Biderman was obviously keen to hear more about this vulnerability. "What is the security hole? How did you hear about it," he wrote.
Bhatia then detailed that he had done "a little digging" into how Nerve's site worked. "They did a poor job of auditing their site. Have access to all their user records including emails, encrypted password, if they purchased or not, who they talked to, what their search preferences are, last login, fraud risk profile, who they blocked or are blocked from, photo uploads, etc."
Basically, Bhatia had gained access to nearly everything about a user, and in a further email to another employee, he added that "I can turn any non paying user into a paying user, vice nversa, compose messages between users, check unread stats, etc."
Biderman wanted to take advantage. "Holy moly..I would take the emails..." he replied.
But Bhatia wasn't keen. "can't do it.. want to be able to look my son in the eye one day." Bhatia did, however, demonstrate to Biderman how to complete the process, and sent a .txt file apparently containing a wealth of information on a Nerve user. The file included an email address, seemingly hashed password, and plenty of other data.
Bhatia also posted a link to a secret page on a Github account with the allegedly stolen data of a Nerve user. When Motherboard accessed the link, the data was still live and the page looked legitimate. It was linked to the profile of "raja."
Biderman then tried the trick out for himself, according to another alleged email, but received an error message.
Representatives from HowAboutWe, which bought Nerve.com, were not immediately available for comment. Raja Bhatia also did not respond to emails. We reached out to an Avid Life Media representative and will update if the company decides to comment.
Strangely, by looking at the hacked emails, there was even the potential for ALM to purchase Nerve. In one of those exchanges, Biderman jibbed "Should I tell them of their security hole?" It is unclear whether he, or anyone at ALM, did inform Nerve of the problem.
Regardless, the CEO of Avid Life Media wanted to steal the user email addresses of another website, and when his associate wouldn't do it, tried the method out himself.
Update: Avid Life sent a response saying Biderman and Bhatia's comments were taken out of context, and the interpretation that Biderman wanted Nerve.com's user emails is "incorrect and unfortunate." A representative writes: "Nerve was exploring strategic partnerships in May of 2012 and reached out to Noel to determine Avid Life Media's interest in the property.At the time Noel did not act on that opportunity."
"In September PTC Advisors, representing Nerve, contacted Noel and provided a more detailed brief on the opportunity. This communique was followed by a number of conversations. Subsequently Noel contacted Raja Bhatia and asked for his assistance in conducting technical due diligence on the opportunity. This activity, while clumsily conducted, uncovered certain technology shortcomings which Noel attempted to understand and confirm.
"At no point was there an effort made to hack, steal or use Nerve.com's proprietary data."