The company's security was bad, the hackers say.
For the past week, international media has reported on the hack of extramarital site Ashley Madison and its parent company Avid Life Media, which has affected potentially tens of millions of site users, as well as spewed the alleged source code of the company's products onto the dark web.
The hackers behind the breach, who call themselves The Impact Team, first released snippets of the data back in July. After nearly 30 days, they then dumped 10GB of customer information, shortly followed by another 20GB of internal data. Minutes ago, the hackers also posted a third data dump.
Motherboard was given a contact email address for The Impact Team by an intermediary. After reaching out, the hackers replied with a message signed with the same PGP key posted with the Ashley Madison dumps.
"We didn't blackmail users. Avid Life Media blackmailed them"
The Impact Team only agreed to answer questions via email. The following is a short Q&A with them, edited lightly for clarity.
MOTHERBOARD: How did you hack Avid Life Media? Was it hard?
The Impact Team: We worked hard to make fully undetectable attack, then got in and found nothing to bypass.
What was their security like?
Bad. Nobody was watching. No security. Only thing was segmented network. You could use Pass1234 from the internet to VPN to root on all servers.
When did you start hacking them? Years ago?
A long time ago. [Note: in a README file in the first data dump, the hackers wrote that they had been collecting information from the company "over the past few years."]
What other data from Avid Life Media do you have?
300GB of employee emails and docs from internal network. Tens of thousands of Ashley Madison user pictures. Some Ashley Madison user chats and messages. 1/3 of pictures are dick pictures and we won't dump. Not dumping most employee emails either. Maybe other executives.
Why did you release the dumps in chunks, rather than bit by bit?
Is our Eng[l]ish bad? This was always the plan. Our first release had one sample dump of 2700 transactions. One from 2008-03-21...2015-06-28. One per day. Next was everything. Easier that way.
What do you think about Avid Life Media's (and CEO Noel Biderman's) reaction?
They make $100,000,000 in fraud a year. Not very surprised they didn't shut down. Maybe lawyers can shut them down now. They sound like politicians, cannot stop lying. They said they don't store CC [credit card information]. Sure, they don't store email either, they just log in every day to server and read. They had password to CC processor. We dumped from CC processor.
[Update: when asked to clarify, The Impact Team sent the following.]
They have payment processors. The payment processors store most of the credit card number and billing address. Like how gmail stores their email. They can log in and look up transactions.
What were your motivations for the hack?
We were in Avid Life Media a long time to understand and get everything. Finally we watched Ashley Madison signups growing and human trafficking on the sites. Everyone is saying 37 million! Blackmail users! We didn't blackmail users. Avid Life Media blackmailed them. But any hacking team could have. We did it to stop the next 60 million. Avid Life Media is like a drug dealer abusing addicts.
Is evidence that 'Full Delete' does not work included in the dumps?
Yes. Many accounts and identities in there.
How experienced are the hackers in The Impact Team?
Will The Impact Team be hacking any other sites in the future? If so, what targets or sort of targets do you have in mind?
Not just sites. Any companies that make 100s of millions profiting off pain of others, secrets, and lies. Maybe corrupt politicians. If we do, it will be a long time, but it will be total.