The hackers claim stolen data includes real names and addresses, credit card details, and sexual fantasies.
AshleyMadison, a website that helps individuals hook up for affairs, has been hacked. The site claims to serve over 37.5 million users, and the hackers responsible say that the stolen data includes customer information such as real names and addresses, credit card details, and sexual fantasies.
Security journalist Brian Krebs reported late yesterday that a published sample of the data he had seen contained user account information for some of the site's customers, as well as "maps of internal company servers, employee network account information, company bank account data and salary information."
A spokesperson for Avid Life Media (ALM), the company that owns AshleyMadison, confirmed the site had been hacked. "We apologize for this unprovoked and criminal intrusion into our customers' information," they told Motherboard in an email.
The spokesperson claimed that "our team has now successfully removed the posts related to this incident as well as all Personally Identifiable Information (PII) about our users published online." They said this was done through the use of the Digital Millennium Copyright Act (DMCA), and that ALM has "engaged one of the world's top IT security teams—with whom we have worked in the past—to take every possible step toward mitigating the attack."
Krebs said that in a manifesto, the hacker or hackers responsible—who go by the name "The Impact Team"—said they will release all customer records, as well as the company's employee documents and emails, if their demands are not met. The hackers want ALM to shut down both AshleyMadison and EstablishedMen, another of its sites. EstablishedMen has over 1 million members, and aims to connect "young, beautiful women with rich, successful men!" according to its website.
The Impact Team claims the hack is a response to the fact that a feature the company offers—to fully delete a customer's usage history and identifiable information—does not work as advertised.
"Full Delete netted ALM $1.7mm in revenue in 2014. It's also a complete lie," the hackers reportedly wrote.
At the time of writing, the main ALM website is offline. The ALM spokesperson would not reveal why this was the case, but he did say that "we have been able to secure our sites, and close the unauthorized access points." The investigation into the breach is ongoing.
This is the second hookup website to be hacked in recent months. In May, a database containing information on nearly 4 million users of the site AdultFriendFinder was published online.
Company breaches happen all the time. But when it comes to extramarital affairs, there might be more than a victim's identifiable information on the line.
Update: Avid Life Media sent a comment in response to hackers' claims that user information was still preserved after exercising its paid delete option, and offered the option for free to all users as a response to the breach:
Contrary to current media reports, and based on accusations posted online by a cyber criminal, the "paid-delete" option offered by AshleyMadison.com does in fact remove all information related to a member's profile and communications activity. The process involves a hard-delete of a requesting user's profile, including the removal of posted pictures and all messages sent to other system users' email boxes. This option was developed due to specific member requests for just such a service, and designed based on their feedback.
As our customers' privacy is of the utmost concern to us, we are now offering our full-delete option free to any member, in light of today's news.