Ashley Madison hack exposes IT details and customer records
The documents are a hodgepodge of details, ranging from IT infrastructure, sales and marketing data, customer records, and more.
In the message that accompanied the data, published online in multiple locations Sunday evening, Impact Team quoted ALM's CTO Trevor Skyes stating that protection of personal information was one of his biggest successes.
The quote goes on to say that he'd hate to see the company's systems hacked or customer information leaked. But that's exactly what's happened.
As part of the post announcing the hack, Impact Team said in part:
"We have hacked them completely, taking over their entire office and production domains and thousands of systems, and over the past few years have taken all customer information databases, complete source code repositories, financial records, documentation, and emails, as we prove here. And it was easy. For a company whose main promise is secrecy, it's like you didn't even try, like you thought you had never pissed anyone off.
"Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers' secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails. The other websites may stay online."
Impact Team claims that one of the reasons for targeting ALM is because the company "profits on the pain of others."
The group released nearly 40 MB of data as proof of their claims, which includes limited credit card transaction details, zone data on two domains, as well as several documents taken form the ALM data servers.
One of the leaked documents is an infrastructure overview of ALM, including a technical map of the network, and a detailed breakdown of the apps and services used on the company's front-rail and back-rail servers.
Another leaked document outlines the possible risks the company faced in relation to customer data and the possible outcome during a given scenario. All of the items in the document are valid risk assumptions, which would make it part of a larger security plan or internal evaluation.
Some of the concerns include the loss of compliance status due to an oversight or bug in development, or a process failure leading to the loss of PCI compliance. The document also singles out XSS and SQL Injection vulnerabilities as another concern, in addition to man-in-the-middle attacks and malware infections on the internal network.
A presentation leaked by Impact Team shows that the company made $1.7 million in 2014 by charging users $19.00 to remove all of their personal information form the website.
"Users of the service want full discretion, they can pay to eliminate any trace of themselves from the site," the slide explains.
However, the leaked records show otherwise. One record posted by Impact Team shows the customer with a "paid delete" status, but purchase records kept by the company enabled the group to determine the customer and all of his account details.
[Note: Last year, Ars Technica covered this topic as it relates to Ashley Madison. The story offers additional information on the topic of paying to remove member data.]
In their announcement, Impact Team offered an apology to Mark Steele (ALM Director of Security).
"You did everything you could, but nothing you could have done could have stopped this."
ALM CEO Noel Biderman told journalist Brian Krebs that it's possible the attackers worked for his company at one point and had legitimate internal access.
"We're on the doorstep of [confirming] who we believe is the culprit, and unfortunately that may have triggered this mass publication. I've got their profile right in front of me, all their work credentials. It was definitely a person here that was not an employee but certainly had touched our technical services," Biderman said.
"We're not denying this happened," he added. "Like us or not, this is still a criminal act."
The company has made no other public statements. A search of the Ashley Madison and ALM websites on Sunday evening turned up no public disclosure or notice related to the incident.