‘Time’s Up!’ That’s the simple message that hacking group Impact Team released to the executive staff of Avid Media as they released over 32GB of internal data ranging from salary information, to the detailed sexual fantasies of the AshleyMadison.com customer base.
Last month, you may recall we reported on the hack and subsequent loss of data from the “online cheating site” Ashley Madison. Attackers representing the hacking group Impact Team quickly took responsibility for the breach resulting in the loss of source code, customer records, financial information, and (possibly the most embarrassing of the information) the detailed and personal fantasies of a reported 37 million members of the site.
The statement released by Impact Team at the time demanded that Avid Media, the company behind the AshleyMadison.com website, shut down the service or risk having this confidential (and very personal) customer data leaked to the Internet.
Avid Media opted not to concede to the demands of the attackers after threats of leaking data were issued. Late yesterday afternoon, Impact Team made good on their promise to spill the beans by releasing a 9.7GB torrent containing the information that the group had claimed to be in possession.
Links to the data dump first appeared yesterday on websites only accessible via the TOR network, and then were quickly disseminated to popular torrent websites and other file sharing services. The file names contained within the torrent provide a glimpse of the data contained within the archives. Email addresses, member login credentials, and credit card transaction histories are all listed as components of the released data.
Analysis of the downloaded information confirms the initial claims by Impact Team that personal and confidential information were compromised from the AshleyMadison.com website. The decompressed archives contain a total of 32.8GB of customer information, personnel salary data, spreadsheets containing email and password combinations, revenue reports, source code, customer chat logs, and profiles of a large number of members.
Based on a ‘Company Overview’ found among the stolen files, the cheating website received over 2.3 billion visits in 2014 – an increase of 233% from the previous year. Of those curious visitors, 2.5 million signed up for services – an increase of 34% from the previous year. It is of interest to note that according to the article posted by Wired on this matter, the users of this site are 90%-95% male, with many of the female profiles being fake.
Those two years alone account for almost 4.5 million paying subscribers. And considering records date back to 2002, there are potentially many millions of customers who are now at risk of identity theft, spear phishing, blackmail, and/or fraud.
Despite the efforts by Avid Media to obscure customer information, the leak of such a large portion of their internal records easily allows curious lookers to piece together information to uncover the identities of members.
It only took a few minutes to track down the following user account, including name, email address, city/state, chat records, and personal fantasies (not really appropriate to reproduce here) of this particular customer.
As can be seen, User ID# 32712635 can be traced back through billing records to show the date services were purchased. This information can be correlated with the Ashley Madison dump log to find Date of birth, chat history, and sexual fantasies (represented by the 2 digit number). The ‘LAST NAME’ column of the CVS billing record lists the full name of the subscriber, while the first name lists the trackable user Identification number.
Even the most novice of hacker will be able to build small tools to quickly parse the data and compile databases of customer information which can then be sold on underground forums. Current or previous customers of Avid Media services would be wise to stay vigilant with regard to potential scams which may result from their information being compromised.
Already, savvy computer analysts are combing through the data and releasing blocks of information on snippet-sharing websites detailing the email addresses belonging to government domains. Large lists containing thousands of email addresses each have been dumped to popular websites. In the coming weeks, this information will surely be analyzed to determine the validity of the released information, or to verify the claims by Impact Team that many of these records are falsified.
The attack on the Avid Media infrastructure is yet another example stressing the importance of stringent computer security. This unfortunate incident should be a lesson to us all. Maintaining unencrypted copies of customer databases, financial records, salary information, and other confidential information in a single location is a recipe for disaster. Vital information should be encrypted, and then segregated across multiple servers all using a separate set of credentials and passwords. And by all means, don’t leave unencrypted Excel files laying around with passwords for all the various environments. This one practice defeats even the most secure systems and security protocols.