News

Who Hacked Ashley Madison?

by Melanie Schmitz
PHILIPPE LOPEZ/AFP/Getty Images

Since news broke late on Sunday that a popular affair site had been hacked, one question has been looming overhead, taunting the public like some sort of horrible, noir-mystery novel title: Who hacked Ashley Madison? According to investigative journalist and security researcher Brian Krebs, who first broke the story, the group responsible for the massive data breach wasn't shy about announcing its presence, posting a ranting manifesto that claimed the company had been allegedly lying about the services provided under a $19 account deletion program offered to users looking for a full profile scrub. The team admitted to hacking two additional sites owned by parent company Avid Life Media (ALM) as well.

"Too bad for ALM, you promised secrecy but didn’t deliver," wrote the hackers, who identified themselves as the Impact Team, about the company's supposedly faulty "Full Delete" service, which offered subscribers the option to completely scrap all private information on the site for a modest fee. "We've got the complete set of profiles in our DB dumps, and we'll release them soon if Ashley Madison stays online."

ALM CEO Noel Biderman confirmed to Krebs on Sunday evening that the company had indeed been hacked, explaining that technical teams were "on the doorstep" of confirming the identity of those behind the breach and that there was "definitely a person here that was not an employee but certainly had touched our technical services."

Not much is currently known about the so-called Impact Team, except that they were pretty peeved about the whole "account deletion for money" scheme that Ashley Madison had been running for a few years. In 2014, tech website Ars Technica reported that the average Ashley Madison subscriber wasn't too pleased with the program either, citing a reader example from a client named "Rob Plant" who had allegedly used their services and tried to hide his old profile on his own, to no avail. Wrote Plant:

I don't care about my profile being up there (it does offer the opportunity to hide it so that it can't be found and I'm no longer getting e-mails from them). But this does seem like a crappy way of a company extorting money out of a (presumably wealthy) audience eager to quickly hide the details of their sordid extramarital dealings.

That seemed to be the general sentiment expressed by the Impact Team on Sunday as well. In its manifesto, the group continued:

Trevor [Stokes], ALM's CTO, once said "protection of personal information" was his biggest "critical success factors" and "I would hate to see our systems hacked and/or the leak of personal information [exposed]. Well, Trevor, welcome to your worst [expletive] nightmare.
We are the Impact Team. We have hacked them completely, taking over their entire office, and production domains, and thousands of systems...
Michael Bocchieri/Getty Images News/Getty Images

So far, the Impact Team says it has collected sensitive data on over 37 million Ashley Madison users, as well as information stolen from similar hookup sites, Established Men and Cougar Life. The group was able to post a sampling of that data on Ashley Madison's site before it was taken down Sunday. More of that information, the Impact Team claimed, would be posted online unless the sites were taken down.

In a strange twist, the group apologized to ALM Director of Security Mark Steele, who the group said had done his job to the best of his ability — the Impact Team, they explained, just happened to be better:

Our one apology is to Mark Steele [Director of Security]. You did everything you could, but nothing you could have done could have stopped this.

Images: Getty Images (1)