Following the recent high-profile news that Avid Life Media (ALM), the company behind adult fantasy website Ashley Madison, had been the victim of a successful cyber attack on the personal data of its 37 million users, it now appears the company has suffered multiple leaks. The first leak, containing 9.7 gigabytes of customer data stolen from the dating site, was released on the dark web. The hackers responsible, known as Impact Team, have subsequently released a further 18.5 gigabytes of data containing internal emails and source code for the website and app.
The initial data released includes millions of payment transactions, with names, street addresses, email addresses and possibly even GPS coordinates. This now freely available information can arm other cyber attackers and blackmailers with the weapons to cause even more damage to Ashley Madison users at work or at home.
Ken Westin, Senior Analyst at Tripwire:
“These kinds of breaches can be quite disastrous for individuals who signed up for web services with the expectation of confidentiality and privacy. Even if users of the site had paid a fee to remove their profile and history, their personal information was still compromised. Unfortunately, in these situations even if aliases were used the profile is still linked to real names through credit card transactions, emails and other pieces of data. If this information is released it could expose the 40 million users of the various online entities, and it has the potential to compromise much more than just email addresses and credit card numbers. Information associated with adult services has the potential to ruin lives, be used for blackmail or even espionage purposes if government officials are involved.
These kinds of compromises expose an ongoing issue of websites and services which claim to protect privacy and anonymity in their marketing collateral, or in this particular service it was the key feature. The problem is in order for these services to operate and collect money, the anonymous profiles are usually connected to a real identity. The amount of information these services collect regarding activity and interactions with the website such as IP addresses, usernames, email addresses, browsing history and other information increases the stakes, particularly if this data is archived instead of deleted.”
Blue Coat, a cyber security technology company investigating the breach, predicted last month that the Ashley Madison breach would have a long tail, and believes there is certainly more to come from ALM:
Reselling personal data to other cyber attackers:
Now that more than 9 gigabytes of data has been released, attackers may begin to look at the financial value of a target to see if they will profit from the time spent building malware for the attack. This data is most likely to be amongst some of the most valuable data sets compromised so far. If it is worth $100 to ‘go away’ and there are 37 million users, this could be one of the largest cyber heists in history.
Financial or non-financial blackmail of Ashley Madison and its customers:
Not all of the personal data of Ashley Madison users has been released; therefore cyber attackers may go directly to the management, or to the individual users of Ashley Madison, and ask for a payment for the release/deletion of personal data. Blackmail can also happen through non-financial means by coercing victims into working with the attackers as an insider.
Social Engineering to take down bigger business targets:
Attackers can identify high value targets who are members of Ashley Madison and collect widely available social media data to impersonate the victim over a long period. If successful, attackers can gain unrestricted access to corporate networks and sensitive work information.
Stephen Coty, chief security evangelist at Alert Logic, has been mining the leaked data from the Ashley Madison breach and has discovered that over 14,000 government officials’ information has been compromised. He comments:
“With such diversity of individuals, whose information was compromised through the Ashley Madison hack, you have to wonder what the lasting impact of this breach can be. What are the implications to the companies these individuals work for? Will these individuals give in to blackmail to betray their employer, save their marriage or relationship? What can this data, plus the information from breaches like OPM, be used for to compromise our national security or trade secrets? These are all questions employers should be asking themselves.
People will always be a risk to any company’s security strategy. When I was a penetration tester, I always relied on other people to gain access into an environment. I would commonly drop USB drives in parking lots, relying on someone to pick it up and plug it into their workstation just to see, out of curiosity, what was on the drive. 9 out of 10 times this would always grant me access into the customer’s environment.
Now with this latest breach, we have an opportunity to use a similar tactic to show evidence of an individual’s infidelity to motivate them to give me the information that I want. Once I have this information, I can sell it on the underground to either a competitor or an overseas start-up for considerably more than I could ever get by simply blackmailing an individual.
Should employers start locking down their internet and mail services to work functions only? Should HR and Corporate Security policies be enforced with actual consequences? These are all challenges that corporate security teams have been dealing with for years. Should we now start empowering our security teams to do their jobs efficiently? In order to do that job efficiently, companies need to invest in the people, process and technologies to build a comprehensive and effective security strategy. This also means investing in a threat research and intelligence function that will mine for lost and stolen data to understand and combat the risk that our employees introduce into our environments.
This is a sample of data to give you the extent of individuals that used corporate accounts for their Ashley Madison account profiles. I tried to randomly hit domains from different countries and different industries.”
More news will be posted as it becomes available