The fallout from the massive security breach of cheating website Ashley Madison continues to escalate with extortion, exploitation, lawsuits and even deaths now linked to the hack.
The site’s owners Avid Life Media first acknowledged the breach on July 20, but not the demands of the alleged hackers to take down its sites or risk having hacked data leaked publicly.
After the demands failed to be met, the hackers – known as Impact Team – made good on their threat and released several large data dumps to the web, beginning August 18.
The dumps contained a myriad of account details for the site’s 36 million-plus members and a trove of data and correspondence from executives of Avid Life Media.
Though passwords were securely hashed – something of a rarity in data breach cases – security experts still believed they could be cracked by motivated hackers.
Fears that the data dumps could lead to exploitation of the site’s users were soon realised.
Security blogger Brian Krebs reported the first extortion attempts on users. An IT manager leaked a copy of emails being sent to users on his email domain demanding Bitcoin payment in return for silence.
A number of sites have sprung up offering to let people check whether they – or their partner – have been compromised in the breach.
Some sites like Trustify caused outrage and were quickly branded ‘ambulance chasers’ after they sent unsolicited emails to affected addresses offering to “talk with our experienced investigative consultants to learn how you can find what incriminating information is available and could ruin your life”.
Trustify later changed its tune and limited searches only to people who were directly affected by the breach – falling into line with other more ethical search tools such as security expert Troy Hunt’s ‘Have I been Pwned?’.
The potential for search tools to be exploited came not only in the form of blackmail attempts, but also public exploitation, after a Sydney radio station used details from a search site to verify live on air that a caller’s partner was using Ashley Madison.
Technology publication Wired warned people not to visit search sites or input their details. “Don’t check [them],” it said. “No good can come of this.”
Canadian police claim two people caught up in the breach had taken their own lives as a result, although few details were released on the alleged link.
Investigations underway
The attacker or attackers responsible for the breach of Ashley Madison have yet to be unmasked, although some security experts believe it was an inside job rather than the work of a malicious third party.
Aside from its business model, Ashley Madison is winning few friends – particularly after the latest data dump revealed alleged evidence that it hacked at least one rival in the past few years.
It is also facing legal and regulatory questions from multiple jurisdictions, including Australia where the Office of the Australian Information Commissioner (OAIC) has launched an inquiry.
“Avid Life Media, the company that operates the Ashley Madison website, is based in Canada and, recognising the global nature of this incident, the Commissioner’s investigation will be conducted jointly with the Office of the Privacy Commissioner of Canada,” Acting Australian Information Commissioner Timothy Pilgrim said.
“Avid Life Media has already been co-operating with the OAIC since it began making preliminary inquiries following news that the breach had occurred.
“The OAIC will publish a further statement at the conclusion of its investigation, outlining its findings.”