There is something undeniably enjoyable about watching a villain get what’s coming to them. Whether it’s watching the Death Star detonate, seeing Gordon Gekko getting taken away in handcuffs or watching King Joffrey drink from the poisoned cup — everyone can get behind watching someone or something unapologetically villainous get what’s coming to them in the most karmically appropriate way possible.
Such epic comeuppances are usually to be found in the world of entertainment, because without the guiding hand of a screenwriter, reality usually doesn’t bear quite as many perfect reversals.
Which leads us to the Ashley Madison hack — a real-life Death Star explosion if there ever was one.
After almost two years of unending data breaches, everyone knows cybercrime is bad, damaging and dangerous. And yet the Ashley Madison hack made us smile. Few could resist the collective “slow clap” that accompanied the news that professional adultery boosters had allowed their very sensitive and supposedly very secure servers to be wholly hacked.
At the time of the breach, the group claiming credit, the Impact Team, made the breach known by posting a small amount of a supposedly larger cache of stolen (and identifying) user data and made Ashley Madison’s owner, Avid Life Media, an offer: take down the site, or see all the data go up for public consumption.
And then … nothing. For about a month the issue didn’t progress – Ashley Madison stayed up, and the data remained under wraps.
Until this week.
That’s when the whole breach went up on the Web in the form of a giant data dump. And this time around, smirks certainly abound. Unless, you are Josh Duggar, or any other Ashley Madison customer.
So how bad was it? Well, that depends on how you look at it. The scope of the breach is still being sorted out — everyone seemingly agrees the data dump is legitimate at this point, but it’s a large volume and by all accounts difficult to decipher. But what is becoming increasingly clear in the days to follow is that the Ashley Madison breach may point to a future that is legitimately scary for everyone — not just those foolish enough to join an adultery-themed website.
By The Numbers
The Ashley Madison hack in terms of the sheer amount of data was massive — 10 GB of data (and that was compressed) from over 33 million accounts — or the equivalent of four motion pictures worth of data. And within those accounts is a virtual buffet of personal information.
Home addresses, 36 million email addresses, phone numbers, partial payment data, first and last names and hashed passwords — and financial transactions.
Paid extra for the premium “guaranteed affair within three months” service? That’s in the records. Paid the company to delete your account and forget they ever saw you? That’s there too. All in, records documenting 9.6 million transactions were included in the full data dump – all of which appeared on an Onion (Tor) website.
Moreover, the leak also turned up PayPal accounts used by company executives, Windows keys for employees, and a lot of internal documents.
And that, security experts have noted, is particularly disturbing news.
“The biggest indicators to legitimacy comes from these internal documents, much containing sensitive internal data relating to the server infrastructure, org charts, and more,” TrustedSec researcher Dave Kennedy wrote in a blog post. “This is much more problematic as it’s not just a database dump, this is a full scale compromise of the entire company’s infrastructure including Windows domain and more.”
The Blackmail Begins
With the exception of one or two high profile names popping out of the database so far, the majority of the massive pile is being sifted through by a variety of parties.
Unfortunately, one of the groups panning the data in the stream are extortionists who are using the opportunity to blackmail people.
An opportunity apparently made possible by that currency that enables all nefarious use cases: bitcoin.
According to reporting in CoinDesk, enterprising goons have begun to reach out to people in the database with threats to expose their cheating ways unless they are paid off in bitcoin. An American Ashley Madison customer sent CoinDesk the email he had received from “Team GrayFlay.” The email indicated some correct details for the user’s account and instructions that he must pay up in bitcoin or be exposed.
“Unfortunately your data was leaked in the recent hacking of Ashley Madison and I now have your information. If you would like to prevent me from finding and sharing this information with your significant other send exactly 2.00000054 bitcoins [approx. value $450 USD] to the following address…” the note said.
The note also gave the user helpful instructions on how to obtain bitcoin (on the off chance they had never heard of the currency before).
Less helpfully, Team GrayFlay also indicated that if they weren’t paid, they would make sure to share the information widely.
“If you are not already divorced then I suggest you think about how this information may impact any ongoing court proceedings,” the message noted. “If you are no longer in a committed relationship then think about how this will affect your social standing amongst family and friends.”
The Alarming Trend
While it may have been fun to gloat about the fall of the house of Avid Life, no one seemed more committed to gloating than Impact Team themselves.
“Avid Life Media has failed to take down Ashley Madison and Established Men,” the Impact Team wrote in a statement accompanying the alleged leak, according to Wired. “We have explained the fraud, deceit, and stupidity of ALM and their members. Now everyone gets to see their data. Find someone you know in here? Keep in mind the site is a scam with thousands of fake female profiles. See Ashley Madison’s fake profile lawsuit; 90-95% of actual users are male. Chances are your man signed up on the world’s biggest affair site, but never had one. He just tried to. If that distinction matters.”
Impact Team, the BBC noted, is an interesting bird. They are unlike many other hacker groups out there in a few regards. They seem to have formed purely for this venture, as there was no evidence of them before this. They have no interest in what usually interests hackers: the credit card data and other financials. This hack seems purely to have been based on what The Washington Post called a “moral vendetta.” The point of this wasn’t to steal financial data, or data that was easily monetizable. The point was to humiliate people and a company.
And that, The Awl noted, is not a laughing matter, because this story is not so much about bad people getting hacked, but about how we relate to the apps and Web spaces where we expect to have some kind of privacy.
On the whole, consumers are protected from the financial loss associated with data breaches; they don’t pay the costs of fraud — issuers and merchants do. But the costs of this kind of breach apply directly and mostly to the consumer — and in a way that is hard to calculate. And while Ashley Madison is an extreme example of an embarrassing hack, there are many more examples one could think of.
As of 2011 there were 260 million pornography pages on the Internet, and millions upon millions of them are paid sites. One might assume those people don’t want those accounts made public to others. But one doesn’t even have to a take prurient route to find private information people might be uncomfortable sharing.
Like health information, for example.
Consumers increasingly navigate their worlds using mobile devices and online, and though security is a prevalent concern, history has trained them to aim that concern toward financial fraud and hackers who want their credit card number or their Social Security number (so they can take out a credit card in their name).
Consumers are less trained mentally to deal with cybercriminals who are merely on the hunt for embarrassing data to use as leverage. And yet that is exactly the kind of hacker team Impact Team is.
This time that leverage was first used against the company itself, but it is easy to imagine a future where the leverage is used against the consumer. And in those cases, hackers won’t have to steal customer’s payment information from them, because someone who really wants to keep a secret will give it to them willingly.
So while it’s easy to laugh at Ashley Madison today, it might just get a lot less funny going forward if hackers decide that instead of hacking people’s financial data, they just hack people and extort them financially instead. Or if consumers decide that the risks to their privacy aren’t worth it — and decide to short circuit the mobile revolution early on.
Innovators, get busy – and help us sort this big problem out.