This week, we're getting into some crazy talk about Ashley Madison, the dating site whose tagline is "Life is short, have an affair". They got hacked back in 2015, and I'm pretty sure there's more to it than you remember. So let's talk. Discord: https://discord.gg/mBPbWcVRYR Store: https://store.whattheshellpod.com Website: https://whattheshellpod.com
When you use a website that requires you to create an account, you're immediately putting some level of trust into the owners of the site. It's a trust that your email address and password will be safe, and that what you do on the site won't be shared unless you want it to be. You're trusting that they are following industry standards and building out their platform safely and reliably. This is even more the case with sites where someone might be doing things that are, say, a bit promiscuous, maybe even unethical and borderline illegal. Well, in 2015 a site whose tagline was "Life is short, have an affair" proved that life was indeed short. In fact, it was apparently too short to bother buttoning up their security. So come with me as we dive deep into the world of internet affairs, shady executives, and blatant disregard for users. My name is John Kordis, and today I'm inviting you to join me on this trip where I'll explain What the Shell happened with the Ashley Madison hack, and why it's probably a little crazier than you remember it being.
Let's take a beat real quick, because some of you might know exactly what Ashley Madison is. In case you didn't pick up on it from the tagline "Life is short, have an affair", the site helps married individuals cheat on their partner through an online dating app. The site is operated out of Canada and has been around since 2002. It's possible that this website is older than some of my listeners at this point!
The site has faced a lot of controversy over the years stemming from its unethical business, but that's not the side we're here to talk about today. We're here to talk about something that really brought them front and center for a bit. We're here to talk about how badly they got hacked.
So let's set the stage here. I'm going to, briefly, put us in the role of a standard employee at Ashley Madison. It's July 12th of 2015. If you're coming off weekend movie plans you probably just saw either Terminator Genisys or Magic Mike, the two movies dominating the box office at this point. But when you get into work today something is different. There's a hubbub around the office. People are panicking and look like they've got no idea what's going on. So you make your way to your desk, and just as you're sitting down it all comes together for you.
What you see isn't your usual desktop login. It's a message, and as you look around you see that it's a message that's currently on everyone's screen. And that's when you hear something too. There's a song playing, and you know it: it's Thunderstruck by AC/DC. The message accompanying this? Well, it said that unless the owners of Ashley Madison shut the site down, they were going to have client data leaked to the public.
Now, we've had situations like this in previous episodes. Hackers get in and try to extort the people they're going after for money. But this isn't that. There's no ransom demand beyond "shut it down".
The hackers call themselves the Impact Team. They've got an agenda and want it seen through. In interviews since, they claim to have been on the network for several years at this point, deciding that now was the right time to act.
Unfortunately for them, there really wasn't much movement from Ashley Madison, so a week later they took the pressure to the internet and made it public. They posted their warning message and a sort of manifesto on Pastebin. Pastebin is a site that's frequently used for data dumps, and it's fairly easy to post anonymously from. I've got the message, as it appeared on the desktops, on my website, whattheshellpod.com, but I'm going to read it out for you. It's a bit of a long one, so buckle up. I'll try to provide context where I can:
https://medium.com/@dannymack/the-impact-team-manifesto-to-ashleymadison-com-5d4e7225b787
It starts, quote, "AM and EM MUST SHUT DOWN IMMEDIATELY PERMANENTLY". That's AM for Ashley Madison and EM for ….
It goes on to say "We are the impact team. We have taken over all systems in your entire office and production domains, all customer information databases, source code repositories, financial records, emails.
Shutting down AM and EM will cost you, but non-compliance will cost you more. We will release all customer records, profiles with all the customers' secret sexual fantasies, nude pictures, and conversations, matching credit card transactions, real names and addresses, and employee documents and emails. Avid Life Media will be liable for fraud and extreme harm to millions of users."
That was the message to Avid Life Media. Now we get to the bit of a manifesto they posted with it. They posted to Pastebin, quote:
"Avid Life Media runs Ashley Madison, the internet's #1 cheating site, for people who are married or in a relationship to have an affair. ALM also runs Established Men, a prostitution/human trafficking website for rich men to pay for sex, as well as Cougar Life, a dating website for cougars, Man Crunch, a dating site for gay dating, Swappernet for swingers, and The Big and the Beautiful, for overweight dating. Trevor, ALM's CTO, once said 'Protection and personal information were his biggest critical success factors' and that he'd hate to see his systems hacked and/or the leak of personal information.
Well Trevor, welcome to your worst fucking (sound effect that out) nightmare. We are the Impact Team. We have hacked them completely, taking over their entire office and production domains and thousands of systems, and over the past few years have taken all customer information databases, complete source code repositories, financial records, documentation, and emails, as we prove here. And it was easy. For a company whose main promise is secrecy, it’s like you didn’t even try, like you thought you had never pissed anyone off.
Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails. The other websites may stay online.
So far, ALM has not complied
Avid Life Media will be liable for fraud and extreme personal and professional harm from millions of their users unless Ashley Madison and Established Men are permanently placed offline immediately.
Our one apology is to Mark Steele (Director of Security). You did everything you could, but nothing you could have done could have stopped this.
This is your last warning,
That was a lot, but it was still just a glimpse at what they posted. Let's break it down a bit. We know their goals. They want the entirely unforgivable side of Avid Life Media shut down. You'll notice that they don't ask for all the sites to be shut down, presumably just the ones they deemed to be over the line. But what did they mean when they said that Avid Life will be liable for fraud and harm to their users?
Well, I think part of the message is the harm they've caused by potentially crumbling marriages, but even more so the practice of their, quote, "paid delete" service. You see, this wasn't a site you could just delete an account from. No, if you wanted all your identifying info taken off the site, you had to pay for Ashley Madison to remove it. Now, in my personal opinion that's scummy. Since this happened there have been laws put into place to help avoid this, but at the time, if you had an account you were essentially being fiscally coerced into paying up if you wanted to avoid getting found out at some point.
And so far there's no fraud in that. But what the Impact Team found was that ALM never actually deleted the data entirely, so they've established that users were paying for a service that was not delivered.
And how did they prove this? Alongside the manifesto post, they also released two of the records they'd accumulated. One from a man in Brockton, Massachusetts, and one from a man in Mississauga, Ontario, Canada. The latter was someone who had explicitly paid to have their account removed completely. So yeah. Not complete. Not removed.
It wasn't just that information, though. It included names, password hashes, emails, marital status, and even a laundry list of sexual fantasies. It's essentially a marriage-ender in a bottle.
And if you thought that the Impact Team had any kind of remorse on this, they didn't. They'd keep on going in their manifesto to say “Too bad for those men, they’re cheating dirtbags and deserve no such discretion,” the hackers continued. “Too bad for ALM, you promised secrecy but didn’t deliver. We’ve got the complete set of profiles in our DB dumps, and we’ll release them soon if Ashley Madison stays online. And with over 37 million members, mostly from the US and Canada, a significant percentage of the population is about to have a very bad day, including many rich and powerful people.”
They would go on to give Ashley Madison and Avid Life 30 days to shut down.
It was right about this point, on the 19th and 20th of July, that news sites started picking it up too. Now, if Ashley Madison wasn't going to work with the Impact Team, maybe they'd work with all their angry users and the media. Ashley Madison at this point also put out a statement for the media. It's pretty boilerplate, saying that they're aware of the breach and working to resolve the issue. They apologized to customers for the breach of confidentiality and the intrusion into their information. They brought in an external cyber security firm to help investigate.
When talking to Brian Krebs, a cyber security researcher and journalist, Ashley Madison chief executive Noel Biderman said: "We're not denying this happened. Like us or not, this is still a criminal act."
And he's got a point there. However you view it, what Ashley Madison does is legal, and breaking into their network is still a crime. At this point I think it's fair to call it hacktivism.
And at this point it seems like Biderman doesn't want to play ball. They're going through the motions of everything that says they have every intention of staying online.
Well, 30 days comes and goes and guess what. On August 18th, 2015 a big old TIMES UP post hits Pastebin. This dump of information is substantial with a capital s.
This was a torrent file with about 10 gigs worth of data. It contained email addresses and information that left the company and media outlets scrambling to confirm its legitimacy. The dump was announced on the dark web, which means it was reachable only through a .onion address, which you can only get to over the Tor network (the Tor Browser, for instance; a VPN isn't what gets you there). Things included in this? Login names and password hashes, seven years or so of credit card and transaction details, and more. Now, what's interesting here is that this contained the details of around 32 million users, but the group claimed to have the information on 40 million at the time. So they still hadn't dropped the full picture yet. To add a bit of clarity here: 32 million users doesn't mean 32 million real people. Some of these could have been fake accounts, bots, or spy accounts of people using the site to find out if their significant other was on there. One thing of note is that the site didn't require any email verification. This meant you could give a fake email, or somebody else's, and still get an account set up.
It might shock you to know that 15,000 of these emails were .gov or .mil addresses. Again, that doesn't mean all 15k are legitimate, but it's hard to believe that 100% are fake.
With those account credentials came password hashes produced by the bcrypt algorithm. bcrypt is a salted, deliberately slow hash, so every guess costs real compute time, which is the point. But slow doesn't mean safe: ambitious hackers, while needing to devote time and resources here, would eventually be able to crack the weaker passwords with a wordlist and get access to chat logs, pictures, and more. Not only that, but they'd be able to add a username and password pair to whatever internal database they keep to sell or reuse. After all, we all know everyone uses a completely different email and password for each and every site they visit, right? Hackers would have a field day getting more access than just this.
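To make the bcrypt point concrete, here's an added example of my own, not code from the leak or from Ashley Madison, showing what a wordlist attack looks like against two styles of password storage. The wordlist and the email/password pairs are constructed. Because real bcrypt needs the third-party bcrypt package, the standard library's PBKDF2-HMAC function stands in for it here (an assumption, flagged in the code); it shares the two properties that matter, a per-user salt and a tunable cost that makes every guess expensive. The last function shows the credential-stuffing step described above: taking passwords cracked from one dump and trying them against another site's hashes.

```python
import hashlib
import hmac
import os
import time

# Constructed wordlist: a tiny stand-in for the leaked/common-password lists
# discussed in the episode. Real lists run to millions of entries.
WORDLIST = ["123456", "password", "qwerty", "letmein", "Pass1234",
            "iloveyou", "welcome1", "dragon", "football", "monkey"]


def fast_hash(password):
    """Unsalted SHA-1: one cheap operation per guess, so a cracker can test
    billions of wordlist entries per second on commodity GPUs."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def slow_hash(password, salt, iterations):
    """Salted, iterated PBKDF2-HMAC-SHA256, used as a stand-in for bcrypt
    (assumption: real bcrypt needs the third-party 'bcrypt' package; this is
    stdlib only). It shares what matters with bcrypt: a per-user salt, so one
    guess only tests one account, and a cost knob that makes each guess slow."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def crack_fast(target_hex, wordlist):
    """Dictionary attack on an unsalted hash: hash each word, compare."""
    for word in wordlist:
        if hmac.compare_digest(fast_hash(word), target_hex):
            return word
    return None


def crack_slow(target, salt, iterations, wordlist):
    """Same attack against the salted KDF. The attacker knows the salt and
    cost (both sit next to the hash in the dump) and pays the full cost per guess."""
    for word in wordlist:
        if hmac.compare_digest(slow_hash(word, salt, iterations), target):
            return word
    return None


def cost_ratio(iterations=20_000, trials=20):
    """Rough per-guess cost of the slow KDF relative to unsalted SHA-1.
    At bcrypt's usual cost settings the ratio is in the tens of thousands."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for _ in range(trials):
        fast_hash("Pass1234")
    fast_t = time.perf_counter() - t0
    t0 = time.perf_counter()
    for _ in range(trials):
        slow_hash("Pass1234", salt, iterations)
    slow_t = time.perf_counter() - t0
    return slow_t / max(fast_t, 1e-9)


def find_reuse(cracked, other_site):
    """Credential-stuffing check: which email -> password pairs cracked from one
    dump also open accounts elsewhere? `other_site` maps email to that site's
    unsalted SHA-1 hash (constructed; against a live target this is a login attempt)."""
    return [email for email, password in cracked.items()
            if email in other_site
            and hmac.compare_digest(other_site[email], fast_hash(password))]


if __name__ == "__main__":
    salt = os.urandom(16)
    print("fast:", crack_fast(fast_hash("Pass1234"), WORDLIST))
    print("slow:", crack_slow(slow_hash("Pass1234", salt, 20_000), salt, 20_000, WORDLIST))
    print("cost ratio (slow/fast):", round(cost_ratio()))
    other = {"a@example.com": fast_hash("Pass1234"), "b@example.com": fast_hash("unrelated")}
    print("reused:", find_reuse({"a@example.com": "Pass1234", "b@example.com": "dragon"}, other))
```

Both crackers recover "Pass1234" because it is in the list; the difference is only how long each guess takes, which is why a slow hash protects strong passwords and does nothing for weak ones. The salt also means a guess against one account tells you nothing about another, so there is no precomputed table to reuse across the 32 million records.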
With this dump The Impact team let out the revelation that roughly 90-95% of the users here were male. They went on to taunt the men saying that chances are they just signed up but never actually had an affair, just tried to and failed. Not that the distinction really mattered.
They also invited the men to file a class action against Avid Life to claim damages. And I'll admit I feel like you don't see this too often. Usually the users are just disregarded, but here you see the Impact Team sticking it to Avid Life twofold. First, here's your failure to provide a service; now, to hit you while you're down, I'm going to make sure everyone we just exposed knows they can sue YOU.
In the coming days, it would come out that these were in fact genuine data dumps. The information was acquired from Ashley Madison and verified to be real user information.
The public was starting to have a field day with this too. As people became aware of just how big the dumps were and how much data there was to sift through, sites started popping up that let anyone search the dumps to see if their significant other or anyone they knew was in them. Services that would find out the information for you appeared, and it seemed that all these men who had been hiding in the shadows of this site were now brought completely into the light.
We're going to jump forward a bit for just a second and expand on that. Think about it: if that came out right now and you were married, would you go check? I have a feeling the answer would be no, and a lot of the men on this site were probably counting on that. But the Impact Team wouldn't be the only ones trying to wreck things.
Hackers, scammers, and those looking to make money started to use these data dumps to blackmail people. Within a week of the dump, by the end of August, users of the site were being threatened with exposure to their family and loved ones unless they paid. These people saw a gleaming opportunity to make a profit. And given how widely the data was available and how many people had it, it's likely that more than one extorter went after the same person. This whole thing was really starting to escalate.
In that same week following the attack things would continue to get worse for Ashley Madison.
On the 20th, the Impact Team released a second dump of data. This time it was internal data: email logs, source code for the application, and even the complete email history of Biderman, the CEO.
3 Days later they hit it yet again. This time, it was back to the User data, specifically government accounts that had been registered, as well as the user information from several southern states.
And it was on the 24th that one of the prophecies of the Impact Team came to pass. The class action lawsuit on behalf of the users was filed. A 578 million dollar class action began on behalf of the exposed users and those who had used the paid delete service. This would culminate in Ashley Madison agreeing to pay 11.2 million to settle litigation in the US alone. All in all, everything the Impact Team said would happen came to be. Ashley Madison didn't shut down the website, the data was dumped and proved real, pretty much every internal record that mattered came along with it, and not only did Ashley Madison have to pay out the lawsuit, they paid in the form of a reputation hit.
Not that the reputation of a site which solicited affairs was great to begin with, but prior to this no one really contested their ability to keep data private. After a public scandal this big, it's hard to imagine recovering to any kind of profit margin they were hitting before. Not just that, but I found in my research on the topic that Ashley Madison had been preparing for an IPO, getting ready to trade publicly. This burned any possibility there and did untold amounts of damage in the form of profit never seen. So yeah, a good haul for the Impact Team, I'd say.
Let's take it there and talk about how the Impact Team got in. Vice's tech outlet Motherboard got an interview with someone on the Impact Team, and it's led to a lot more information about the attack, including how they got in and some of their motivations.
When asked how they actually got in, the Impact Team said that they worked very carefully to craft an attack that was undetectable. To me that says that if they ran any kind of scan, it was slow and methodical. In a normal business, vulnerability scanning and password guessing are easy to spot if they come in fast, because rate limits and lockout rules trip on the burst; spread the same activity out over days and it sits under those thresholds unless someone is correlating over a longer window. There isn't much detail here on the actual technicalities of it, but if they were as careful as they say, that would also mean being completely sure they weren't leaving any trace of social engineering or phishing campaigns that might have made it obvious something was going on.
Through that research campaign, what they found was an unbelievable lack of security. According to the member who was talking, the password used to get from the internet into the network over a VPN was "Pass1234" with a capital P. So an 8 character password that's a super easy guess and built into any major wordlist. When I say wordlist here, I'm talking about a pregenerated list of common passwords that can be anywhere from 10 to 10 million passwords in length. These can be used in conjunction with password attack software to try and make your way into a system or network, but you need to be careful, because most of the time if you try too many passwords in a short amount of time, you'll tip it off. So as I'm scripting this out, I just had an idea. I'm going to open up my own pentesting box virtual machine and see how many password lists I hit with that password. My screen is literally overrun with wordlists that have it in them. I see common credentials, honeypot captures, leaked databases, Xato password leaks, Dutch password lists, default credential lists. If I spent an entire podcast listing each list it's been found in, that would probably take around 25-30 minutes of my time.
So my point with that is this. If any hacker pointed some of the most common lists at Ashley Madison, and configured the attack to be slow and methodical, they likely would have gotten in.
And once they got in, what they found was that they had the highest privileges on several machines with that same password. There was effectively no security here. In their words, they got in and found nothing to bypass in the way of security. Usually an attacker needs to move across the network, called pivoting or moving laterally, before getting privileges as high as they had. But it seemed like once they were in, they effectively owned Ashley Madison.
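Here's an added example, not part of the episode and not anything recovered from the breach, of the kind of detection the "slow and methodical" comment is about. It runs three simple checks over a constructed VPN authentication log (the line format is an assumption, not any real appliance's): a burst detector that catches the noisy attacker, a long-window check that catches a low-and-slow spray across several accounts, and a check for a success from a source that had already failed against multiple usernames, which is the event that matters once a default like Pass1234 finally works. The IPs and usernames are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from Ashley Madison or any real appliance).
# Assumed line format: "<date> <time> vpn auth <OK|FAIL> user=<name> src=<ip>"
# 203.0.113.9 is the slow attacker: one guess every ten minutes, then a hit.
# 10.0.0.5 is the noisy one: six failures in 25 seconds.
# 192.0.2.20 is a real user who mistyped once.
SAMPLE_LOG = """\
2015-07-10 01:00:00 vpn auth FAIL user=alice src=203.0.113.9
2015-07-10 01:10:00 vpn auth FAIL user=bob src=203.0.113.9
2015-07-10 01:20:00 vpn auth FAIL user=carol src=203.0.113.9
2015-07-10 01:30:00 vpn auth OK user=dave src=203.0.113.9
2015-07-10 02:00:00 vpn auth FAIL user=bob src=10.0.0.5
2015-07-10 02:00:05 vpn auth FAIL user=bob src=10.0.0.5
2015-07-10 02:00:10 vpn auth FAIL user=bob src=10.0.0.5
2015-07-10 02:00:15 vpn auth FAIL user=bob src=10.0.0.5
2015-07-10 02:00:20 vpn auth FAIL user=bob src=10.0.0.5
2015-07-10 02:00:25 vpn auth FAIL user=bob src=10.0.0.5
2015-07-10 03:05:00 vpn auth FAIL user=erin src=192.0.2.20
2015-07-10 03:05:30 vpn auth OK user=erin src=192.0.2.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) vpn auth "
    r"(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Turn raw lines into time-ordered event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "ok": m["result"] == "OK",
            "user": m["user"],
            "src": m["src"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Classic rate rule: `threshold` failures from one source inside `window`.
    This is the rule a slow attacker is tuned to stay under."""
    recent = defaultdict(deque)  # src -> timestamps of recent failures
    flagged = set()
    for e in events:
        if e["ok"]:
            continue
        q = recent[e["src"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(e["src"])
    return flagged


def detect_slow_spray(events, min_users=3, window=timedelta(hours=24)):
    """Long-window rule: one source failing against `min_users` distinct
    accounts within `window`, however slowly. Rate is irrelevant here."""
    fails = defaultdict(list)  # src -> [(ts, user)]
    flagged = set()
    for e in events:
        if e["ok"]:
            continue
        hist = fails[e["src"]]
        hist.append((e["ts"], e["user"]))
        users = {u for t, u in hist if e["ts"] - t <= window}
        if len(users) >= min_users:
            flagged.add(e["src"])
    return flagged


def detect_success_after_spray(events, min_failed_users=2):
    """A login success from a source that already failed against several
    different usernames: a guessed default just worked. Requiring more than
    one failed username keeps a single user's typo from firing this."""
    failed_users = defaultdict(set)
    hits = []
    for e in events:
        if not e["ok"]:
            failed_users[e["src"]].add(e["user"])
        elif len(failed_users[e["src"]]) >= min_failed_users:
            hits.append((e["src"], e["user"]))
    return hits


def analyze(text):
    events = parse_log(text)
    return {
        "burst": sorted(detect_bursts(events)),
        "slow_spray": sorted(detect_slow_spray(events)),
        "success_after_spray": detect_success_after_spray(events),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The burst rule only ever sees 10.0.0.5; the slow attacker never puts more than one failure in any 60 second window, so the only way to catch it is to count distinct target accounts over hours instead of seconds, and to treat a success that follows those failures as the alert worth paging on.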
When confronted about the motivations, it seems like for them Ashley Madison hitting 37 million was a big turning point for them. They wanted to prevent the next however million people from falling into this, maybe destroying their marriage, and getting this level of treatment.
The Impact Team had nothing but disdain for Biderman and the site. ALM offered a less than ethical service, implemented it poorly, effectively extorted users when they wanted to leave, and, guess what, there's one last bit of information about Biderman I didn't see coming that was released.
Because remember, each and every email Biderman sent was leaked, so a lot of people went combing through them. Back in August, Noel Biderman and Ashley Madison were really trying to market themselves as victims of a heinous cybercrime. Who would hack into an online dating site's database and steal customer information? It's just ludicrous. As it turns out, Noel Biderman would do that. Upon sifting through his emails, one email came to light wherein the founding Chief Technology Officer let Biderman know that a competing site called nerve.com had a security vulnerability in it. One line in the email? Quote: "They did a very lousy job building their platform. I got their entire user base. Also I can turn any non paying user into a paid user and vice versa, compose messages between users, and check unread messages."
So yeah. That happened. Biderman ended up meeting with them several months later, and it's unclear if he brought up the security hole. But imagine how he could have used that data to try and bring users over to his platform, or to make the other platform look bad. It's insane to me that in all this, something like that came out. Yet at the same time, given the kind of platform this is, I'm also not surprised?
This is one of those stories where I don't know how to feel at the end of it all. I don't have much empathy for the Ashley Madison crew, if I'm being honest. It does suck to get hacked, but I also don't agree with the entire premise of your app, so… If this attack brings anything to light, it's the collateral damage. Imagine how many families this tore apart. In the end there was also a cost in lives: 2 people died by suicide, and regardless of what you've done, it's terrible to see that as the ending of your story. Do I endorse the kind of vigilante hacktivism that the Impact Team performed? Not entirely, but I have to wonder what the fate of everyone would have been if it never happened. We'll never know, I guess. And the site is still around; you can go and visit it right now. So there was one thing the Impact Team didn't get, but who knows what the future holds. I'm going to cut it there. I know this wasn't the most technical episode we've had, but it read as an interesting story I thought I'd share. Most people I know have the surface-level knowledge that Ashley Madison was hacked, but I hope this shed some light on the extent of it all.
I'm John Kordis, and thanks for listening to me explain What the Shell happened to Ashley Madison. Thanks again for listening to this week's episode. As always, if you liked it, please leave a rating or a review. Or, if that's not something you really want to do, just recommend it to a friend, maybe?
If you want to come and talk to me directly, along with other fans, I've got a link to our Discord in the description and on the website. I'd love to have you over there. It's also a great way to give topic suggestions. Like I've been saying all season, I'm really looking to give you, the listener, a say in the episodes, and this one came courtesy of my lovely wife. Lastly, like I've said before, I've got a store now, so if you want a sticker for your laptop, a patch for your backpack, or maybe just a T-shirt, go take a look at store.whattheshellpod.com