On July 15th news articles began to appear, claiming that the one of the world’s most controversial online dating sites “Ashley Madison” had been compromised. As the story developed, more information became available including a demand, apparently issued by the hackers known as “The Impact Team”. This demand called for Avid Life Media (the company behind Ashley Madison) to permanently shut down Ashley Madison and another Avid Life Media site, Established Men. If these demands were not met, the hackers threatened to leak the stolen information.
One month after the initial breach was publically acknowledged, The Impact Team released a batch of stolen data and made it publically available. This leak was roughly 10GB in size and consisted of 5 main database tables:
am_am_member – This table is a gold mine for potential attackers. It consists mainly of information about users – nickname, first name, surname, address, phone number, latitude, longitude etc. Yes, you saw that right: latitude and longitude. Obviously some of the sign up’s will have been from desktop PC’s or laptops without GPS so the accuracy of some of the co-ordinates should be taken lightly. However, this information could be used at the very least to verify the city in which the user signed up and, if the user signed up to the site using a mobile phone with GPS enabled, it is possible these coordinates will be extremely accurate.
amino_member – Similar to the am_am_member table but also contains more information about users’ interests and what they’re looking for on the site. As above, this information could easily be used to attempt to correlate these records to individuals. The information regarding user’s preferences and what they were looking for on the site could also be utilized by attackers in an attempt to blackmail the victims, as it is unlikely they will want this information to become widely known.
amino_member_email – This table consists mainly of users’ email addresses which were used to sign up to the service. It should be noted that Avid Life Media didn’t verify the email addresses used to sign up the service, and therefore the presence of an individual’s email address in this table does not necessarily mean they were the one to sign up to the site. A good example of this is found when searching for all emails ending in “fbi.gov”.
FBI Special Agent Fox Mulder is a fictional character from the 90’s TV series “The X-Files”. It’s also rather unlikely that email@example.com is a legitimate Ashley Madison user.
member_details – This table consists mainly of physical information of users (hair colour, DOB, ethnicity, weight ETC).
member_login – This table consists mainly of usernames and correlating passwords. Password storage is one area ALM appear to have got right. Unlike a number of other large breaches it is unlikely attackers will be able to crack the password hashes en masse. This is down to the hashing algorithm in use, in this case bcrypt. Whilst bcrypt is recognised as a strong hashing algorithm, it will still be possible for determined attackers to crack some hashes; in fact some people are reporting to have cracked “several dozens” of them using fairly simple cracking techniques.
@jmgosney @solardiz Can be played smart 😉 one mini-dictionary per pass. Already got several dozens of them in -single mode of JTR.
— François Pesce (@JokFP) August 19, 2015
It’s clear the information released in this dump can and likely will have serious consequences for both ALM and users of Ashley Madison. However, the story doesn’t end there. On the 21st August a second, much larger, dump of information was released by The Impact Team. This data came with another message, appearing to be aimed at Noel Biderman (CEO of ALM) in relation to a lack of admission that the previously leaked data’s legitimacy: This new data appears to contain not only the CEO’s inbox but also 84 git repositories full of source code from web and mobile applications created by ALM. This not only goes a long way in verifying that the breach and subsequent leaks are legitimate but also provides attackers with a code base to study in a hunt for further vulnerabilities. It is being claimed by some security researchers that some of the credentials from the latest breach are still valid and have not yet been changed by ALM.
The dump contains working credentials btw. But that’s none of my business… 🙂 — Sinthetic Labs (@sintheticlabs) August 21, 2015
At the current time it has not been possible to extract any of the email data from the “noel.biderman.mail.7z” archive, as it appears to be corrupt. It is possible that the hackers will rerelease this file at a later date.
This latest leak removes any doubt that the leaked data is legitimate and puts all of the live applications at risk. Whilst this has been a rough week for ALM it looks as if it’s only going to get worse. At the time of writing the Ashley Madison blog (https://www.ashleymadison.com/blog/) appears to be offline, likely due to the source code and credentials found in the latest leak. Just to add to ALM’s troubles it also looks like a class action lawsuit has been launched.
First class action lawsuit launched against Ashley Madison. Emphasis on ‘first’. https://t.co/x9h4FnITx6
— Mikko Hypponen (@mikko) August 21, 2015
To contact Nettitude’s editor, please email firstname.lastname@example.org.