Ashley Madison, a popular website for married people wishing to cheat on their other halves, has been hacked with obviously serious implications for those whose details it held.
Previously unknown hacking group The Impact Team posted online caches of personal data stolen from the website, whose motto is "Life is short. Have an affair."
Noel Biderman, chief exec of Avid Life Media (ALM), the Canadian firm that runs Ashley Madison as well as sister hookup sites Cougar Life and Established Men, acknowledged the breach.
Biderman told investigative reporter Brian Krebs that ALM was "working diligently and feverishly" to get the leaked data pulled offline.
A statement by Avid Life Media admits that the firm has become the "latest among many companies to have been attacked, despite investing in the latest privacy and security technologies." It promised a through forensic investigation and assistance to law enforcement in going after hackers behind the breach.
At this time, we have been able to secure our sites, and close the unauthorised access points. We are working with law enforcement agencies, which are investigating this criminal act. Any and all parties responsible for this act of cyber-terrorism will be held responsible.
The extent of the breach remains unclear and something not covered by ALM's initial statement.
The Impact Team claims to have obtained access to user databases, financial records and other sensitive data. The hackers leaked samples of what purports to be account data, leaked maps of internal company servers, employee credentials and company bank account data.
The leaked account data comes from all three sites, of which Ashley Madison, which boasts 37 million members, is by far the largest.
The breach comes weeks after cybercrooks hacked into and leaked account data from hookup site AdultFriendFinder in a markedly similar attack. The Impact Team claim its pwnage of ALM was motivated by an attempt to undermine "false claims" that users could purge their Ashley Madison membership info for a $19 fee.
Users' billing information — including real name and address — stays even if users delete their account contrary to claims by ALM, according to The Impact Team.
The hackers are demanding the immediate closure of Ashley Madison and Established Men on pain of the release of further customer record if its demands remain unfulfilled.
Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails. The other websites may stay online.
Whatever the motives of the attackers the breach of an online hookup site with millions of members poses a far greater problem than a similar hack against a mainstream e-commerce or social networking site.
Users are faced with a far greater problem than being obliged to change their passwords or facing the increased risks from targeted phishing. The leaked data could become fodder for extortion or blackmail, security experts are already warning.
"Combine the data from [the US Office of Personnel Management] with that of AshleyMadison and I think we could be in for an interesting ride," noted independent infosec consultant Brian Honan. ®