Adulterous hook-up site Ashley Madison is allowing all members to fully delete their profiles without charge in the aftermath of a serious data breach that threatens the site's future.
Previously, if users wanted to delete their records (profile, pictures and messages sent through the system) they were obliged to pay around $20, but that money-spinner has been dropped in the wake of a hack that placed Ashley Madison's members in danger of exposure.
Hackers from a previously unknown group, The Impact Team, are threatening to leak this information unless parent firm Avid Life Media (ALM) permanently closes both Ashley Madison and the site Established Men, as previously reported on El Reg.
ALM has resisted these demands and both sites remain operational despite threats by hackers to release highly sensitive information including "customers' secret sexual fantasies and matching credit card transactions".
ALM has confirmed the breach without specifying how much information was taken, or indeed commenting directly on the hackers' claims, other than to deny accusations that the delete option failed to remove information related to a member's profile and communications activity.
"Using the Digital Millennium Copyright Act (DMCA), our team has now successfully removed all the posts related to this incident as well as all Personally Identifiable Information (PII) about our users published online," ALM said in a statement.
Ashley Madison specifically markets its services at married people looking for an affair. The Impact Team characterises members of Ashley Madison as "cheating dirtbags" who deserve no privacy, bragging that they are poised to release info on "many rich and powerful people" unless their demands are met.
Will Gragido, head of threat intelligence research at Digital Shadows, suspects the motive of the attacks might ultimately move towards ransoming off stolen information. Unlike a recent attack against Adult FriendFinder, another hookup website, very little data from the latest hack has surfaced online - suggesting that attackers are holding onto it for later criminal abuse, Gragido reasons.
"Details are still emerging, but the Ashley Madison breach seems typical of today's more extortion and ransom-focused attacks," Gragido explained. "Certain types of data and online behaviour are simply too attractive for blackmail purposes, and adversaries know the power of psychology and emotions when making demands like this."
"Notably, this incident seems even more extortion-focused than the Adult Friend Finder (AFF) breach case, because stolen AFF data was evident in underground cybercrime forums relatively soon. We see comparatively little Ashley Madison data in circulation, suggesting the attackers want to hold as much as they can for ransom," he added.
Gragido noted that the hackers' demand that Ashley Madison be shut down is a potentially ominous evolution in hacker strategy.
"What is most striking about this incident is the attackers' demand that the business of Ashley Madison itself shut down," said Gragido.
"This is very ominous because it takes us down a slippery slope: What type of business will adversaries deem 'objectionable' next, and demand its closure, in addition to holding its customers hostage with their stolen, personal information?"
Speculation is rife that an insider or former employee may have facilitated the hack.
Luke Brown, vice president & GM EMEA at Digital Guardian, commented: "The breach is suspected to be an ‘inside job’ by someone involved with ALM’s technical services, highlighting the critical need for good cybersecurity capable of mitigating this type of insider threat."
"As it stands, the breach will likely cause irreparable damage to Ashley Madison as a business," he added.
Ashley Madison is simultaneously one of the most popular dating websites on the net, and the one its users are least likely to openly admit to using, for obvious reasons.
Tod Beardsley, security engineering manager at Rapid7, the firm behind Metasploit, commented: "Dating sites also host millions of intensely private scraps of user data. Users of these services may routinely share risqué photos, checklists of sexual preferences, and patterns of romantic activity that they consider deeply personal."
"Because of this, any breach involving a dating site comes with a built-in 'ickiness' factor. Dating site users are likely to feel more violated after a breach than those caught up in a retail or government website breach, and they are less likely to reach out for help and advice on how to manage their identity information after a breach," he added.
"For Ashley Madison users in particular, this tendency to suffer silently is all but guaranteed," concluded Beardsley.
Other security experts tend to agree that ALM will have its work cut out to restore confidence in the site, a vital first step to securing its long-term future.
"This hack may just kill Ashley Madison," said Dr Chenxi Wang, cloud security and strategy veep at cloud security firm CipherCloud. "The hackers are demanding the company to shut down or face public release of the very personal details of all of its 37 million customers."
"This puts AM between a rock and a hard place if it continues to operate. It’s unthinkable for any business, especially one that runs on discretion and trust, to betray its customers’ confidentiality," she added. ®