Analyzing a Data Breach: Ashley Madison – the Good, the Bad, and of course the Ugly
Recently, the Ashley Madison network was compromised, allegedly by a group known as the Impact Team. The hackers have asked the owners of this site and of another site called ‘Established Men’ to take down both sites, or they will reveal the names, addresses, and credit card transactions of account holders. The motives are still unclear, at least to me. The hackers accuse the owners of “human trafficking” and “blackmail” of their users.
For those who are not aware, Ashley Madison is a site for what much of society calls ‘cheaters’: men and women who want an extramarital affair. The Established Men site is for ‘sugar daddies’ to get in touch with women who are looking for that kind of thing. The purpose of this blog post is not to question the morals of these sites or the people who use them, but rather to question the common sense of the people who freely give out their information to such a site, and also to question the security measures put in place by the organization. These security measures, while an improvement on some recently hacked sites, were still obviously inadequate considering the data that is stored there.
The parent company that owns these sites stored the user passwords as bcrypt hashes, using PHP’s bcrypt implementation. This is a relatively secure method of storing passwords. However, the sites do not validate email addresses, so people who did not want to use their own address may have registered with other people’s legitimate email addresses (this is ‘good’ for those users, but not in the overall context of how a site should be managed).
Despite the password hashing, the hackers have managed to obtain large amounts of data, including names, addresses, phone numbers and credit card transactions. Even if users gave false email and username information, their credit card transactions can still identify them.
The hackers also report that they were able to bypass the site defences easily, and they claim that a root password was ‘Pass1234’. This gave them root access to all servers.
Some ugly consequences of this breach may be wrecked marriages, lost jobs, and perhaps even more significant life-changing moments, including suicide. There will also be litigation. However, perhaps the ugliest thing is that ‘ordinary’ (don’t judge) people entrusted their very personal information to an organization, and that organization appears not to have adequately protected that information.
It is also alleged that customers paid money to have all their information deleted but the company did not perform the deletion. If true, this displays a lack of integrity on the part of the site owners, on top of the other allegations against them.
Some industry experts have suggested that an insider may be involved. I don’t have enough information to comment on that, but I do know that an ‘insider’ can be either willing or unwitting. If the inside employee has been ‘bought’, there may be very little an organization can do about that, except to limit access and control to as few staff as possible. However, it is more likely that the insider was compromised without their knowledge. Previous blog posts have discussed how this can occur so I won’t repeat them here.
Would you like to find out more about how to help prevent data breaches? Give us a call and we’d be happy to discuss how to better protect your organization’s data.