Ashley Madison, the world’s most open-minded online dating site, has been in the news since July 2015 when Ashley Madison was the victim of a criminal hack.
An anonymous, sophisticated hacking group known as the Impact Team claimed responsibility for the Ashley Madison hack. When the company refused to meet the hackers’ demand to shut down Ashley Madison, the Ashley Madison hack attackers posted stolen company information on the dark web.
Cyber security detectives from around the globe were called in to investigate the Ashley Madison hack and the company offered a $500,000 (Canadian) reward for any information that would lead to the hackers arrest.
A year later, after intensive investigation into the Ashley Madison hack, the identity of the Ashley Madison criminal hackers is still unknown.
Once inside Ashley Madison, the investigators speculate that the Ashley Madison hackers covered their tracks through a sophisticated hacking method that allowed them to erase log-ins and evade and override detection technology safeguards.
Investigators speculate the Ashley Madison hackers systematically downloaded the Ashley Madison database over a period of time until they were ready to release the Ashley Madison data on the dark web.
Cyber Security specialists hired by Ashley Madison following the hack to perform a security review of millions of lines of code and implement new Ashley Madison security safeguards, suspect that the Ashley Madison hackers (and other hacking groups who claimed responsibility for recent high profile hacks on other companies) were able to create hidden backdoors in company servers to allow imperceptible re-entry. According to hacking experts, this is a common technique used in most criminal hacks.
- July 12, 2015Ashley Madison operations team members interrupt an unauthorized user export and shut down and disable remote access to Ashley Madison production systems. The breach triggers Ashley Madison’s security incident response process.
- July 13, 2015An Ashley Madison customer service representative logs into a desktop system and discovers a message from the Ashley Madison hackers, threatening to release stolen Ashley Madison lists and databases. Contrary to popular belief, the song Thunderstruck by AC/DC did not accompany the message from the Ashley Madison hackers.The Ashley Madison operations team members shuts down all at-risk systems in the corporate network and contacts an international security incident response team, according to its security incident response protocols. Cyber security experts are on-site immediately and proceed to determine the scope of the Ashley Madison hack.
- July 15, 2015Security blogger Brian Krebs breaks the Ashley Madison hack story.
- July 19, 2015Ashley Madison hackers publish a warning message and lengthy hack Manifesto on Pastebin.com. The hackers offer a 30 day window for the company to shut down the dating sites Ashley Madison and Established Men.
Excerpts from the Ashley Madison hackers Manifesto:Welcome to your worst fucking nightmare.We are the Impact Team. We have hacked them completely, taking over their entire office and production domains and thousands of systems…Avid Life Media has been instructed to take Ashley Madison offline permanently in all forms.This is your last warning.
- July 20, 2015The company issues two statements acknowledging the Ashley Madison hack and announces a joint investigation with cyber security law enforcement hack experts, including the Royal Canadian Mounted Police, the Ontario Provincial Police, Toronto Police Services and the FBI.
- August 18, 2015The Ashley Madison hackers release a now infamous post titled “Time’s Up!” on Pastebin stating that because Ashley Madison was not shut down, “Now everyone gets to see their data.”The hackers publish the first stolen Ashley Madison hacked data lists. The hackers specify that “Any data not signed with the key 6E50 3F39 BA6A EAAD D81D ECFF 2437 3CD5 74AB AA38 is fake.”Avid Life Media issues a statement detailing its investigation and encouraging anyone with information on the Ashley Madison hack to come forward.
- August 18 and 19, 2015Experts confirm the data dump is Ashley Madison hacked information.
- August 20, 2015The Ashley Madison hackers release a second dump of Ashley Madison data, containing nearly 20 gigabytes of internal data. A 13 gigabyte file of stolen company information is found to be corrupted, so the hackers replace it with the release of a new 19 gigabyte file.
- August 21, 2015In an interview, the Ashley Madison hackers claim to have stolen more than 300 gigabytes of hacked Ashley Madison information.
- August 23, 2015The Ashley Madison hackers continue to dump stolen Ashley Madison information.
- August 24, 2015A Canadian Class Action Lawsuit is filed against Ashley Madison.
- August 24, 2015Following an announcement from Toronto police, Ashley Madison offers a $500,000 bounty for information leading to the arrest of the Ashley Madison hackers.
- August 28, 2015The company’s CEO at the time, Noel Biderman, resigns from the company, following the Ashley Madison hack. In a statement the company says the resignation is “in the best interests of the company.
- August 31, 2015The company reports that even though Ashley Madison was hacked, new users continue to sign-up for Ashley Madison.
- September 2015 to Spring 2016Ashley Madison implements a full-scale hack remediation program; enhances its internal Information Security expertise; implements 24/7 security monitoring and invites world-leading experts to help the brand implement an ongoing program of Ashley Madison security enhancements.
- April 11, 2016Avid Life Media appoints a new CEO and President who announce a new direction for Ashley Madison, confirm the company’s ongoing investments in privacy and security as part of its Ashley Madison post-hack recovery plan.
- July 5, 2016A year after the Ashley Madison hack, Avid Life Media rebrands as ruby Corp. and introduces new open-minded marketing for Ashley Madison. The company drops its pre-hack tagline: Life is Short. Have an Affair and replaces it with Find Your Moment. Ashley Madison changes its infidelity-only marketing focus and introduces a new TV campaign that airs in the USA, Australia, Canada and the UK. View the ads: www.findyourmoment.comAshley Madison begins offering new discreet payment options, including Skrill and Paysafe Card.
- August 23, 2016The summer after the Ashley Madison hack, ruby voluntarily enters into a Compliance Agreement with the Office of the Privacy Commissioner of Canada (OPC) and an Enforceable Undertaking with the Office of the Australian Information (OAIC).“We hope that by openly speaking about the Ashley Madison hack and our commitments to the OPC and the OAIC, we can help other organizations and business leaders who are facing increased cyber security challenges,” the company said in a news release.“ruby continues to make significant, ongoing investments in privacy and security to address the constantly evolving threats facing online businesses like Ashley Madison. These investments are at the cornerstone of rebuilding consumer trust in Ashley Madison over the long-term.”
The key Ashley Madison post-hack security commitments set out in the compliance agreements include:Security
Personal Information & Delete
- An Ashley Madison privacy review was completed in December 2016.
- After months of intensive work following the Ashley Madison hack, the company is in the final stages of further augmenting its Ashley Madison security framework.
- The company has mandatory security and privacy awareness training for all employees and an ongoing Ashley Madison post-hack security enhancement process is in progress.
Personal Information & Delete
- No later than March 31, 2017, the company will update its practices related to the retention of personal information of Ashley Madison users who are inactive or have deactivated Ashley Madison accounts.
- The company will continue to provide a no-cost option for individuals to request deletion of their Ashley Madison account profile information. The company has been offering free Ashley Madison account deletion to members since September 2015
According to the company, it has already implemented many new security measures since the Ashley Madison hack.“Today’s news confirms the company has proactively made important changes since last year’s Ashley Madison hack. These agreements are our ongoing commitment to privacy and security investment — and to open, transparent communication with Ashley Madison members,” the company said in a news release.
- By Spring 2017, the company will either amend its Ashley Madison account creation process to allow users to join Ashley Madison without providing an email address, or implement measures to enhance the accuracy of email addresses.
- September 2016PCI-level 1 ComplianceFollowing the hack, in Fall 2016, Ashley Madison earns PCI – Level 1 compliance status for Ashley Madison credit card payment processing.PCI-Level 1 compliance is an in-depth security and privacy protocol that covers 12 key areas - from firewall configuration, to password storing, encryption and securing cardholder data. The program requires an annual audit and adherence to ongoing post-hack Ashley Madison security enhancements and improvements.
- October 27, 2016ruby appoints the former Interim Privacy Commissioner of Canada, Chantal Bernier, as its Special Privacy Advisor to ensure the company continues to evolve and improve its Ashley Madison post-hack member privacy safeguards.
- The first Ashley Madison hacked data dump was posted to the Dark Web using an address accessible only through the anonymous Tor network.
- According to news reports, passwords released in the hacked Ashley Madison data dump, appear to have been hashed using the bcrypt algorithm for PHP.
- Since the time of the Ashley Madison hack, many other companies and organizations have experienced hacks that surpass the Ashley Madison hack in size and scope, but the Ashley Madison hack continues to fascinate cyber experts, white hat hackers, journalists, documentary filmmakers and security information experts the world over.
Is the term used when a system is hacked.
Criminal attacks committed via the internet, including hacks like the Ashley Madison hack, identity theft and cyber espionage.
Ashley Madison hackers released stolen data via Bit Torrent, a communications protocol of peer-to-peer file sharing, which is commonly used to share large files. In the case of the Ashley Madison hack, hackers released more than 25 gigabytes of data using Bit Torrent.
Tor is free software for enabling anonymous communication. The name is a nod to the original software project name The Onion Router. Ashley Madison hackers shared stolen information on the Tor network to ensure anonymity. Tor encrypts data multiple times through a path of more than 7,000 relays, making it virtually impossible for cyber experts to track the Ashley Madison hackers.
Pretty Good Privacy or PGP is a program used by the Ashley Madison hackers to authenticate their stolen Ashley Madison database dump with digital signatures and encrypted stored files.
The hacking group which claimed responsibility for the Ashley Madison hack.
Bycrypt is a password hashing function that was used by Ashley Madison engineers to securely store data. Bycrypt creates a shadow hash, so the user’s password itself is not stored and before the Ashley Madison hack, was widely considered an industry best practice.
A common hacking technique that causes a site’s back-end SQL databases to spill data. Experts do not believe this is how the Ashley Madison hackers breached the system, saying there was no indication of software vulnerability being exploited during the Ashley Madison hack.
(denial-of-service) a hacker makes a network unavailable by flooding its servers with numerous requests to users so that they can access confidential internal information from their servers.
(distributed denial-of-service) the most serious kind of DOS attack, where the attacker accesses the network from numerous IP addresses making it impossible to track the actual perpetrator.
Encoding messages or commands so that only an authorized party can access them. Access can be through a key as in the Ashley Madison hackers release of information, and is applied to any internal data networks, in storage, or data being sent (in transit).
The study and practice of creating secure communications codes and cracking those codes, in the case of hacking groups like the Ashley Madison hackers.
The details of a website page. Commands to tell the internet how to display and read your page, written in human-readable text through a number of different programming languages. During the Ashley Madison hack, hackers released thousands of lines of Ashley Madison source code, creating a daunting challenge for Ashley Madison engineers and security experts.
A collection of related data, organized and managed through a database management system that structures how data is accessed and updated. During the Ashley Madison hack, Ashley Madison database was a top search.
Following the Ashley Madison hack in 2015, there were a record number of hack attacks on organizations around the globe.
Here’s how the Ashley Madison hack compares to other high profile hacks:
During the Ashley Madison hack attack, a few top searches included:
- Ashley Madison hack
- Ashley Madison list
- Ashley Madison hack search
- Ashley Madison database
- Ashley Madison wiki
- Ashley Madison hack list
- Ashley Madison hack list PDF
- Josh Duggar
Possible charges facing the Ashley Madison hackers, according to Toronto Police Services:
Theft, because much of the hacked Ashley Madison data is proprietary
Mischief to property, a charge under the Criminal Code for obstructing, interrupting or interfering with lawful use enjoyment or operation of Ashley Madison’s database and property
Mischief in relation to hacking Ashley Madison computer data
Criminal harassment of the company, based on the manner in which the hacked Ashley Madison data was released by the hacking group
Because the Ashley Madison hackers released stolen data from 40 countries, law enforcement experts say charges could be laid in almost any country.
Where the hackers were when they carried out the alleged hacking offences would also determine where charges would be laid.
Update on the Ashley Madison Hack Investigation
As of November 2016, the Ashley Madison hack case remains unsolved and detectives on the case have not reported any new leads about how hackers pulled off the breach against Ashley Madison.
According to news reports, the server that was used to host the leaked file containing emails of Ashley Madison’s former CEO was operated by a Dutch Internet service provider.
News reports have identified 22.214.171.124 as the alleged box used in seeding the torrent, however the Ashley Madison hack case still remains unsolved.
Ars Technica reported that police were trying to perform a forensic analysis of the physical server to determine how the server was accessed – and may be able to collect clues from the IP address used to log into the box.
The Ashley Madison $500,000 (Canadian) bounty for information leading to the arrest of the Ashley Madison hackers is still being offered by ruby Corp. -- the parent company of Ashley Madison.
Anyone who has information about the Ashley Madison hack can contact Toronto Police Services at:
- Network Interruption
- Denial of Service
Experts and law enforcement believe the motivation for the Ashley Madison hack was related to hacktivism, which accounts for about 25% of all hacks
- 62% Cyber Crime
- 25% Hactivism
- 10% Cyber Espionage
- 3% Cyber Warfare
After the hack, Ashley Madison revamped and reimagined its security program, reviewing millions of lines of Ashley Madison code, enhancing its (internal and external facing) security infrastructure and teaming with world leading security experts to craft a continuous security monitoring program of Ashley security updates and post-hack privacy enhancements.
In August 2016, Ashley Madison updated its website with security and privacy information to help users protect their privacy and safeguard their personal information.
Before you sign-up at Ashley Madison, create a separate free email account to use just for Ashley Madison. Don’t use your personal or work email address if privacy is a concern when using Ashley Madison.
During the Ashley Madison hack, it was revealed that some Ashley Madison members created user names that were easily identifiable. Choose an Ashley Madison profile name that does not ID you in any way like Romantic_at_Heart.
Be cautious before sharing any personal details with people you meet on Ashley Madison and other social networking sites.
Ashley Madison security experts who were brought in following the hack recommend creating a strong, hard-to-hack Ashley Madison password that contains a mix of letters, numbers and symbols.
To avoid being hacked on any site, never disclose your password to anyone. Ashley Madison will NEVER ask you for your password – either via email or telephone.
Keep browsing on Ashley Madison private by opening the incognito window in your Google Chrome browser when you visit Ashley Madison. If you use Safari or another browser, delete cookies and browsing history after each visit to Ashley Madison. Though it’s tempting, to guard against hackers don’t use the auto-remember password feature for Ashley Madison or any site.
Ashley Madison is one of the world’s most famous and largest online dating communities. As with all of the world’s most popular websites, scammers and would-be identity hackers sometimes send fake emails posing as our customer service. Ashley Madison never asks for personal information via email or instant message.
To guard against hacks, be suspicious any time you receive:
- An email message, text or phone call asking about your personal financial, social networking information or Ashley Madison account.
- An email that requests you to “click here.” Hover your cursor over the link without clicking. If the URL link is legitimate, you will see a domain name that matches the company name – https//www.ashleymadison.com
- If the URL doesn’t match the company name, it’s a phishing email from a scammer.
Reputable senders like Ashley Madison usually have a verifiable 1-800 telephone number on their emails. Check that the 1-800 number is legitimate through a web search or call the company directly if you are concerned.
Remember, if you receive an email from Ashley Madison asking for personal information, it’s a scam. Hit delete or block. Ashley Madison will never ask for personal information through email or text.
Before it was hacked, Ashley Madison was launched in 2001 in Toronto, Canada. The name Ashley Madison was created by combining the two most popular names for baby girls at the time.
Originally, and at the time of the hack, Ashley Madison was focused on infidelity dating and marketed under the tagline: Life is Short. Have an Affair. Since the hack, Ashley Madison has repositioned and rebranded to focus on open-minded dating and has a new tagline: Find Your Moment.
Following the Ashley Madison hack, the site was ranked as the 408th most visited site in the USA by Similar Web, with nearly 75 million monthly visitors.