The story of the Ashley Madison hack continues to twist and turn.
Aside from the initial hack and subsequent distribution of the Ashley Madison user database (complete with millions of unverified email addresses), the hackers have also released further files from inside Avid Life Media, the company which owns the now infamous adultery website.
Amongst those files were leaked emails between the company’s CEO Noel Biderman and CTO Raja Bhatia, which appear to discuss a security hole on a competing dating site, nerve.com.
The email exchange, from November 2012, appears to show Bhatia describing how he was able to exploit the security hole to gain access to nerve.com’s database:
“Was researching the casual dating space as it’s been on my mind. I remembered Nerve relaunched with a slick site and did a little digging into how it worked. They did a poor job of auditing their site. Have access to all their user records including emails, encrypted password, if they purchased or not, who they talked to, what their search preferences are, last login, fraud risk profile, who they blocked or are blocked from, photo uploads, etc.”
As Motherboard reports, a later email exchange between Raja, Biderman and another member of company staff appears to show more details of what could be achieved by exploiting the “huge security hole”:
“I got their entire user base. Also, I can turn any non paying user into a paying user, vice versa, compose messages between users, check unread stats, etc.”
Included in the email was a link to an account on GitHub, which appears to show the stolen details of a Nerve user.
In short, it appears that the people tasked with keeping the Ashley Madison database secure were themselves spending time uncovering holes and exploiting vulnerabilities on a rival’s dating website.
And, it has to be said, if what is claimed in the emails is true, the unauthorised access of another company’s computer system would be considered an act of criminal hacking.
Perhaps Ashley Madison should have got its own house in order before looking for the security weaknesses in others?
Separately, no-one who is familiar with how things work in the United States will be surprised at all to hear that a class action suit has been filed against Ashley Madison’s owner Avid Life Media, on behalf of a man who claimed that the company was guilty of negligence which resulted in his privacy being invaded and emotional distress.
The man, named as “John Doe”, claims that the company could have prevented things getting so bad by taking reasonable precautions to protect user information.
It remains to be seen whether the case against Ashley Madison will stand up in court, but there seems little doubt that those exposed by the massive data leak could be distressed and under a great deal of stress.
Yesterday, at a Toronto Police news conference, law enforcement officers briefed journalists on “Project Unicorn” – the investigation into the hack – and shared the disturbing news that two people whose information had been included in the leaked database appeared to have taken their own lives.
Of course, it’s too early to say at this stage whether the deaths were connected to the breached database – and, as I’ve said in a separate article, great care needs to be taken about how apparent suicides are reported.
Avid Life Media is offering a reward of 500,000 Canadian dollars to anyone who provides information that might lead to the identification and prosecution of those involved in the Ashley Madison hack.