A number of security researchers are confident that the latest dump of personal information allegedly of customers using dating sites owned by Toronto-based Avid Life Media — including Ashley Madison — is legitimate.
The data, over 30 million accounts released Tuesday on the dark Web, follows up on the threat by attackers on July 19 to reveal subscribers unless Avid Life shut down two of the sites. The attackers, who dub themselves The Impact Team, justified the threat in part by claiming most of the subscribers weren’t real and that Avid Media was wasting people’s money by charging them $19 to remove personal subscriber information.
Avid Media hasn’t verified that yesterday’s release of stolen data is accurate, saying only in a statement that it is investigating. But Robert Graham of Atlanta’s Errata Security said in a blog post this morning that he has verified that some accounts are legitimate.
“However,” he adds, “glancing through the data, it appears that a lot of the accounts are bogus, obviously made up things for people who just want to look at the site without creating a “real” account.” In addition, the overwhelming majority of subscribers were men: 28 million men to five million women, according to the “gender” field in the database. And there were only male names on the credit-card transactions.
Exactly how many subscribers will be embarrassed or caught by the data release isn’t clear. As Graham notes, a lot of the accounts appear to use phoney names, and while there is credit card transaction data, full credit card numbers aren’t there. Security Week’s Eduard Kovacs also points out that email addresses weren’t verified, so a subscriber could have created one just for use on an Avid site that doesn’t tie back to a real person.
Almost all the records appear to be protected with bcrypt, Graham also pointed out, adding this “is a refreshing change. Most of the time when we see big sites hacked, the passwords are protected either poorly (with MD5) or not at all (in “clear text”, so that they can be immediately used to hack people). Hackers will be able to “crack” many of these passwords when users chose weak ones, but users who chose strong passwords are safe.”
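To make Graham’s point concrete, here is an added example (not code from the article or from Avid Life Media) contrasting the two storage choices he describes: a bare MD5 digest versus a salted, deliberately slow password hash. Python’s standard library has no bcrypt, so the example stands in PBKDF2-HMAC-SHA256 from `hashlib`, which shares the properties that matter here (a per-account random salt and a tunable work factor); the iteration count, the stored-record format and the sample passwords are all constructed for the example.

```python
import hashlib
import hmac
import os

# Work factor for the slow hash. This is a constructed example value;
# in production it is tuned so that one verification costs a noticeable
# fraction of a second, which is what makes bulk cracking expensive.
ITERATIONS = 100_000


def md5_store(password: str) -> str:
    """The weak scheme: an unsalted MD5 digest of the password.

    Every user with the same password gets the same digest, so one
    precomputed table answers for all of them, and MD5 itself is
    fast enough to guess billions of candidates per second.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def slow_store(password: str, iterations: int = ITERATIONS) -> str:
    """The strong scheme: random salt plus a slow key-derivation function.

    Returns a self-describing record ("algorithm$iterations$salt$hash")
    so the verifier can recover the parameters later and so the work
    factor can be raised for new records without breaking old ones.
    """
    salt = os.urandom(16)  # fresh per account; defeats shared lookup tables
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def slow_verify(password: str, record: str) -> bool:
    """Re-derive the hash from the stored parameters and compare.

    hmac.compare_digest runs in constant time, so the comparison does
    not leak how many leading bytes matched.
    """
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    derived = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(salt_hex),
        int(iterations),
    )
    return hmac.compare_digest(derived, bytes.fromhex(digest_hex))


def same_password_collides(store, password: str) -> bool:
    """True if two accounts with the same password get identical records.

    This is the property that lets an attacker crack one digest and
    unlock every account that shares it; salting removes it.
    """
    return store(password) == store(password)


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    print("md5 collides across accounts:", same_password_collides(md5_store, pw))
    print("slow collides across accounts:", same_password_collides(slow_store, pw))
    record = slow_store(pw)
    print("verify right password:", slow_verify(pw, record))
    print("verify wrong password:", slow_verify("hunter2", record))
```

The run shows the two properties Graham is pointing at: with MD5 two accounts using the same password share one digest, whereas the salted scheme gives each account a distinct record, and each guess against it costs the full iteration count. Neither scheme rescues a password that is already in a small wordlist; the work factor only raises the price of each guess, which is why weak choices still fall.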
Avid Media appears to be willing to carry on business, declaring in its most recent statement that the attack “is not an act of hacktivism, it is an act of criminality.”
However, one security expert told Security Week that as a Web site that appealed to those willing to have extra-marital affairs, Ashley Madison relied on the promise of keeping subscriber information confidential. “This is an organization whose entire business model depends on trust, anonymity and discretion,” he is quoted as saying. “To use anything less than the most state-of-the-art insider threat detection capabilities is to flirt with disaster, and with its user base now exposed to the world, it’s hard to imagine the company will be able to survive much longer.”