Unlike the perpetrators of the Sony and Hacking Team doxing attacks, who uploaded stolen data to Pastebin, the attackers who compromised online hook-up site Ashley Madison dumped the data on the dark web, on a site reachable only through the Tor anonymization network. The dark web is someplace the average Internet user never goes, but a great deal of criminal activity takes place there, including child exploitation and assassins for hire.
Could this mean that the Ashley Madison attackers were deliberately trying to put the stolen data in the hands of people who would use it for blackmail? Robert Hansen, VP of WhiteHat Labs for WhiteHat Security, doesn’t think so.
“The hackers don’t seem to be interested in blackmailing individuals,” says Hansen. “It’s more likely they just wanted to do everything over Tor.”
Regardless of the attackers’ intentions, Trustify, an online private eye service, has indexed the email database and created a site where people can plug in an email address and check whether or not it was among those leaked.
According to Hansen, the data dump includes 28 million unique email addresses. The lion’s share use webmail providers; topping the list are Gmail (8.77 million addresses), Yahoo (6.62 million), and Hotmail (6.24 million). However, Hansen also found 13,000 .mil and .gov addresses, as well as a variety of corporate domains, including sizeable clusters from Microsoft, Apple, Cisco, Bank of America, and BP.
“I have found a bunch of fake entries in here, so all of this data should be taken with a grain of salt,” says Hansen. “It doesn’t appear that they normalized or even checked to make sure the emails were valid before storing them in this database. So, Barack Obama is in here under a dozen different emails as an example, as are a lot of others that are clearly incorrect.
“Even the allegations could ruin people’s lives and careers,” he says. “This is just a great example of how personal data becomes a liability for companies unless they can guarantee safeguards.”
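The per-domain tally and the unnormalized, unvalidated entries Hansen describes are exactly what an analyst should check before quoting numbers from any leaked user table. The script below is an added example, not code from the article or from anyone quoted in it. It runs over a constructed sample (not data from the actual dump), and its normalization rules (case-folding, dropping +tags, ignoring dots in Gmail local parts), its loose syntax check, and its "same name under three or more providers" threshold are all assumptions chosen for illustration:

```python
"""Tally and sanity-check e-mail addresses from a leaked user table.

Added example, not code from the article or from any of the people quoted
in it. SAMPLE below is a constructed input, not data from the Ashley
Madison dump. The normalization and validity rules are assumptions.
"""
import re
from collections import Counter, defaultdict

# Deliberately loose syntax check: one '@', a non-empty local part, and a
# domain with at least one dot. This catches obvious junk ('n/a', 'test'),
# not whether the mailbox actually exists.
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s.]+$")

# Providers that ignore dots in the local part, so 'john.doe@gmail.com' and
# 'johndoe@gmail.com' are the same mailbox. (Assumption: illustrative list.)
_DOT_INSENSITIVE = {"gmail.com", "googlemail.com"}


def normalize(address):
    """Return a canonical form, or None if the string is not address-shaped."""
    addr = address.strip()
    if not _EMAIL_RE.match(addr):
        return None
    local, domain = addr.rsplit("@", 1)
    domain = domain.lower()
    local = local.split("+", 1)[0]  # drop '+tag' aliases (assumption)
    if domain in _DOT_INSENSITIVE:
        local = local.replace(".", "")
    return f"{local.lower()}@{domain}"


def tally(raw_addresses):
    """Count unique normalized addresses per domain and flag oddities.

    Returns (by_domain, gov_mil, suspicious, rejected):
      by_domain  - Counter of unique addresses per domain
      gov_mil    - set of unique addresses under .gov / .mil
      suspicious - {name_key: sorted domains} for local parts (dots ignored)
                   registered under three or more different domains, the
                   'one famous name at a dozen providers' pattern Hansen
                   describes; the threshold of three is a guess
      rejected   - raw strings that failed the syntax check, in input order
    """
    unique = set()
    rejected = []
    for raw in raw_addresses:
        norm = normalize(raw)
        if norm is None:
            rejected.append(raw)
        else:
            unique.add(norm)

    by_domain = Counter(addr.rsplit("@", 1)[1] for addr in unique)
    gov_mil = {a for a in unique if a.rsplit(".", 1)[1] in ("gov", "mil")}

    domains_for_name = defaultdict(set)
    for addr in unique:
        local, domain = addr.rsplit("@", 1)
        domains_for_name[local.replace(".", "")].add(domain)
    suspicious = {
        name: sorted(doms)
        for name, doms in domains_for_name.items()
        if len(doms) >= 3
    }
    return by_domain, gov_mil, suspicious, rejected


# Constructed sample rows as a dump loader might hand them over: mixed case,
# stray whitespace, plus-tags, dotted Gmail variants, junk strings, and one
# name registered under many providers.
SAMPLE = [
    "John.Doe@gmail.com", "johndoe@GMAIL.COM", "john.doe+am@gmail.com",
    "alice@yahoo.com", " alice@yahoo.com ", "bob@hotmail.com",
    "someone@mail.mil", "staffer@agency.gov",
    "barack.obama@gmail.com", "barack.obama@yahoo.com",
    "barack.obama@hotmail.com", "barack.obama@aol.com",
    "n/a", "test", "not an email@", "@nodomain",
]

if __name__ == "__main__":
    by_domain, gov_mil, suspicious, rejected = tally(SAMPLE)
    for domain, n in by_domain.most_common():
        print(f"{domain:12} {n}")
    print("gov/mil:", sorted(gov_mil))
    print("suspicious:", suspicious)
    print("rejected:", rejected)
```

On the 16 constructed rows the script keeps 9 unique addresses, rejects 4 junk strings, and flags the one name that appears under four providers; the raw row count would have overstated the tally by almost half, which is the "grain of salt" Hansen is talking about.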
“This does open the door for blackmail,” says Stephen Coty, chief evangelist at Alert Logic. “The fact that some companies have made [the stolen data] searchable to drive traffic to their websites just means that it will take the wind out of blackmail. If your spouse or significant other can easily search for this data on one of the many sites, then the effect of blackmail really isn’t an issue because they already know you were a member.
“Now there is the issue,” says Coty, “of all the profile data and credit card transactions, which would reveal the actual content and desires from their profile, and of the charges that were made to a credit card that maybe the significant other was not aware of; those might still be used. Just because you had an email address on the site does not mean that you participated, but the profile and credit card transactions might show otherwise.”
“Undoubtedly, many of the emails and domains now published to the Dark Web are fake, but site users can’t run from the credit card information,” says Jason Polancich, founder and chief architect of SurfWatch Labs. “The Ashley Madison site required it and, like everyone else, ties it directly to the individual user. This is a good reminder – the web is not anonymous. Credit card payments are not anonymous and this is a big flaw that banks are dealing with now. Attacks such as these will likely be a boost for Bitcoin and others like it. Times are changing and credit card privacy issues need to be solved. And I guarantee that won’t be accomplished with just Chip-and-PIN.”
The attackers stuck ALM (Avid Life Media, Ashley Madison’s parent company) between a rock and a hard place: it could either shut the site down voluntarily or continue business as usual, wait for the attackers to leak the database, and see if that killed the business.
“The Ashley Madison breach paints a clear picture of how a single breach can be the death of a company,” says Carl Herberger, VP of security solutions at Radware. “If this isn’t a very loud wakeup call for any company with a business model that relies on user data and e-commerce, then I would struggle to figure out what is. Online businesses cannot successfully exist without the highest security precautions and protocols and keen prowess at operational secure discretion. A hack of this magnitude can happen to any organization, and it’s time for the enterprise to assume that it will, and make the necessary plans to navigate through that eventuality and come to terms with all of the key steps required to avoid it.”