Ashley Madison, an online dating service with the slogan “Life is Short. Have an Affair,” reports that the site has been breached and hackers have obtained personal data about the service’s millions of members.
The Impact Team, the name given by the group behind the attack, said they had stolen information on Ashley Madison’s 37 million members. The group has leaked a portion of the data and said it will release all if the site is not shut down, the New York Times reports.Avid Life Media, Ashley Madison’s parent company, tells users they can scrub their profiles from the site for $19. But the hackers say information is never actually deleted. Though members can use pseudonyms on the site, since most pay for services by credit card, the site has financial and actual personal information for members. On Monday, Avid Life Media said it had adjusted its policy for deleting user data but the company did not agree to the demand that it shut down the site. The company has launched an investigation, using “leading forensics experts and other security professionals to determine the origin, nature and scope of this incident,” according to the Times.
Since its founding in 2001, Ashley Madison membership has grown to 37 million accounts. Anyone 18 or older can join the site for free, using a pseudonym. Users pay fees when they chat and exchange photos, the Times reports. While any dating web site can be used for cheating, Ashley Madison explicitly advertises cheating as a goal, and this, along with not deleting information as promised, appears to have angered the hackers. Because of the site’s slogan, professional football and soccer teams have turned down Ashley Madison sponsorship offers and NBC and Fox rejected their Super Bowl ads.
Ashley Madison promises members that with the $19 “full delete” service all information is erased, but the Impact Team said this does not happen. Customers’ email addresses, usernames, passwords, birthdays and zip codes, along with their sexual preferences, have been exposed in the data breach, CNN reports. On Monday, Avid Life Media announced that the delete service would be made free for all members.
The Impact Team claims Avid Life Media received $1.7 million in revenue from the full-delete service in 2014, according Brian Krebs, a reporter who specializes in online security. Krebs published statements from the Impact Team on his blog, KrebsOnSecurity. “Users almost always pay with credit card; their purchase details are not removed as promised, and include real names and address[es], which is of course the most important information the users want removed.”
Avid Life Media’s chief executive, Noel Biderman, called the breach a “criminal act,” and told Krebs that the hacker(s) “certainly had touched our technical services,” according to the Times. Krebs writes, “It’s unclear how much of the AshleyMadison user account data has been posted online. For now, it appears the hackers have published a relatively small percentage of AshleyMadison user account data and are planning to publish more for each day the company stays online.”