The Other Shoe Drops for Ashley Madison: Not Just Another Breach Dump

Blog Post created by todb Employee on Aug 19, 2015

Late last night in the US, we became aware that the threatened dump of Ashley Madison subscriber details finally came to pass, exactly 30 days after the attack was first announced. If you'd like to catch up, check the reporting here at The Guardian. Now that the data dump is available on the Internet, curiosity seekers, suspicious spouses, and zealous divorce attorneys would do well to avoid wasting too much time hunting for "one true and correct" Ashley Madison dump on their own. While there are already several fake dumps being circulated, the "real" dump from last night appears to be credible according to the few forensic experts who have looked at it. However, even in the "real" dump, the data is rather suspect, with fake profile information interleaved with "real" profile information.


For starters, it's trivial to set up a fake account on Ashley Madison, since Avid Life Media's (ALM's) account setup procedures encourage, but do not require, an e-mail address to be verified by the user registering. A fake address might be registered for a variety of reasons by various actors, ranging from pranksters to bitter divorce rivals.


Second, the majority of "real" account holders tend to use fake, throw-away data and details, for obvious reasons. If some of those fake details happen to coincide with a real person, then it can create a sticky problem for that real person.


Finally, even if the real data is a real person, and that person really registered for the site, there is no indication in the data of whether that person succeeded at, or even intended to pursue, an illicit affair.


One of the appeals of online dating sites -- especially niche services like the ones offered by ALM -- is the low bar to entry combined with the promise of anonymity. According to discussions on Reddit's various relationship and dating groups, Ashley Madison users, as well as users of other "edgy" dating services, appear to be just as likely to be fantasizing "tourists" as they are to be serious philanderers. For these people, the perceived anonymity and ease of signup, even without intent of follow-through, can spell trouble at home if (and in this case, when) that anonymity is blown.


Dating sites of all types are trusted with perhaps the most sensitive, personal data imaginable: not only credit card payment information and personal identifiers such as addresses and phone numbers, but also personal details that few people would be comfortable discussing in public. In addition, these particular datapoints are rarely, if ever, governed by established regulation or law, at least in the US and Canada. The breach is almost certainly a crime, but while it's still unclear how the breach at ALM's online properties occurred, I'm hopeful that CISOs around the world take securing customer data to heart in light of these events. This concern for user data needs to be internally driven, since going above and beyond compliance requirements is especially critical when those CISOs are entrusted with the emotional, psychological, and physical well-being of their customer base.


As security researchers and onlookers, we should also be mindful that this breach is not just another object lesson for CISOs. As with many breaches, this dataset can severely impact the real lives of real people, but this set goes beyond the normal health and privacy concerns spelled out in compliance documentation. Some people are literally put in physical danger if their details are connected with Ashley Madison. The at-risk population includes physically and emotionally abused spouses, people coping with sexual orientation, gender identity, and addiction and compulsion issues, and the children of people who are named, falsely or accurately, in the datasets.


I'm hopeful that some good can come from these developments, and that the victims of this breach, like those of the Sony breach and the iCloud breach of last year, the people most affected and most at risk, make it through this uncertain period, and that we can all work harder at educating service providers and security professionals on how to best ensure a safe and stable Internet.


Update: ALM has released a statement regarding the breach and subsequent dump, here.

Update: Also, most credit card details are still safe.