Ashley Madison, the premiere dating website for married people looking to cheat on their spouse, experienced a major data-breach this weekend, and the hackers threaten release the private information for all 37 million of its users unless the website shuts itself down.
A group of hackers going by “The Impact Team” took the user information for all 40 million members on the Avid Life Media (ALM) network, which also includes Cougar Life and Established Men, according to Krebs on Security. The hackers have already dumped the bank account numbers and salaries of ALM’s employees onto the web, along with samples of user data selected at random.
The hackers threaten to release the complete cache of user data for Ashley Madison and Established Men—”secret sexual fantasies,” credit card numbers, and names and addresses—unless ALM agrees to shut down the two websites.
“We’ve got the complete set of profiles in our DB dumps, and we’ll release them soon if Ashley Madison stays online,” The Impact Team said, according to Krebs. “With over 37 million members, mostly from the U.S. and Canada, a significant percentage of the population is about to have a very bad day, including many rich and powerful people.”
The hackers appears to have been motivated by Ashley Madison’s unscrupulous business practices rather than a desire to unmask cheaters. The website added a data-swipe feature that promised to clear all “personally identifiable information,” but the data was still stored on ALM’s servers.
“Full Delete netted ALM $1.7 million in revenue in 2014. It’s also a complete lie,” the hackers wrote. “Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address.”
The hack of Ashley Madison comes two months after the hookup website Adult Friend Finder had their database breached and the information of 3.8 million users released on the web.
ALM said in a statement Monday morning that it was working with law enforcement agencies to track down the hackers, and made no hints of acquiescing to the blackmail.
Update – July 21st: Ashley Madison claims that it has choked off the distribution of the stolen data by sending DCMA (Digital Millennium Copyright Act) notices to the domain owners where the data is hosted.
“Our team has now successfully removed the posts related to this incident as well as all Personally Identifiable Information (PII) about our users published online,” Ashley Madison said in a statement.
Ashley Madison clarified that the “full delete” option had always been the removal of a user’s profile and messages on the website, and not the removal of all PII.
In the wake of criticism that the $19 “full delete” option constituted an extortion of its members, Ashley Madison is now making the service free.