Ashley Madison: the data is out

The Impact Team published the Ashley Madison data on Tuesday last week and a second, larger dump containing source code and Avid Life Media internal email on Thursday. The thirty-day deadline expired and they kept their word. The first dump is approximately ten gigabytes of compressed data — customer database records, payment information, account profile fields, and metadata. The second dump runs to twenty gigabytes and includes, among other things, the personal email of CEO Noel Biderman.

The harm pattern that I worried about in July is now visibly under way. Within forty-eight hours of the first dump appearing on Onion mirrors, search interfaces appeared on the open web — sites that took the customer database and produced clean, indexed lookup interfaces by email address. The most prominent of those — haveibeenpwned.com, run by Troy Hunt — took the unusual decision to add the data but to require email-address verification before disclosing whether a given address was present (Troy Hunt's account of the decision). Most of the other lookup sites did no such thing. Within a week, three suicides had been publicly linked to the disclosure — two in the US, one in Toronto. The actual count is likely higher. The downstream extortion campaigns started in the first forty-eight hours and are continuing, with a clear template: identify a name in the leaked data, send a personalised email demanding bitcoin payment to avoid disclosure to a named spouse or employer, repeat at scale.
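Added illustration, not code from the original post and not Troy Hunt's implementation: the shape of a verification-gated lookup of the kind described above. The service holds only digests of the leaked addresses, issues a signed token for any queried address (so the request itself reveals nothing), and answers the presence question only when a valid, unexpired token for that same address comes back. The leaked-address sample, the HMAC token format and the one-hour TTL are all assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample of "breached" addresses for the example; they are made up.
# The service stores only SHA-256 digests so it never holds a plaintext copy of
# the leaked list itself.
LEAKED_EMAIL_DIGESTS = {
    hashlib.sha256(e.encode()).hexdigest()
    for e in ("alice@example.com", "bob@example.org")
}

# Assumed: a server-side secret used to sign verification tokens.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 3600


def normalise(email):
    return email.strip().lower()


def _sign(email, expiry):
    msg = f"{normalise(email)}|{expiry}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_verification_token(email, now=None):
    """Build the token that would be mailed to the address being queried.

    A token is issued for any address, present in the list or not, so the act
    of requesting one discloses nothing to a third party.
    """
    now = time.time() if now is None else now
    expiry = int(now) + TOKEN_TTL_SECONDS
    return f"{expiry}.{_sign(email, expiry)}"


def check_after_verification(email, token, now=None):
    """Answer the presence question only for a valid, unexpired token.

    Returns True/False for presence, or None if the token is malformed,
    expired, forged, or was issued for a different address.
    """
    now = time.time() if now is None else now
    try:
        expiry_s, sig = token.split(".", 1)
        expiry = int(expiry_s)
    except ValueError:
        return None
    if now > expiry:
        return None
    if not hmac.compare_digest(_sign(email, expiry), sig):
        return None
    digest = hashlib.sha256(normalise(email).encode()).hexdigest()
    return digest in LEAKED_EMAIL_DIGESTS
```

The point of binding the token to the normalised address is that a token mailed to alice@ cannot be replayed to ask about bob@; the point of issuing tokens unconditionally is that the lookup endpoint cannot be used as an oracle by anyone who does not control the mailbox.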

The technical content of the dump confirmed several things. The bcrypt hashing on the password column is, on inspection, configured with a work factor of 12 — strong by 2015 standards, and the credentials are reasonably protected. The other PII fields are not. The Full Delete service that customers paid nineteen dollars to use to remove their data appears, on the evidence in the database, not to have actually deleted user records — the relevant rows are still present, with a flag set to indicate paid-deletion status. The class-action exposure for Avid Life Media on the deletion-fraud question alone is going to be substantial.
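Added example, not from the post and not derived from the dump itself: what inspecting a leaked password column for its hashing scheme and work factor looks like in practice. It parses the bcrypt modular-crypt prefix to read the cost, converts that to a relative guess cost, and flags rows that are not bcrypt at all or that use a low cost. The sample rows are constructed (the third is a 32-hex-character digest of the kind an audit should flag as unsalted), and the column format and minimum cost are assumptions.

```python
import re
from collections import Counter

# bcrypt modular-crypt format: $2a$12$ followed by a 22-char salt and a 31-char
# hash, 53 chars in bcrypt's ./A-Za-z0-9 alphabet. The two-digit cost field is
# log2 of the key-setup iteration count, so cost 12 means 4096 rounds per guess.
BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{53})$")
HEX32_RE = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample rows, not real records. The first is a syntactically valid
# cost-12 bcrypt string; the second reuses it with the cost field lowered to 05;
# the third is a bare 32-hex digest (MD5-shaped, no salt).
SAMPLE_ROWS = [
    ("u1", "$2a$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW"),
    ("u2", "$2a$05$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW"),
    ("u3", "5f4dcc3b5aa765d61d8327deb882cf99"),
]


def classify(hash_value):
    """Return (scheme, cost); cost is the bcrypt work factor or None."""
    m = BCRYPT_RE.match(hash_value)
    if m:
        return "bcrypt-" + m.group(1), int(m.group(2))
    if HEX32_RE.match(hash_value):
        return "hex32", None
    return "unknown", None


def relative_cost(cost, baseline=10):
    """How many times more expensive one guess is than at the baseline cost."""
    return 2 ** (cost - baseline)


def audit(rows, min_cost=10):
    """Count schemes and list rows that are not bcrypt or are below min_cost."""
    schemes = Counter()
    weak = []
    for uid, h in rows:
        scheme, cost = classify(h)
        schemes[scheme] += 1
        if scheme.startswith("bcrypt"):
            if cost < min_cost:
                weak.append((uid, scheme, cost))
        else:
            weak.append((uid, scheme, cost))
    return dict(schemes), weak
```

A cost of 12 is four times the per-guess work of cost 10 and 128 times that of cost 5; the audit is only meaningful on the whole column, since a single row's prefix says nothing about whether other rows, or other columns holding derived secrets, use the same scheme.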

The source-code dump is more unusual material. The internal applications — billing, customer support, the matchmaking and messaging logic, the bot infrastructure — are all there. Annalee Newitz's reporting at Gizmodo on the bot accounts (gizmodo.com) is grounded in the source: the database flags female accounts versus bot accounts, and the source code that drives messages from bots to paying male users is present and readable. The implication for the company's representations to its users is severe.

The vCISO conversations this week have shifted in a particular direction. Three customer organisations have come to me asking how to handle the exposure of their employees in the data — corporate email addresses appear in the dump, including some at recognisably governmental and defence-industry domains. The HR-and-security crossover question — who should the company tell, what should the company do with the information, what is the line between protecting the employee and addressing organisational risk — is one that I have not had to advise on at this volume before. My current guidance is that the appearance of an email address in a leaked database is not, by itself, evidence of misconduct (email addresses can be entered by anyone, the verification on signup was minimal), and that any HR action without independent evidence of the underlying conduct is both ethically dubious and legally exposed. The right action is generally to do nothing absent specific cause; the wrong action is to scan and act.

For the SOC, the operational work of the past two weeks has been threefold. First, monitoring extortion attempts against customer-organisation email addresses — we have observed several, all variations on the same template, and we have collated the pattern for the customer security teams. Second, education advisories to the customer-organisation user populations on how to recognise extortion attempts and where to report them. Third, watching for downstream incidents where exposed individuals are targeted with spearphishing on the basis of leaked profile content, which is a class of attack that becomes possible when the threat actor has a great deal of personal context on the target. We have not seen that third pattern yet at scale, but I expect it.
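Added example, not the SOC's actual tooling: a small rule-based classifier for the extortion template described above (breach reference, a bitcoin address, a named spouse or employer, a demand and a deadline), run over constructed sample messages, with the matching messages collated by wallet address so the pattern can be shared across teams. The sample messages, the regular expressions and the scoring thresholds are all mine and are assumptions; the wallet address is a made-up string that merely matches the legacy address format.

```python
import re
from collections import defaultdict

# Constructed sample messages, not observed mail. Each is (sender, subject, body).
# The last one is a benign IT advisory that mentions the breach without any demand.
SAMPLE_MESSAGES = [
    ("anon@example.invalid",
     "your ashley madison account",
     "I know you signed up to Ashley Madison. Your wife and your employer will "
     "receive your profile unless you send 1.05 BTC to "
     "1FAKEBTCADDRESSUSEDFRTESTS1234567 within 7 days."),
    ("anon2@example.invalid",
     "Read this carefully",
     "Your details are in the leak. Pay 2 bitcoin to "
     "1FAKEBTCADDRESSUSEDFRTESTS1234567 or I email your husband and HR."),
    ("it-security@corp.example",
     "Advisory: Ashley Madison breach and extortion attempts",
     "Staff may receive emails referencing the Ashley Madison data breach. "
     "Do not pay; report them to the SOC."),
]

# Legacy base58 address shape (starts with 1 or 3, no 0/O/I/l), used only to
# pull a wallet string out of free text, not to validate it.
BTC_ADDRESS_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
AMOUNT_RE = re.compile(r"(\d+(?:\.\d+)?)\s*(?:btc|bitcoin)", re.I)
BREACH_RE = re.compile(r"ashley\s*madison|the leak", re.I)
TARGET_RE = re.compile(r"\b(wife|husband|spouse|partner|employer|boss|hr|colleagues)\b", re.I)
THREAT_RE = re.compile(r"\b(unless|or I|will receive|expose|reveal|send .* to)\b", re.I)
DEADLINE_RE = re.compile(r"within\s+\d+\s+(hours?|days?)", re.I)


def score_message(sender, subject, body):
    """Return (verdict, indicators) for one message."""
    text = subject + "\n" + body
    indicators = {
        "breach_reference": bool(BREACH_RE.search(text)),
        "btc_address": bool(BTC_ADDRESS_RE.search(text)),
        "payment_amount": bool(AMOUNT_RE.search(text)),
        "named_third_party": bool(TARGET_RE.search(text)),
        "threat_language": bool(THREAT_RE.search(text)),
        "deadline": bool(DEADLINE_RE.search(text)),
    }
    # Breach reference + wallet + a named third party is the template in its
    # minimal form; anything else with several indicators is worth a look.
    core = (indicators["breach_reference"] and indicators["btc_address"]
            and indicators["named_third_party"])
    if core:
        verdict = "extortion"
    elif sum(indicators.values()) >= 3:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return verdict, indicators


def collate(messages):
    """Group non-benign messages by wallet address with sender and demanded amount."""
    by_wallet = defaultdict(list)
    for sender, subject, body in messages:
        verdict, _ = score_message(sender, subject, body)
        if verdict == "benign":
            continue
        amount = AMOUNT_RE.search(body)
        for addr in BTC_ADDRESS_RE.findall(subject + "\n" + body):
            by_wallet[addr].append((sender, amount.group(1) if amount else None))
    return dict(by_wallet)
```

The wallet address is the most useful pivot in this template: senders and wording vary, but the payment destination is reused across victims, so collating on it is what lets several customer organisations recognise one campaign.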

The thing that stays with me is the design decision at the heart of the Avid Life Media business. Customers paid the company to keep secrets. The company then designed an architecture that did not, in any meaningful sense, keep the secrets — the database was accessible internally, the deletion service did not delete, the customer assurances were not technical realities. The disclosure of the data has produced harm to the users that is direct and quantifiable. The company will be sued, regulated, and possibly criminally prosecuted, and several individuals are dead. The technical-architecture decisions matter morally, not just operationally. That is not a new thing to say but I want to keep saying it.
