Sextortion accelerates as Ashley Madison data gets a new lease of life
“I know everything about you. I even know that you ordered some… lets [sic] call them ‘male assistance products’ online…” begins an email received by an individual in the early months of 2020.
“Do your friends and family know you have been buying these aids?” the Sextortionist asks as they continue to threaten the recipient with ‘exposure’ of their intimate secrets. So far, so normal for this kind of spam.
But then, toward the end of the message, the spammer reveals that they’re using records obtained from the 2015 breach of Ashley Madison, the online dating site for people seeking extra-marital affairs. The site’s simple but apparently winning strapline was ‘Life is Short. Have an Affair.’ And millions did. Though, it turned out, a large number of the supposedly eager women whose profiles appeared on the service were actually bots designed to persuade men to pay for ever higher levels of communication with potential dates.
In the summer of 2015, a hacker group called Impact Team decided to take down Ashley Madison (owned at the time by the Toronto-based company Avid Life Media) and expose its lax security. Ashley Madison’s high-profile CIO had been proclaiming that the site had amazing security because, as he put it, “It’s not lipstick on our collars anymore getting us caught, it’s digital lipstick; voicemails, text messages [etc.]” He reassured the site’s users that he’d personally built ‘custom-tailored tech to keep the data safe.’ The site offered a guarantee that if a user wanted to delete their profile and accompanying data it would be totally and irrevocably erased for the small fee of $19.
Impact Team revealed that to be a scam. And they were angry. So, they hacked into Avid Life Media’s databases (which was easy because vital passwords had been written in plain text into the actual source code of the company’s operating systems!) and stole email and postal addresses, telephone numbers, passwords, profile information, and messaging activity from interactions with other users (bots and people). They released it all, affecting 37 million users.
Sex, fibs, and bots
Nothing was what it seemed, and everything was what it seemed. The bots were pretending to be human. Most of the users were deceiving their partners, and Ashley Madison was being economical with the truth with… well, everyone. The ‘custom-tailored’ security was patchy, at best, and the $19 deletion fee didn’t really work because the credit card number used to pay it was stored alongside the other user details, which were not erased in their entirety.
The hackers had a single aim: humiliate Avid Life Media, Ashley Madison, and its CIO. The problem was that, by doing so, they also harmed ‘innocent’ users. The press at the time did not think that the users deserved much sympathy; they were, after all, ostensibly deceiving their partners. Impact Team hoped to put Ashley Madison out of business.
But the attack didn’t turn out the way they expected. Avid Life Media was sued in a class action by a group of users (many of whom dropped out after a judge ruled they had to use their real names to take part), and the company ended up paying an $11.2 million settlement. They also paid $1.7 million to the Federal Trade Commission in the United States in a settlement for pursuing ‘unfair and deceptive’ practices: that is, for not completely erasing data despite charging a fee for doing so and, bizarrely, for loading over 70,000 female bots on the site.
No such thing as bad publicity?
It’s often claimed that a data breach will ruin an organisation’s reputation, but in the case of Ashley Madison, it had the opposite effect. In the short term, revenue dropped by around 10%, but then, once the site had been sold to a new owner, the number of users began to rise again and, quite quickly, exceeded the 2015 total. It seems that many people around the world did not realise that there was such a service, and eagerly signed up. Clearly, they were hoping that the brand had learned its lesson from the Impact Team hack and security would be better.
The corporate fallout might not have been as bad as executives feared (though the bombastic CIO was fired), but the personal fallout was severe. During 2015 and 2016 there were many scams and threats targeted at names which appeared on the original 37-million-strong list. It’s reported that there were some suicides, and many divorces. As cybersecurity scholar Josephine Wolff stresses, the effects of a breach cannot be measured in business or commercial terms alone. Data must be protected because people’s livelihoods, relationships and, ultimately, their personal safety could be at stake.
Old data breaches can come back to haunt you
Sextortion is one of the oldest professions in cybercrime. Spammers send out millions of emails claiming to have caught you ‘having some fun, yes?’ on pornographic sites. They then threaten to release video of ‘naughty but nice eh?’ sessions to all your contacts. Mostly, it’s just random. But the resurgence of Ashley Madison data is worrying. It reveals that stolen credentials and personal details can circulate for years on the dark web and surface when individuals least expect them to. You can’t dictate morality online. If someone decides to sign up for an infidelity service that’s up to them. They still retain the right to privacy, especially if the service guarantees it, and especially if it charges for it.
What’s instructive about the Ashley Madison case is that protecting data is vital not just because its loss could cause immediate harm to a business or organisation, but because it might come back to haunt individual users long after any court cases, or short-term financial hits suffered by corporates, are over.
Nothing really ever gets deleted on the Internet, and so it’s vital that data, especially personal data, is protected at all costs. Life is Short. Don’t get hacked.
You’ll See This Message When it’s Too Late: The Legal and Economic Aftermath of Cybersecurity Breaches, by Josephine Wolff, MIT Press, 2019.