What I learned from the Ashley Madison breach


Unless you’ve been living under a rock for the last month or so, you have heard about the massive data breach that Ashley Madison suffered recently.

Here’s how the story goes:

  • 30 days ago a group called Impact Team promised to disclose information stolen from the world’s largest cheating website, Ashley Madison. The website’s slogan is “Life’s short. Have an affair.”
  • 4 days ago, the hacker(s) delivered on their promise – with a huge data dump almost 10 GB in size. This dump included all sorts of customer details such as emails, user profiles, financial transaction information, location data and more.
  • 2 days ago, the hacker(s) dropped another data dump – almost twice the size of the initial dump – but this time, the information was internal to the company: emails (including the CEO’s), source code, and other internal data.

I’ve been following the action, and here’s what I learned from this breach:

Passwords were hashed using bcrypt. If your data was in the data dump, it’s OK because Ashley Madison used bcrypt (instead of MD5, or worse, plain text) to salt-and-hash the stored passwords, so your password is safe from being cracked!

Ashley Madison followed some decent practices. They used bcrypt to hash passwords. They stored passwords and email addresses in separate tables to make stealing them a bit harder. They used tokenization to avoid storing full credit card numbers, which kept this breach from becoming a massive credit card breach à la Home Depot or Target.
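To make the bcrypt point above concrete, here is an added example (not code from the post or from Ashley Madison) contrasting an unsalted fast hash with a salted, work-factor-tuned password hash. bcrypt itself is not in the Python standard library, so the example uses PBKDF2-HMAC-SHA256 from `hashlib` as a stand-in; it demonstrates the same two properties the post credits bcrypt with (a random per-user salt and a tunable cost), not bcrypt's own algorithm. All passwords and the iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Constructed work factor. bcrypt expresses cost as a power-of-two exponent;
# PBKDF2 uses a plain iteration count. Either way the knob is raised over time
# so that each guess stays expensive for an attacker who obtains the dump.
WORK_FACTOR = 100_000


@dataclass(frozen=True)
class StoredPassword:
    """What the database row holds: salt, cost, and the derived digest.
    Nothing here lets the original password be read back directly."""
    salt: bytes
    iterations: int
    digest: bytes


def hash_password(password: str, iterations: int = WORK_FACTOR) -> StoredPassword:
    """Salt-and-hash a password. A fresh 16-byte random salt per user means
    two users with the same password get different records, so one
    precomputed table cannot be reused across the whole dump."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return StoredPassword(salt=salt, iterations=iterations, digest=digest)


def verify_password(password: str, stored: StoredPassword) -> bool:
    """Re-derive with the stored salt and cost, then compare in constant time
    so the comparison itself does not leak how many bytes matched."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), stored.salt, stored.iterations
    )
    return hmac.compare_digest(candidate, stored.digest)


def unsalted_md5(password: str) -> str:
    """The weak scheme the post contrasts bcrypt with: fast, unsalted, and
    identical for every user who chose the same password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def precomputed_table(candidates: Iterable[str]) -> Dict[str, str]:
    """Build a hash -> password lookup once. Against unsalted MD5 this single
    table resolves every matching row in a leaked database."""
    return {unsalted_md5(p): p for p in candidates}


def lookup_unsalted(table: Dict[str, str], md5_hex: str) -> Optional[str]:
    """Constant-time dictionary lookup: why unsalted fast hashes fall instantly."""
    return table.get(md5_hex)


def demo() -> None:
    # Constructed sample passwords; no real user data.
    common = ["123456", "password", "qwerty"]
    table = precomputed_table(common)

    leaked_md5 = unsalted_md5("password")
    print("unsalted md5 recovered:", lookup_unsalted(table, leaked_md5))

    a = hash_password("password", iterations=1_000)
    b = hash_password("password", iterations=1_000)
    print("same password, different salted records:", a.digest != b.digest)
    print("verify correct:", verify_password("password", a))
    print("verify wrong:", verify_password("Password", a))


if __name__ == "__main__":
    demo()
```

The lower iteration count in `demo()` is only to keep the demonstration fast; a deployment would use the full `WORK_FACTOR` (or bcrypt's cost parameter) and revisit it as hardware improves.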

The vast majority of users are actually men. Ashley Madison used to claim in its promotion that 50% of its users were women, which turned out to be a complete fabrication. That makes you wonder how (or if?) they were planning to disclose this in their upcoming IPO.

A single breach can be the death of a company. If your online business model relies on user data and ecommerce, and you don’t actively take the highest safety precautions, implement good operational security practices, and continuously monitor and improve them, then you are setting yourself up for failure.
UPDATE [Aug 22, 2015]: A $578M class-action lawsuit has been filed by two Canadian law firms against Ashley Madison.

Magnet links for both dumps are available on the deep web using Tor. I’m not sure if the hackers only posted their links on the deep web for anonymity, or simply because they wanted to use Tor, but the links were initially only made available as .onion links. The dumps themselves were distributed via BitTorrent.

Our community’s reaction to this, as information security practitioners. It seems that we in the InfoSec community collectively lost sight of what happened here in our quest for a moral crusade. I’ve heard everything from “these cheaters are scumbags that deserve to be exposed” to “it’s a disgusting company and it deserves all of this”, but the fact remains that:

  • This WAS a criminal act.
  • The users – reprehensible or not – are the victims here. Millions of people have had their data exposed and will have to deal with the consequences of this act.


It still remains to be seen how this will unfold for Ashley Madison with the newly launched lawsuit against them, and the (still unfolding) fallout from this breach.
I personally don’t see Ashley Madison surviving past the end of the year.