Ashley Madison – passwords leaked
As you may know, the passwords of the “Have an Affair” site, Ashley Madison have been leaked; which is another 37 million passwords available for password cracking. Crackers go easy – as the divorce lawyers will utterly destroy the lives of these guys when they get hold of the data. So how did this happen?
**Update 19th August 2015 – Full Ashley Madison passwords have been leaked**
- 10 GB Password dump – on Piratebay.
- 20 GB Company data Dump – 2nd Dump
This included a full domain dump of corporate passwords (NTLM hashes) of the company's Windows domain, the company's PayPal accounts and passwords, internal-only documents, and a ton more. The biggest indicators of legitimacy come from these internal documents, many containing sensitive internal data relating to the server infrastructure, org charts, and more. This is much more problematic as it's not just a database dump; this is a full-scale compromise of the entire company's infrastructure, Windows domain included.
There are decrypted snippets of member names, addresses and dollar amounts spent. Use a PRIVATE search engine, like http://www.startpage.com and look for:
Ashley Madison says the dumps are fake... but as they specialise in having affairs, telling the truth isn't their strong point.
**Have I been hacked**
Put your email in here – they’ve added the Ashley Madison emails to their databases.
Here’s what the Impact Team had to say:
- Ashley Madison advertises “Full Delete” to “remove all traces of your usage for only $19.00”
- It specifically promises “Removal of site usage history and personally identifiable information from the site”
- Full Delete netted ALM $1.7mm in revenue in 2014. It’s also a complete lie.
- Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.
So what issues immediately come to mind upon seeing the data?
Fact 1 – Ashley Madison did not enforce secure passwords.
A bank would enforce a 14 character password. Considering the danger of sexual orientation and sexual preferences leaking into the public domain, highly secure passwords ought to have been enforced.
Here’s an excerpt of AM’s passwords.
Not great is it? Not a complex password in sight. This raises fundamental questions regarding their risk assessment.
Fact 2 – European Clients have Data Protection rights.
Ashley Madison had one million UK clients. That means it must operate under EU law, which states:
The data subject has the right to access all data processed about him. The data subject even has the right to demand the rectification, deletion or blocking of data... (art. 12).
Oops. So Ashley Madison have fallen foul of the right to be forgotten.
Zero Knowledge Privacy
Basically, any site seriously interested in discretion would have implemented “zero knowledge”. Zero knowledge is clearly not the guiding principle of the site, especially as they are charging to delete information.
There are several issues here surrounding “Accountability”, even after you have paid for deletion. What if they do not delete your data? How can you sue them without your wife finding out? Do they have to keep the credit card payments on file for several years? See the problem?
Background reading on Zero Knowledge privacy can be found here:
All sites that retain data on their users that could destroy their reputation or marriages should implement cast-iron levels of both security and privacy.
After discovering an affair, any decent divorce lawyer would take your home and pension. The risks are so great that super secrecy is needed, to bypass court orders.
If you run a website like Ashley Madison, then protecting your clients has to be your number one priority.
Deleting sensitive data should be both Automatic and FREE.
The Zero Knowledge Doctrine would make economic sense here. Finally, a giant thank you to Ashley Madison for providing another 37 million passwords for crackers.
And I’m sure the EU will be asking some hard core questions any time soon. Hard core... geddit?