Ashley Madison CEO knew of potential security flaws, leaked emails reveal
Security flaws were evidently reported around the time of the hack.
On Friday, hackers going by the name Impact Team released more than 100,000 stolen private emails from the inbox of Noel Biderman, CEO of Avid Life Media (ALM), the Toronto, Canada-based company behind Ashley Madison and other dating websites.
An earlier data dump exposed as many as 33 million users of the adultery-themed site, making it one of the largest user data releases in history. The stolen databases included Ashley Madison usernames, street addresses, phone numbers, email addresses, partial credit card information, and more.
The leaked Biderman emails show that on multiple occasions the CEO was contacted by security researchers who believed the Ashley Madison site could be hacked and its customers exposed.
In one email, an information security consultant who identified himself as Jayson Zabate from the Philippines contacted ALM about a security flaw in Ashley Madison.
“I recently browsed into your website [Ashley Madison], as with first instinct I tried to search for a flaw in your application,” wrote Zabate. “After a few attempts, I find security vulnerability on your website.”
Zabate inquired about a reward program for discovering bugs in ALM’s system. According to an email from ALM security chief Mark Steele, who was hired only a few months before the hack became public in July, the company had such a bounty program in place.
In a May 25 email, Biderman was contacted directly by another security researcher named Paul Mutton, who warned that hackers could potentially expose Ashley Madison user-registration data.
“I suspect it might be possible for a third-party website to determine whether a visitor has registered to use AshleyMadison.com, what their username is, and other details pertaining to their account. Interested?” wrote Mutton.
“Given our open registration policy and recent high-profile exploits, every security consultant and their extended family will be trying to trump up business,” Steele told Biderman in a same-day email.
Steele added: “Our codebase has many (riddled?) XSS/CRSF vulnerabilities which are relatively easy to find (for a security researcher), and somewhat difficult to exploit in the wild (requires phishing).”
XSS [cross-site scripting] and CSRF [cross-site request forgery] are two classes of web vulnerability: XSS lets an attacker inject malicious script into pages a site serves to its users, while CSRF tricks a logged-in user’s browser into sending requests that user never intended. Either can be used to harvest usernames and passwords or to hijack user sessions, giving an attacker access to an account without needing its password. Such flaws stem from mistakes in the code base and are most common in older web applications.
In an email to Biderman the following day, Steele indicated that Mutton had yet to discover any flaws in ALM’s system, but he wanted permission to conduct penetration tests on the Ashley Madison website.
When Impact Team first revealed its hack of Ashley Madison, the hackers demanded that the site be taken offline due to allegedly dishonest business practices, including a $19 service that promised to completely delete paying users’ data from the company’s databases.
Failure to take Ashley Madison offline would trigger the release of user data and other company information, the hackers wrote—a promise they made good on last week.
While condemning Ashley Madison, the hackers apologized to Steele for breaking through the site’s security.
“Our one apology is to Mark Steele (Director of Security),” the hackers wrote in their manifesto. “You did everything you could, but nothing you could have done could have stopped this.”
Other emails revealed by Impact Team’s leak, uncovered by security reporter Brian Krebs on Tuesday, appear to show that ALM executives hacked a dating service run at the time by Nerve.com, an online culture news site, in 2012, to gain a competitive edge. And in 2013, emails discovered by the Daily Dot show, Biderman and other top ALM executives discussed paying off a former spokeswoman, who threatened to make public her allegations that a company vice president had sexually harassed her.
The spokeswoman, London-based sex expert Louise Van der Velde, demanded £10,000 ($15,686) to stay quiet, though it is unclear from the emails whether ALM paid her the money.
Velde refused to comment on the sexual assault allegations or the related emails. ALM has not returned our multiple requests for comment concerning the hacked emails.
As ALM coordinates with law enforcement agencies in the U.S. and Canada, many former users are preparing to mount legal cases against the company.
A class-action complaint was filed against ALM this week in the U.S. District Court for the Central District of California, alleging a breach of privacy and negligence. In St. Louis, a woman has filed a federal lawsuit claiming that she paid the company to delete her personal information, which was nonetheless discovered in the leak. And another U.S. class-action lawsuit is expected soon from the Dallas-based Schmidt Law Firm, which is accepting clients in all 50 states.
In addition, two Canadian law firms—Sutts, Strosberg LLP and Charney Lawyers—have filed a $573 million suit, which has reportedly drawn interest from over 1,000 Ashley Madison clients.
Jamie Woodruff contributed reporting to this article.
Illustration by Max Fleishman
Dell Cameron was a reporter at the Daily Dot who covered security and politics. In 2015, he revealed the existence of an American hacker on the U.S. government's terrorist watchlist. He is a co-author of the Sabu Files, an award-nominated investigation into the FBI's use of cyber-informants. He became a staff writer at Gizmodo in 2017.