Ashley Madison CEO knew of potential security flaws, leaked emails reveal
Security flaws were evidently reported around the time of the hack.
On Friday, hackers going by the name Impact Team released more than 100,000 stolen private emails from the inbox of Noel Biderman, CEO of Avid Life Media (ALM), the Toronto, Canada-based company behind Ashley Madison and other dating websites.
An earlier data dump exposed as many as 33 million users of the adultery-themed site, making it one of the largest user data releases in history. The stolen databases included Ashley Madison usernames, street addresses, phone numbers, email addresses, partial credit card information, and more.
The leaked Biderman emails show that on multiple occasions the CEO was contacted by security researchers who believed the Ashley Madison site could be hacked and its customers exposed.
In one email, an information security consultant who identified himself as Jayson Zabate from the Philippines contacted ALM about a security flaw in Ashley Madison.
“I recently browsed into your website [Ashley Madison], as with first instinct I tried to search for a flaw in your application,” wrote Zabate. “After a few attempts, I find security vulnerability on your website.”
Zabate inquired about a reward program for discovering bugs in ALM’s system. According to an email from ALM security chief Mark Steele, who was hired only a few months before the hack became public in July, the company had such a bounty program in place.
In a May 25 email, Biderman was contacted directly by another security researcher named Paul Mutton, who warned that hackers could potentially expose Ashley Madison user-registration data.
“I suspect it might be possible for a third-party website to determine whether a visitor has registered to use AshleyMadison.com, what their username is, and other details pertaining to their account. Interested?” wrote Mutton.
“Given our open registration policy and recent high-profile exploits, every security consultant and their extended family will be trying to trump up business,” Steele told Biderman in a same-day email.
Steele added: “Our codebase has many (riddled?) XSS/CRSF vulnerabilities which are relatively easy to find (for a security researcher), and somewhat difficult to exploit in the wild (requires phishing).”
XSS [cross-site scripting] and CSRF [cross-site request forgery] are two of the most common Web application flaws. XSS lets an attacker inject malicious script into pages a site serves to its users, potentially allowing hackers to harvest usernames and passwords or hijack user sessions, which could give them direct access to accounts without requiring a password. CSRF tricks a logged-in user’s browser into sending requests to the site that the user never intended, such as changing account settings. Both result from mistakes within the code base and are most common in older Web applications.
In an email to Biderman the following day, Steele indicated that Mutton had yet to discover any flaws in ALM’s system, but he wanted permission to conduct penetration tests on the Ashley Madison website.
When Impact Team first revealed its hack of Ashley Madison, the hackers demanded that the site be taken offline due to allegedly dishonest business practices, including a $19 service that promised to completely delete paying users’ data from the company’s databases.
Failure to take Ashley Madison offline would trigger the release of user data and other company information, the hackers wrote—a promise they made good on last week.
While condemning Ashley Madison, the hackers apologized to Steele for breaking through the site’s security.
“Our one apology is to Mark Steele (Director of Security),” the hackers wrote in their manifesto. “You did everything you could, but nothing you could have done could have stopped this.”
Other emails revealed by Impact Team’s leak, uncovered by security reporter Brian Krebs on Tuesday, appear to show that ALM executives hacked a dating service run at the time by Nerve.com, an online culture news site, in 2012, to gain a competitive edge. And in 2013, emails discovered by the Daily Dot show, Biderman and other top ALM executives discussed paying off a former spokeswoman, who threatened to make public her allegations that a company vice president had sexually harassed her.
The spokeswoman, London-based sex expert Louise Van der Velde, demanded £10,000 ($15,686) to stay quiet, though it is unclear from the emails whether ALM paid her the money.
Velde refused to comment on the sexual assault allegations or the related emails. ALM has not returned our multiple requests for comment concerning the hacked emails.
As ALM coordinates with law enforcement agencies in the U.S. and Canada, many former users are preparing to mount legal cases against the company.
A class-action complaint was filed against ALM this week in the U.S. District Court for the Central District of California, alleging a breach of privacy and negligence. In St. Louis, a woman has filed a federal lawsuit claiming that she paid the company to delete her personal information, which was nonetheless discovered in the leak. And another U.S. class-action lawsuit is expected soon from the Dallas-based Schmidt Law Firm, which is accepting clients in all 50 states.
In addition, two Canadian law firms—Stutts, Strosberg LLP and Charney Lawyers—have filed a $573 million suit, which has reportedly drawn interest from over 1,000 Ashley Madison clients.
Jamie Woodruff contributed reporting to this article.
Illustration by Max Fleishman
Dell Cameron was a reporter at the Daily Dot who covered security and politics. In 2015, he revealed the existence of an American hacker on the U.S. government's terrorist watchlist. He is a co-author of the Sabu Files, an award-nominated investigation into the FBI's use of cyber-informants. He became a staff writer at Gizmodo in 2017.