Ashley Madison cyber-breach: 5 years later, users are being targeted with ‘sextortion’ scams

Kate Fazzini reports: Scammers have found a new way to wring money out of unsuspecting victims of the 2015 breach of the Ashley Madison affair-dating website, by using their stolen credentials in an amped-up version of the common “sextortion” scam. Researchers at email security company Vade Secure found the new scam earlier this year, when they saw a small number of targeted emails with apparent information from Ashley Madison breach victims. The scam emails seemed to be well researched, with not just the users’ email addresses but information like when the victim signed up, their username, and their interests they entered on the site, said Adrien Gendre, chief product officer for Vade Secure. Read more on CNBC.

Infidelity dating site Ashley Madison still gets thousands of new users every day — here’s why

Lindsay Dodgson reports: If you sign up to Ashley Madison, you don’t have to think about what you’re doing as cheating, but “outsourcing your sex life.” “In 2018 we expect our life partners are going to be everything to us — they’ve got to be my best friend, they’ve got to be sexually compatible, they have to be great at coparenting,” Ruben Buell, Ashley Madison’s president and chief technology officer, told Business Insider. “We have to have the same vision of finances, we have to have the same hobbies, the same interests… There’s so much pressure on that one relationship, everything has to be right. “And sometimes, the vast majority of it is right, but maybe there’s something that’s not.” This is one of the reasons Ashley Madison currently sees 20,000 new sign ups a day, and over 40,000 affairs happen on the site every day. Even after the data leak back in 2015, people came back to Ashley Madison. Read more on Business Insider.

Ashley Madison takes your privacy very seriously…. until they don’t…

Thomas Fox-Brewster reports: Despite the catastrophic 2015 hack that hit the dating site for adulterous folk, people still use Ashley Madison to hook up with others looking for some extramarital action. For those who’ve stuck around, or joined after the breach, decent cybersecurity is a must. Except, according to security researchers, the site has left photos of a very private nature belonging to a large portion of customers exposed. The issues arose from the way in which Ashley Madison handled photos designed to be hidden from public view. Whilst users’ public pictures are viewable by anyone who’s signed up, private photos are secured by a “key.” But Ashley Madison automatically shares a user’s key with another person if the latter shares their key first. By doing that, even if a user declines to share their private key, and by extension their pics, it’s still possible to get them without authorization. Read more on Forbes. And no, that wasn’t Forbes’ headline for the story.

Ashley Madison parent corp in proposed $11.2 million data breach settlement

Jonathan Stempel reports: The owner of the Ashley Madison adultery website said on Friday it will pay $11.2 million to settle U.S. litigation brought on behalf of roughly 37 million users whose personal details were exposed in a July 2015 data breach. Ruby Corp, formerly known as Avid Life Media Inc, denied wrongdoing in agreeing to the preliminary class-action settlement, which requires approval by a federal judge in St. Louis. Read more on Reuters.

Ruby Corp issued the following press release:

Ruby Corp. and Ruby Life Inc. (ruby), and a proposed class of plaintiffs, co-led by Dowd & Dowd, P.C., The Driscoll Firm, P.C., and Heninger Garrison Davis, LLC, have reached a proposed settlement agreement resolving the class action lawsuits that were filed beginning July 2015 following a data breach of ruby’s computer network and subsequent release of certain personal information of customers of Ashley Madison, an online dating website owned and operated by Ruby Life Inc. (formerly Avid Dating Life Inc.)

The lawsuits, alleging inadequate data security practices and misrepresentations regarding Ashley Madison, have been consolidated in a multi-district litigation pending in the United States District Court for the Eastern District of Missouri. If the proposed settlement agreement is approved by the Court, ruby will contribute a total of $11.2 million USD to a settlement fund, which will provide, among other things, payments to settlement class members who submit valid claims for alleged losses resulting from the data breach and alleged misrepresentations as described further in the proposed settlement agreement.

Since July 2015, ruby also has implemented numerous remedial measures to enhance the security of its customers’ data.

While ruby denies any wrongdoing, the parties have agreed to the proposed settlement in order to avoid the uncertainty, expense, and inconvenience associated with continued litigation, and believe that the proposed settlement agreement is in the best interest of ruby and its customers.

In 2015, hackers gained access to ruby’s computer networks and published certain personal information contained in Ashley Madison accounts. Account credentials were not verified for accuracy during this timeframe and accounts may have been created using other individuals’ information. Therefore, ruby wishes to clarify that merely because a person’s name or other information appears to have been released in the data breach does not mean that person actually was a member of Ashley Madison.

The plaintiffs’ consolidated class action complaint alleges that the defendants misrepresented that they had taken reasonable steps to ensure AshleyMadison.com was secure and that the data breach resulted in the public release of certain personal information contained in AshleyMadison.com accounts and included account information of some users who had paid a fee to delete their information from the AshleyMadison.com website.

Further information regarding the settlement and the claims process will be made available if and when the settlement agreement is approved by the Court.

SOURCE ruby Life Inc.

Ashley Madison blackmailers threaten to create Cheater’s Gallery exposing members who don’t pay up

Graham Cluley reports: Blackmailers are once again trying to make money out of the notorious Ashley Madison hack, which exposed the details of registered members of the cheating website in 2015. Robin Harris writes on ZDNet that he has received a blackmail threat, alerting him that unless he pays up $500 worth of Bitcoin his personal details will be shared on a new website being created by the extortionists. The site, which the blackmailers claim will be launched on May 1 2017, is said to be called “Cheater’s Gallery”: “On May 1 2017 we are launching our new site — Cheaters Gallery – exposing those who cheat and destroy families. We will launch the site with a big email to all the friends and family of cheaters taken from Facebook, LinkedIn and other social sites. This will include you if do not pay to opting out.” Read more on HotForSecurity.

Ashley Madison Data Breach Claims Should Be Arbitrated, Company Says

Amanda Bronstad reports: AshleyMadison.com’s parent company is hoping to knock out more than 20 class actions filed over its 2015 data breach by invoking online arbitration agreements the plaintiffs signed when they subscribed to its matchmaking services. The move to arbitrate comes after Avid Life Media Inc., which has been rebranded as Ruby Corp., agreed last month to pay $1.6 million to settle claims by the Federal Trade Commission and several state attorneys general over the breach, which compromised financial and personal information of nearly 37 million subscribers. Read more on Law.com.

Ashley Madison investigation by Canada and Australia results in compliance agreement

Ashley Madison marketed itself as a “100% discreet service” for people seeking to have affairs — and bolstered that claim with a fabricated security trustmark — but the company behind the website had inadequate security safeguards and policies, an investigation following a massive data breach has concluded. “Privacy breaches are a core risk for any organization with a business model based on the collection and use of personal information,” says Privacy Commissioner of Canada Daniel Therrien. “Where data is highly sensitive and attractive to criminals, the risk is even greater. Handling huge amounts of this kind of personal information without a comprehensive information security plan is unacceptable. This is an important lesson all organizations can draw from the investigation.” The investigation following the breach of Toronto-based Avid Life Media Inc.’s computer network was conducted jointly by the Office of the Privacy Commissioner of Canada and the Office of the Australian Information Commissioner and identified numerous violations of the privacy laws of both countries. Chief among the concerns identified was the lack of a comprehensive privacy and security framework — even though Avid Life Media (ALM — recently rebranded as Ruby Corp.) was clearly aware of the importance of discretion and security. The company went so far as to place a phoney trustmark icon on its home page to reassure users. The breach of ALM’s data management system came to light in July 2015. After the breach, files taken from the ALM corporate network and Ashley Madison database — including details from approximately 36 million user accounts — were published online. 
The investigation, which examined ALM’s compliance with both the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private sector privacy law and Australia’s Privacy Act, focused on four key issues: Information security; retention and deletion of user accounts; accuracy of email addresses and transparency with users.

The investigation found that certain information security safeguards were insufficient or absent and, although ALM did have some personal information security protections in place, the company fell short when it came to implementing those security measures. For example:

- There were inadequate authentication processes for employees accessing the company’s system remotely.
- ALM’s network protections included encryption on all web communications between the company and its users, however, encryption keys were stored as plain, clearly identifiable text on ALM systems. That left information encrypted using those keys at risk of unauthorized disclosure.
- ALM had poor key and password management practices. For example, the company’s ‘shared secret’ for its remote access server was available on the ALM Google drive — meaning anyone with access to any ALM employee’s drive on any computer, anywhere, could have potentially discovered it. Instances of storage of passwords as plain, clearly identifiable text in emails and text files were also found on the company’s systems.

“Security measures should be documented in writing and include technological, physical and organizational safeguards,” says Commissioner Therrien. “Businesses must also assess risks, align their policies to mitigate those risks and train employees to ensure that policies are actually implemented and followed.”

With respect to the retention and deletion of customer information, the investigation found the company was inappropriately retaining some personal information after profiles had been deactivated or deleted by users.
The investigation also found the company failed to adequately ensure the accuracy of customer email addresses it held — an issue that resulted in the email addresses of people who had never actually signed up for Ashley Madison being included in the databases published online following the breach. This issue raised particular concerns given that, for both users and non-users, any association with a site such as Ashley Madison could cause serious reputational harm.

Finally, with respect to transparency, investigators found that at the time of the breach, the home page of the Ashley Madison website included various trustmarks suggesting a high level of security, including a medal icon labelled “trusted security award.” ALM officials later admitted the trustmark was their own fabrication and removed it. “The company’s use of a fictitious security trustmark meant individuals’ consent was improperly obtained,” Commissioner Therrien says.

Both the Canadian and Australian Commissioners issued a number of recommendations aimed at bringing the company into compliance with privacy laws in a timely fashion. The company cooperated with the investigation and agreed to demonstrate its commitment to addressing privacy concerns by entering into a compliance agreement with the Canadian Commissioner and enforceable undertaking with the Australian Commissioner, making the recommendations enforceable in court.

SOURCE: Office of the Privacy Commissioner of Canada

Related Documents:

- PIPEDA Report: Joint investigation of Ashley Madison by the Privacy Commissioner of Canada and the Australian Privacy Commissioner/Acting Australian Information Commissioner
- Ashley Madison Investigation – Takeaways for all Organizations
- Compliance Agreement Between: The Privacy Commissioner of Canada and Avid Life Media Inc. (Ruby Corp.)

“Life is Short. Get Investigated?” Ashley Madison facing FTC probe

I can’t say I’m surprised, but it’s nice to get some confirmation. Alastair Sharp and Allison Martell of Reuters report that the Federal Trade Commission is investigating Avid Life, parent company of Ashley Madison. But what is the scope of their investigation? Executives admitted to Reuters that the use of “fembots” is part of the investigation, which makes sense under the FTC’s authority to address deceptive practices. But is FTC also investigating their data security in light of their massive breach? I would hope so. Avid Life executives told Reuters they still don’t know how the breach occurred. I expect that this investigation will result in a consent order with a whopping monetary component to reimburse consumers who were duped by fembots, but we’ll see in time. Read the Reuters report.

Utah pulls warrants on Southern Utah websites linked to Ashley Madison hack

Tracie Sullivan reports: Utah authorities are investigating a website allegedly created by a Cedar City resident who published personal information of Southern Utah residents whose names were part of a 2015 website hack. According to four search warrants unsealed last week in 3rd District Court, a Facebook page and a website called AM Southern Utah “disclosed customers’ names, physical and email addresses for the Southern Utah area,” who had allegedly registered with Ashley Madison. The warrants stem from a Utah investigation conducted by the State Bureau of Investigations and are part of a larger FBI investigation into the hack. No one has been charged with a crime in either investigation. Read more on St. George News.