How Hacks Happen

Ashley Madison Breach | Replay

Many Worlds Productions Season 3 Episode 5

With Netflix shining attention on the victims of the 2015 Ashley Madison breach, we're running a replay of our own coverage from 2021 that gets into the dark underbelly that Netflix skipped: lies Ashley Madison told about their services (and their CEO's fidelity), and blackmail attempts from enterprising hacker types. We also put forth evidence that the hacker, who was never caught, is most likely Canadian and a woman.


Welcome to How Hacks Happen. I'm Michele Bousquet, cybersecurity researcher and author. In this episode, we're going to revisit the Ashley Madison breach from 2015, which we covered in an episode in 2021.

In case you don't know, Ashley Madison is a website for married people who want to find someone to cheat with, and there was a breach in 2015 that compromised the privacy of over 30 million people.

Now Netflix has a new three-part series about this breach, but while the Netflix series focuses on the fallout for people who were affected by the breach, our episode focuses more on the breach itself, the technical aspects of it, and some of the other things that got revealed by the breach, like some of the company's shady practices. None of these are covered in the Netflix series.

It might be interesting to note that this is one of the episodes that we recorded back when I had Kerry Pakucko as my co-host. Back then, Kerry did the co-hosting as a favor to me, when I was just getting started, and I wanted someone to sit with me, someone I could talk about the breaches to. And she just did it because she's one of my very best friends, and that's what friends do for each other. After a while I told her that she didn't have to do this anymore, and she said "Okay, bye."

Anyway, we had a great time making this episode, and it has some really good information that could come in handy as you navigate this crazy cyberworld we live in. So buckle up, and let's take a ride.

-----------------------------------------

ORIGINAL EPISODE

Michele: Welcome to How Hacks Happen, where we explain in plain English exactly what goes down in some of the world's most epic hacks. Hello, Kerry.

Kerry: Hey there.

Michele: I have a very exciting topic for this episode. It's the hack of the Ashley Madison website.

Kerry: Oh, that was that website for people who wanted to have affair.

Michele: Would you like to say that?

Kerry: Ooh, that was the website for people who wanted to have an affair, right?

Michele: Mm-hmm. In fact, their tagline was, "Life is short. Have an affair."

Kerry: Juicy.

Michele: Yeah. And also, this wasn't your average breach, your average hack. The hackers weren't after money or power or even bragging rights. The hackers wanted to shut the site down. And they caused all kinds of tragic mischief, including possibly at least one suicide.

Kerry: That is tragic.

Michele: Yes, it is. And I don't think that's what the founders meant when they said life is short.

Kerry: Ouch.

Michele: Too soon? 2015, maybe too soon. We take a lot of requests from our listeners, and this was one of them, an in-depth look at the Ashley Madison breach.

Kerry: Why would someone request that?

Michele: Well, I can think of a few reasons. One is that it has to do with S-E-X.

Kerry: All right, dude, you can say sex out loud. You know, it's not like there are any minors floating around.

Michele: It's true, but people are so easily offended these days.

Kerry: Hey, you know, they're listening to a podcast about the breach of a site for people who want to cheat. They saw the title. They clicked anyway.

Michele: You have a point. In 2002, Canadian entrepreneur Darren J. Morgenstern started up the Ashley Madison website. He cobbled the name together from two popular girls' baby names. The name Ashley peaked as the number one girl's name in 1991 in the USA. As for Madison, fans of the movie Splash from 1984 will recall that when Daryl Hannah and Tom Hanks are walking along in New York City, he asks her to pick a name for him to call her because, you know, she's a mermaid and doesn't have-

Kerry: I think her name was like...

Michele: Yeah. Some screaming lobster name. Yeah. He asked her to pick a name, and he's like naming off all these common girls' names and says, "Oh, look, Madison." Like they're on Madison Avenue. And she's like, that's the name I want. So people started calling their kids Madison right after that. And 17 years later, the name went to number two in 2001, and that was its peak.

Kerry: So the name Ashley Madison was just a fusion of different girls' names.

Michele: Yeah, he wanted to make it sound like an advertising agency, apparently. The tagline for the site was "Life is short, have an affair." The idea was for men and women who wanted little discreet meetups to meet each other and find, you know, intimacy. The promise was secrecy and discretion, a simple business model, but it worked. It wasn't long before they had millions of registered users, over 30 million by 2015, so they claimed. But it wasn't always so rosy for the site. In the first few years of its life, the site had trouble gaining acceptance in the mainstream. For example, in 2009, the site attempted to have the ads put on the Toronto subway, but they were turned down.

Kerry: Well, this was Canada.

Michele: Very proper. They were also turned down by the Super Bowl, though, Super Bowl 43, that same year. They eventually got some airtime for some of their ads, which I can only describe as both silly and brazen.

00:04:19:02  Ashley Madison Commercial:

(One Man Singing) I'm looking for someone other than my wife, other than my wife. Ashley Madison's right. (Two men singing) I'm looking for someone other than my wife, other than my wife. Ashley Madison's right. (Group of men singing) I'm looking for someone other than my wife, other than my wife. Ashley Madison's right.

Kerry: Oh my God, that's hilarious, and pretty ballsy.

Michele: Yeah. Ashley Madison never tried to hide what they're about. They run billboard ads using photos of Bill Clinton and Prince Charles with the line like "What do these men have in common?"

Kerry: Notorious cheaters.

Michele: Yeah. They even hired a female sex therapist to go on talk shows and talk about the benefits of adultery, like that it's supposed to save marriages or something. And the CEO, Noel Biderman, wrote a couple of books on the benefits of adultery.

Kerry: Yeah boy.

Michele: The website's parent company, Avid Life Media, they actually run a whole bunch of sites for different demographics. There's Established Men, for example, which is a site that hooks up sugar daddies with sugar babies.

Kerry: There's an app for that?

Michele: There is, more than one. And there's also Cougar Life, which well, you can imagine what that’s for, you know.

Kerry: Don't even go there. No, we should not join that site.

Michele: Yeah, I suppose if I want a young guy to sleep with-

Kerry: We can just go down to Bourbon Street on any given day.

Michele: Yeah, really. Yeah. Now, to promote these sites, Biderman regularly went on talk shows with his wife. Judging from the numbers, that worked out pretty well for them.

Kerry: They went on talk shows to talk about cheating on each other?

Michele: Actually, no, they both claimed they have or had a monogamous marriage.

Kerry: Huh? Was it actually true? I mean, isn't it a little weird for people who don't cheat to start a cheaters' website?

Michele: Yeah, it is. And like if you decide to start an avocado farm-

Kerry: You would like to eat avocados.

Michele: Right?

Kerry: Let me guess, it wasn't true, and the CEO husband was cheating.

Michele: Kerry, you are psychic. But he didn't get caught until after the breach. So we're getting ahead of ourselves here. Before the breach, there were already some troubling things going on at Ashley Madison. For example, there were reports that the vast majority of women on the Ashley Madison site were fake bot accounts.

Kerry: No. Someone faked something on the interweb? No.

Michele: Shocking, but true. And you know, when I say the vast majority of the female accounts, I mean, like millions.

Kerry: Okay, so what do you mean by a fake bot account really?

Michele: A fake account has no real person behind it. It's an algorithm that talks to people. It says Hi, and it says things that seem real in chat but aren't high.

Kerry: So kind of like an Alexa.

Michele: Right, very much like that. Alexa is obviously not a real person, but she could be made to sound like one a lot of the time under limited circumstances because of the way she's programmed. The bots would make use of fake female profiles that Ashley Madison made, just made up information and photos they got from God knows where. Then the bot would do some activity like maybe respond to messages or post pictures from the fake account.

Kerry: So who made the fake accounts?

Michele: Apparently, Avid Life Media did. In fact, in 2013, an Avid Life Media employee filed suit against her employer, saying that she suffered physical injury from the repetitive motions of making a bunch of fake female accounts, like a thousand of them.

Kerry: Okay, like, if you're taking a job as a computer programmer to program things, you think there's going to be a lot of repetitive motion? Hello, I'm sorry. I just- that just-

Michele: You know, it's my suspicion that she brought this suit to call attention to the fact that there were fake accounts.

Kerry: Okay, that makes more sense.

Michele: You know, they ended up settling out of court and she didn't really need to file suit here. I think she just wanted to make a little bit of a stink about the fake accounts.

Kerry: That makes sense.

Michele: Yeah.

Kerry: So what would happen when some dude would try to hit on a fake bot account?

Michele: I don't know. That's a great question, and not one I was able to answer through my extensive research.

Kerry: You signed up, didn't you?

Michele: Yeah, a couple months ago, in the name of research and science and stuff.

Kerry: And you keep telling yourself that but you have to show me.

Michele: Okay, all right. Take a look.

Kerry: You're on the Cougar website, aren't you?

Michele: No.

Kerry: [inaudible] you're going to pick a one, you got to pick a one.

Michele: I just thought, yeah, I'll try Ashley Madison. So here, let's take a look. Here's my profile.

Kerry: Okay.

Michele: All I did was put up this photo. And this was a professional headshot I had taken for work. No cheesecake, you know, no cleavage even, it's kind of boring. It's just my head. And plus, it's a little blurry. You can't ever really see what I look like.

Kerry: Okay, and with this blurry photo, you got?

Michele: Oh, take a look at all these responses I got.

Kerry: Holy Manoli!

Michele: Dozens and dozens from all over the country. And some are kind of nice, like, there are photos of like this guy, look, he's playing his guitar. And this guy is like, I think he was building a birdhouse or something. And, but some of them are...

Kerry: Oh my God! Dick pics.

Michele: Lots and lots of dick pics.

Kerry: So eight kinds of wrong.

Michele: Sorry. In case you woke up this morning, Kerry, and you're like, I have not seen enough dick pics lately.

Kerry: Said no woman ever, ever. God!

Michele: Okay, the dick pics aside, like, look at this guy, I actually kind of like this guy from Seattle. Look at this. He's playing with his dog. Oh, puppy.

Kerry: How do you know he's not a bot?

Michele: That's a good question. Maybe he is a bot.

Kerry: Do they only have girl bots or do they have boy bots?

Michele: Nobody's ever seen anything about boy bots, because I have-

Kerry: Okay, I guess because men are the more-

Michele: They have enough real men.

Kerry: Okay, got it.

Michele: The idea of having fake women profiles is so that it's less man heavy, there's a little more of a match.

Kerry: Okay. Got it.

Michele: You know, the numbers. We'll find out a little bit more about that later. But, you know, I think I kind of like this guy, maybe I'll respond to him.

Kerry: So alright, but Seattle, that's like what? 2,000 miles away? And aren't you a cat person?

Michele: You know, love should find a way, Kerry.

Kerry: That's [inaudible] I don't know if he agrees with that.

Michele: So now that we've reviewed what Ashley Madison is all about, let's talk about the breach.

Kerry: The breach.

Michele: The breach. Now, to understand the breach, we must get into the wayback machine and go all the way back to the year 2015, July 2015 to be exact. Here we go.

Kerry: All right. Wayback machine.

Michele: So on July 12, 2015, employees at Avid Life Media, which as you recall, is the parent company for Ashley Madison, they get into the office and log into their computers to find a message from somebody calling themselves The Impact Team. The message claims that The Impact Team has stolen a whole bunch of data, and they are going to release it to the public unless the Ashley Madison and Established Men web sites are shut down within 30 days. Now, this breach was different from other breaches in a number of significant ways.

Kerry: Do tell.

Michele: For one thing, it wasn't like say the Equifax breach in that the hackers weren't trying to keep it secret. They weren't trying to steal stuff and stay quiet about it. The Ashley Madison hackers were loud and vocal about the fact that they stole the data. In fact, after Avid Life Media didn't announce the breach in the media, The Impact Team-

Kerry: Dun-dun-dun

Michele: Every time I say Impact Team, it's going to be like Frau Blucher.

Kerry: Exactly.

Michele: Young Frankenstein. Yeah. Okay. So, after Avid Life Media didn't announce the breach in the media, The Impact Team started contacting journalists to tell them about it.

Kerry: Based on the other hacks we've talked about, this is different.

Michele: Yeah, another way that it was different was that they weren't stealing the information for their own monetary gain to sell it or gain some advantage like for identity theft or espionage. They were using it to threaten Ashley Madison directly.

Kerry: So the hackers were objecting to the fact that the site is used for cheating? They hacked it on moral grounds?

Michele: Well, The Impact Team, while the hackers, they didn't seem to have a very good opinion of the two websites and what they were for, but they claimed their real beef was actually fraud. They claimed that Ashley Madison was collecting fees for a service and never delivering it. Ashley Madison had been offering this service where they would delete your data off the site forever for $19. Now, aside from the fact that a site should not charge you to delete your data-

Kerry: Seriously.

Michele: -the hackers claimed that after Ashley Madison collected your $19, they didn't actually delete your data.

Kerry: What? They took people's money and didn't delete their stuff.

Michele: Mm-Hmm.

Kerry: That ain't hardly right.

Michele: That's not right. And Ashley Madison allegedly collected $1.7 million in these fees for this service that they did not deliver.

Kerry: That's a lot of Do Re Mi.

Michele: Mm-hmm. Basically, the hackers were accusing Ashley Madison of a longtime fraud, not an actual mistake, or an error or an oversight, but an actual effort to mislead people for money. And they were going to release the hacked data to prove it. And this added a legitimate accusation to any moral objections that the hackers might have had. I mean, not everybody objects to cheating, but I bet you couldn't find a single person in the world who thinks it's okay for a website to take money for a service and then not deliver it.

Kerry: Roger that.

Michele: But The Impact Team, they had to throw a few digs in there too, like, when they made their initial announcement, they referred to the Established Men website as, "A prostitution/human trafficking website for rich men to pay for sex."

Kerry: Is that what it is?

Michele: Well, it's not supposed to be according to Avid Life Media, but really that would depend on how users use it. The site is advertised as a place for well off men to meet young women, but who knows what people are actually using it for? All you know is if I were a high end escort, you know, I would definitely consider signing up for Established Men and you know, maybe get myself a regular sugar daddy. Why not?

Kerry: Looking for a career change, are you?

Michele: Maybe. Okay, moving right along. So The Impact Team has this message on all the Ashley Madison computers on July 12th, 2015. One interesting point is that Ashley Madison did not come out and say it happened. Nothing about the hack was made public until Krebs On Security reported on it on July 19, a full week later.

Kerry: Who is Krebs on what?

Michele: Krebs On Security. It's a well respected website in the cybersecurity community. It's run by Brian Krebs, who was a cybersecurity reporter for The Washington Post for many years. The Impact Team, they messaged him about the hack and he reported it on his website. Now, Avid Life Media, I'm just going to call them ALM from now on for simplicity.

Kerry: ALM, Avid Life Media. Got it.

Michele: Okay. So ALM, they didn't put out a statement at first. After the hackers contacted Krebs, he asked ALM and they were like, "Oh, yeah, there was a message." And then ALM put out a statement that said, and I quote, "We were recently made aware of an attempt by an unauthorized party to gain access to our systems." An attempt, not an actual breach. ALM is, you know, they're pretty cagey about all this. But to be fair, they haven't seen any evidence that anything was stolen, just a message from the hacker saying that they stole it. ALM says they've hired a cybersecurity company to look into it, and that's about it. And then a week later, on July 19, 2015, The Impact Team, they published the same warning message on Pastebin.

Kerry: What? Paste who? Paste what?

Michele: Pastebin, this is a place where people can post stuff, paste stuff, programming code, or messages or whatever. It's kind of like Facebook or Instagram for programmers, but it's more anonymous. And its purpose is for programmers to share code that they've written, but it can be used for any kind of public content. And Pastebin and other sites like it are hosted on what's called the Deep Web, not the Dark Web, but the Deep Web.

Kerry: It sounds ominous.

Michele: No, it's not too much. It just means that anyone can get there on a regular browser, like Chrome or Firefox or Safari or whatever, but Google and other search engines don't index it. So if you do a search on the content, you won't find it. The only way to find it is with a direct link that someone gives you, that they email you or text you. Kind of like, you know, like an unlisted video on YouTube, for example, anyone with the link can access it, but you can't search for it on the YouTube page or anywhere else. So the links to the Pastebin messages are posted on our Patreon page by the way, if you want to take a look at them, the link is in our show notes.

Kerry: Now, why would The Impact Team use Pastebin to announce the breach?

Michele: My guess is that they were annoyed by ALM not really seeming to take the breach seriously. So they wanted to make sure it went public, but without revealing their identity. This is also where The Impact Team-

Kerry: Dun-dun-dun. I had to break it up a little bit.

Michele: This is also where the hackers give their first deadline, a 30 day deadline for ALM to shut down the sites before all their user information and emails are leaked.

Kerry: So why 30 days? Why not right away?

Michele: I don't know for sure, but I suppose it was to be somewhat realistic or even, you know, fair. These are fair hackers. Ashley Madison sells certain services by the month, so it would be wrong to shut it down right away. And some users only get half a month when they just paid.

Kerry: That does sound very nice of the hackers. Well done, hackers. Very nice of you.

Michele: They're very polite.

Kerry: Very polite.

Michele: Yeah, and that's just another way the hackers were different. Like, they could have launched all kinds of different attacks on these sites that would cause them to crash right away and impact them in much bigger ways. Like, they could have hammered the site with web traffic so they couldn't handle normal traffic. And that's a classic one, it's called a denial of service attack. And this would mess with the site and cause it to be out of commission for a while. But instead they say, "Oh, hey, 30 days, like, we'll just wait over here while you wrap things up. And then in 30 days, we'll release everything. But, you know, you have 30 days to shut it down." It's almost like they wanted everyone at ALM to have time to find another job or something. Like they're just so polite, which is a little tiny factoid that will come in handy when cyber experts try and figure out who did it. But now, we are up to July 19, one week after the first message appeared at ALM, who still hasn't admitted that they've been breached. It's all the attempted breach and the alleged breach and whatever. And then, a couple of days later, The Impact Team, they released the names and information of two Ashley Madison users, count them, two.

Kerry: Oh, both of them.

Michele: Mm-hmm. Seemingly to prove that they have this big treasure trove of data. They say we got two but we got more.

Kerry: Just two.

Michele: Yep. Two people from Canada.

Kerry: Why Canada?

Michele: I don't know. Maybe because it would be easier to verify because ALM is based in Toronto, or maybe because they're Canadian. I don't know.

Kerry: Okay, well, that would make sense, but is that why the hackers are so polite? Because they're Canadian?

Michele: Oh, Kerry, you should be a cyber detective. Personally, I think that's part of the reason, but that's just conjecture. So now we are a couple of weeks into the breach, Avid Life Media is still not admitting they were hacked.

Kerry: They're just ignoring the reports.

Michele: Yeah, they're sticking to this "attempted hack" story. Then, on August 18, a little over a month after the original message to ALM employees, there's another message in Pastebin called "Time's Up." The 30 day window is over. August 18 is the day Impact Team makes the first major Ashley Madison user data dump, a 10 gigabyte file with the information of 32 million users.

Kerry: Holy crap.

Michele: Things like user email addresses and transaction information. And the hackers dumped all this data on the dark web.

Kerry: They dumped it on the dark web. What does that mean? Do you mean the deep web?

Michele: No, the Deep Web is what we were just talking about. But the deep web and the dark web aren't the same. Think of it like, you know, alright, we'll use the analogies here. If you're diving into water in the ocean, if you're on the surface, you're on the surface web, which is web that most of us use to surf around and look for stuff.

Kerry: I'm afraid of deep water.

Michele: Okay, well, that's why we stay on the surface web, Kerry.

Kerry: Okay.

Michele: Where it's safe. Yes. Then we have the deep web, which is a level deeper, and it's not so brightly lit, it's where you have things that aren't indexed by search engines, the kind of stuff we were just talking about. You can still get to it with a normal browser if you have the link, and that's where the Pastebin messages are. Then there's the dark web.

Kerry: I'm scared.

Michele: Oh, yeah. Okay, I'll hold your hand.

Kerry: Okay.

Michele: All right. Now, the dark web, as you dive down now at this point, below the point where you have light, and to access the dark web, you have to use a browser called Tor, you can't just use, you know, Chrome or Safari or something. And there are all these methods you can use to stay anonymous. This means that not only are you anonymous, but so is everyone else that you encounter on the dark web. So it can be kind of a rough place.

Kerry: So have you ever been to the dark web?

Michele: Maybe. Well, all I can tell you is that it's kind of like the bad neighborhood in your town where even the cops never go. That's where you go if you wanted to buy drugs or, you know, hire a hitman or maybe to go to your extremist neo Nazi meeting, or where you can buy pirated movies, or you can get kiddie porn like-

Kerry: Yuck.

Michele: Yeah, basically anything illegal from, you know, the slightly illegal to the extremely illegal. Now, there is some perfectly legal stuff that goes on down in the dark web. In fact, the Tor browser was originally developed in the late 1990s by the United States Naval Research Laboratory. They did it for secret communications over the internet, which they recognized as being inherently open and not private. For example, something you might use the deep web for that's not illegal, is you want to hide your company's secret somewhere, the recipe for your secret sauce, you know, that the dark web would be a great place to do that.

Kerry: Okay.

Michele: But in general, most people have no reason to go to the dark web and lots of reasons not to go.

Kerry: I can understand that completely.

Michele: Yes. You know, in a bad neighborhood, you have a good chance of being physically harmed or robbed or, you know, any number of other unpleasant things can happen to you there. Right? So the digital equivalent in the dark web is that you might get some kind of horrible malware that will infect your entire system and give hackers access to your network. Or you might try and buy something and you get ripped off. And the police might be secretly monitoring whatever deep website where you just bought all that cocaine that you wanted to be mailed to your house, and that's how they catch you.

Kerry: Buying drugs to be sent to you through the mail. Are you kidding me?

Michele: I'm not kidding. That's exactly what the Silk Road website was doing a few years back on the dark web. They provided a sort of eBay type marketplace for whatever and what ended up being sold on there was drugs and weapons. And they even had instructions on how to package the drugs so it wouldn't get flagged as drugs in the US postal system.

Kerry: Wow.

Michele: Yeah. And the guy who started Silk Road, Ross Ulbricht, he's now in prison for life, but that is a story for another time.

Kerry: I want to hear that story.

Michele: On top of all that danger, you have no recourse if things go wrong. The vast majority of the transactions on the dark web use cryptocurrency which is untraceable. So if you buy something, and you'd pay for it, and they never send it to you, how can you file a complaint? Because it's all anonymous, you can't even find out who to complain against.

Kerry: So if it's so dangerous, why would anyone go there?

Michele: Well, besides all the reasons I just said, like buying drugs-

Kerry: Again, go to Bourbon Street on any given day.

Michele: Well, another reason is to get stolen data like credit card information. And, you know, if you're very careful, and you know how to navigate the dangers, the dark web can hold all kinds of riches. So the hackers dumped the Ashley Madison data on the dark web on August 18, about a month after the original message saying ALM has to close down the site or else. And the hackers sent the link to some news outlets like Krebs and other ones, and they invited them to just go get it. And there was this feeding frenzy to get to the data. And I guess they all have their safe methods of getting stuff off the dark web. Also, The Impact Team, they did not charge money for it. They just dumped it on the dark web and told people to just go get it. So one of the most interesting things about the data dump is that some of the email addresses are from military or government email addresses. And I didn't know this until I started researching this episode, but in the military, adultery is actually punishable by dishonorable discharge, or even time in the brig.

Kerry: I actually knew that.

Michele: You did?

Kerry: I did.

Michele: How did you know that?

Kerry: I cannot answer how I knew that. I swear to God, I don't know. But it's like a big old no-no. And in the typical double standard world, the male Army, Navy, Air Force, Marine people who do this, get a slap on the wrist where the women get dishonorably discharged. Shock.

Michele: Oh my God.

Kerry: Oh, the horrors.

Michele: Well, we could have a long discussion about that but we're not going to at this moment, but we can and maybe we should someday. So yeah, these are all some pretty serious consequences. And the military, they did their own investigation on the email addresses that were released in the Ashley Madison breach, and we don't know the outcome of that.

Kerry: Imagine my surprise.

Michele: Yeah, they're not telling anybody anything. Now, all this data is out there now, the hackers have said, here it is come get it. They've sent links to news outlets. Can you guess what Avid Life Media's response to all of this was?

Kerry: I'm guessing it's still an alleged breach.

Michele: Yes. I swear, you have a knack for this, Kerry. ALM's response is that there is "No indication that the files are legitimate."

Kerry: Did they even look at the files?

Michele: I suspect at this point ALM is kind of like, li-la-la-la with their fingers in their ears.

Kerry: Yeah, like if you never go outside or look out the window, you can safely say that there's no indication that the sun exists, you know.

Michele: Precisely. But KrebsOnSecurity, the news site that has been reporting on this from day one, they get in the game, and they see if they can verify any of the users in the data dump. And they find a few people who say they are Ashley Madison users who looked at the data dump and verified that their data is in there.

Kerry: Just a few people?

Michele: Well, they didn't go on a big search, you know, they just- they weren't trying to prove that all the data was legit, just that some of it was legit, that the dump itself was actually legitimately an Ashley Madison data dump. The fact that there were a handful of people that verified their data was there, that at least rules out the idea that the data dump is a complete fake.

Kerry: All right.

Michele: Now we're on August 18, recall that the message about the breach appeared on ALM's computers on July 12, the message that gave ALM 30 days.

Kerry: All right, so July 12 to August 18. That is more than 30 days.

Michele: The polite Canadians again, they gave them a month. And then they're like, okay, you have a couple more days. So with regard to the leaked data, I do want to point out that there's a possibility that some of these email signups were false. If you wanted to mess with somebody, you could just sign them up for Ashley Madison using your email address without their consent.

Kerry: Didn't they do that email verification thing where they send you a link and you have to click on it to verify that it's your email?

Michele: Nope, they didn't. So you could put any email to sign up. I could have put your email in, for example.

Kerry: Under cougars.

Michele: Yes, Cougar Life.

Kerry: Okay, so this breach had some legitimate emails, but maybe not all of them were legit.

Michele: Right. Most likely, a fair number of them are fake. Like, one of them was a government email address for Tony Blair, a former Prime Minister of the UK.

Kerry: Yeah.

Michele: You know, call me skeptical, but I don't think he would be stupid enough to use his government email address to sign up for a cheating site. So with those few that were verified as well, we could assume that some of them were real, but we have no way of knowing which ones or how many.

Kerry: Got it.

Michele: Okay, so let's get up to date here. We were talking about August 18, 2015, when there was a data dump that was around 10 gigabytes in size. According to Wired Magazine, the dump includes names, addresses, phone numbers and emails of members on the Ashley Madison site. But a lot of these are obvious fakes. Like if somebody puts in 123 Main Street in some town as their address-

Kerry: And their name is like Scrooge McDuck.

Michele: Yeah, and their phone number is 1234567. Oh, and a lot of female profiles, by the way, have email addresses that end in @ashleymadison.com.

Kerry: Oh, like that's not a dead giveaway for a bot.

Michele: Bots.

Kerry: Bots, bots, drink. All you in cyber land, drink when you hear the word bots.

Michele: That's right. That's the drinking game for this episode. Whenever we say bots, you take a drink. But the data dump also includes transaction information such as credit card transactions. Now, in order for a credit card transaction to go through, you have to give real information, right? Like a real credit card number, your real address, your real zip code. So this transaction information is the real treasure trove here. It means real people paying real money. And there are millions of them in this data dump. And ALM is still like la-la-la-la with their fingers in their ears.

Kerry: Okay.

Michele: And a few days later, we start to see our first extortionist-

Kerry: But of course, darling.

Michele: It's just so exciting. These are enterprising people. These are people who take their future into their own hands. They're entrepreneurs. And they are looking to make a few quick bucks off the breach.

Kerry: So did these people, the extortionists, find this information on the deep and dark webs?

Michele: Mm-hmm.

Kerry: Aha, so they make money off the breach?

Michele: Yeah.

Kerry: Okay.

Michele: Pretty simple. You know, some guy, some wannabe hacker grabs the Ashley Madison dump, and it has email addresses, right? So they just spam all the email addresses. They send everyone an email, and they're like, "Hey, we have proof that you cheated. And if you don't send us money, we're going to tell your wife or husband."

Kerry: But how would they know how to contact the person's wife or husband?

Michele: They don't, but the person on the other end of the email doesn't know that.

Kerry: Classic blackmail. But isn't that risky? Couldn't someone report them to police and then they get caught?

Michele: Well, not really. Because the place they would send the money, the police- you think the police would trace the address or the bank account that they send it to?

Kerry: Sure.

Michele: Yeah, well, no, because the blackmail email tells them to send cryptocurrency like Bitcoin, which is untraceable.

Kerry: Bitcoin, you are going to have to explain that to me sometime. How can it be untraceable?

Michele: Well, we will actually be talking about that in the next episode.

Kerry: Okay. So how much were they asking for?

Michele: Some asked for around $250 in Bitcoin and there were other ones actually sent through the regular postal mail that demanded as much as $2,000.

Kerry: Seriously, that's it? I would have thought they would ask for a lot more than that.

Michele: I guess they figured if they asked for such a small amount, they would get more money that way.

Kerry: So did it work? Did the blackmailers make any money?

Michele: Well, nobody really knows for sure, but pretty sure they collected a decent chunk of change. And you know, sending out spam is free.

Kerry: And if you send out a million of them, and if even 1% hits, you're on easy street for a minute.

Michele: Very good return on investment. You see entrepreneurship at its best right here.

Kerry: It should be called dirt bag entrepreneurship. But that's just my opinion.

Michele: I know. Back to the breach here. So a few days later, on August 22, there's another data dump a few days after the first one, and this one is all CEO, Noel Biderman's private emails. Recall that he said he and his wife were faithful to one another. Well, the email dumps revealed that Biderman was cheating on his wife.

Kerry: What? The avocado farmer is caught eating the avocados?

Michele: Oh yes, one could say.

Kerry: Oh.

Michele: And taking more than one bite.

Kerry: I am shocked and appalled.

Michele: Oh, really? Still, ALM still hasn't acknowledged the breach. But they offer a $500,000 reward for information leading to the people who are leaking the information.

Kerry: Yeah, there's no breach, but we're going to pay you for telling us who breached the breach.

Michele: Mm-hmm.

Kerry: That is Wackadoodle.

Michele: Yeah, I know. At one point, I was like, what planet are these people from? Like, they keep trying to spin this story hoping it'll go away. I don't know.

Kerry: Aren't there some kind of laws that companies have to follow about informing people of breaches that affect them? Like the users of your site?

Michele: There are now, but there weren't in 2015. Canada didn't get laws like this until 2018. So ALM could keep trying to spin and spin and spin it without really admitting that it happened.

Kerry: Wow. 2018. That was just a few years ago.

Michele: Now, to be fair, I did read an interview with one of the ALM security people. And apparently there were all kinds of copycat data dumps out there, where hackers were claiming it was Ashley Madison member data, but it wasn't.

Kerry: People do that? Hack a bunch of data and then claim it was from somewhere else?

Michele: Well, sure, I remember, these are hackers. You know, and this data was blackmailable. So say somebody got a hold of a data dump, like say it was from any of the breaches of the past few years, like say the one from Target. They can repackage the data a little and claim it was from Ashley Madison, and then they can sell it, like, get more money for it.

Kerry: Kind of like a knockoff of a designer purse.

Michele: Exactly.

Kerry: Data dump knockoffs.

Michele: Mm-hmm. It's a growing industry, entrepreneurs again, it takes all kinds. So the Ashley Madison security people didn't want to say this data dump is real, this one is fake, and so on. So they just said nothing. Right? And I can kind of understand that.

Kerry: They put their heads in the sand like an ostrich.

Michele: Well, you know, they didn't know what to say. But yeah, they kind of did. So now the data dumps continue. One is a list of Ashley Madison users by state. Another is more user data, like how much each user paid for services and the dumps just keep coming and coming and coming. Now, around this time, a couple of Canadian law firms file class action suits against Ashley Madison to the tune of $578 million.

Kerry: Oh my word.

Michele: The lawsuits complain that Ashley Madison's users' privacy was breached because of ALM's lousy security on their website data. The lawsuit also mentions users who pay the $19 fee to have their data deleted and the ALM apparently didn't do it because their data is showing up in the dump. Now, also around this time, The Impact Team, they do an interview over email with vice.com's Motherboard Magazine, where they claim they've been collecting data for years.

Kerry: Years?

Michele: Years, which is another clue that we will explore later. So they answer a whole bunch of questions from Motherboard. My favorite was when they were asked, what other data from Avid Life Media do you have? Meaning stuff they haven't dumped yet. They said they have 300 gigabytes of employee emails and internal documents and tens of thousands of Ashley Madison user pictures, some Ashley Madison chats and messages. Now, 1/3 of the pictures they collected were dick pics-

Kerry: Oh, good Lord.

Michele: -which they said they would not dump.

Kerry: Thank God.

Michele: I know, that's what the world needs, more dick pics.

Kerry: No, it doesn't.

Michele: Oh, by the way, if anyone out there actually does want more dick pics for a small fee, I will zip up all the ones I got sent on my Ashley Madison profile, and I will send them to you.

Kerry: For a small fee, get it.

Michele: Well, I just figure anybody who supports us on Patreon, you just ask and you shall receive. I will send them to you. No questions asked.

Kerry: Why do I get the feeling no one is going to ask for these.

Michele: I certainly hope no one will ask for them. I mean, I really don't want to look at all of them again, but I will if I have to zip them up to support the podcast somehow. So now back to The Impact Team's interview, they also had all employee emails they said, but they wouldn't be dumping them, maybe just the emails from some other executives, but not the rank and file employees, which is kind of, you know, polite of them.

Kerry: More evidence that they are Canadian.

Michele: Exactly. So around this time, toward the end of August, which very sadly, we start to hear about the suicides because of the data coming out publicly.

Kerry: That is sad. Who committed suicide and how do they know it was because of Ashley Madison?

Michele: There was one publicly known story of a pastor actually here in New Orleans, who committed suicide around this time and he mentioned Ashley Madison in his suicide note. And the Toronto Police have mentioned at least one more person but didn't give the person's name.

Kerry: That's horrible.

Michele: It is, isn't it? It's just sad that those folks were so ashamed that they saw suicide as the best alternative. I'm sure their families didn't feel that way. But then on August 28, just six weeks after the hack, CEO Noel Biderman announces that he is stepping down.

Kerry: Why?

Michele: Well, this is announced through an Avid Life Media press release and they don't really say. It's one of those generic announcements about being for the good of the company. But can you blame the guy for wanting to walk away from that mess?

Kerry: Not at all.

Michele: Around this time, writer Annalee Newitz- I love this woman- she published this great analysis of the data dump on the site Gizmodo, giving a pretty compelling argument that the vast majority of female profiles on Ashley Madison are bots.

Kerry: I am so shocked.

Michele: Me too. Now, at the time, ALM admitted that there were more men than women on the site, but they said it was by a factor of six to one or so. Like they said there were 31 million men and 5.5 million women.

Kerry: Wow.

Michele: Annalee Newitz gives this wonderful assessment of the Ashley Madison experience. And I quote, "This isn't a debauched wonderland of men cheating on their wives. It isn't even a sadscape of 31 million men competing to attract those 5.5 million women in the database. Instead, it's like a science fictional future where every woman on earth is dead, and some Dilbert-like engineer has replaced them with badly designed robots."

Kerry: God! That's pretty accurate. Damn!

Michele: Oh God. Now she later amended her opinion somewhat after she got some additional intel on the databases and the data. What she found was, while there are maybe more women on the site than she originally thought, it's not a whole lot more. And even if all the data analysis is wrong, and there are actually 5.5 million women that Ashley Madison claims, a full 14% of those women are- get this- gay women looking for other women.

Kerry: Say what?

Michele: Yeah, Ashley Madison, they don't have bots to deal with gay women or gay men for that matter. So while the straight fembots are contacting the straight dudes and trying to get them to sign up for a premium service, the gays are just left alone.

Kerry: How did that work out for them?

Michele: Pretty well.

Kerry: Cool.

Michele: From what Ms. Newitz can determine. So the irony is, the site actually seems to work well for gay people, maybe because they aren't constantly accosted by bots trying to chat them up, and that leaves them the opportunity to meet real life people. Now, Ms. Newitz had only anecdotal data but it points toward the site being pretty good for the same-sex people.

Kerry: Wow. Who would have thought?

Michele: All right. So on our timeline, we are now into September, and the press and the hacking community are still on something of a feeding frenzy with all the data that's been dumped. I mean, they are gorging themselves. Security firms and hacker groups confirmed things like the requirements for user passwords were abysmal, leading to people being lazy and using passwords like 123456, which is super easy to crack, and over 120,000 user accounts used that password.

Kerry: Over 120,000 accounts?

Michele: Mm-hmm.

Kerry: Hang on a second, maybe those accounts with the password 123456 were all fake bot accounts.

Michele: That is entirely possible. Wouldn't it be interesting to find out? In any case, any website in this day and age should not be allowing six character passwords. It's just wrong. Especially a site that used to brag about how secure they were, which Noel Biderman did on a regular basis before the breach. There was a bunch of other bad security too, like passwords for internal systems were being written into the programming code. So the password could never be changed. And at the same time, all someone had to do is pull up the program code and they could see the password right there.

Kerry: I know nothing, and even I know that's a bad idea. Why would someone put the password in the program?

Michele: Laziness or not really understanding security. Also the naive belief that the code will never be stolen and that it will always be safe from hackers.

Kerry: That is naive, isn't it?

Michele: It is. So, what was the fallout from all this? The media frenzy around the breach kind of died down just a few months later, and we didn't hear much more about it. Now, one landmark was in December 2016, a year and a half after the breach, when the Federal Trade Commission demanded Ashley Madison pay $1.6 million as a penalty for its failure to protect millions of users' data.

Kerry: So is the site still up?

Michele: Yes. Surprisingly, Ashley Madison is still going strong. Now for a while after the breach, they were marketing the site as a place for polyamorous people to find partners. They kind of switched gears a little bit. And they had some weird ads for a while, like where a couple is out and they're both eyeballing this woman and looking at each other and looking at her, you know. But then they went back to their tagline from before, "Life is short, have an affair." Around the time of the breach, there were a lot of predictions that this was the end of Ashley Madison. I mean, nobody would ever trust them again. And if you're going to cheat on this site that promises you discretion, and then your data is going to just get stolen, no one would ever sign up for them again. Right?

Kerry: Men just think with their little heads, not the big ones.

Michele: Yes, so shocking, but true, they have continued to grow and grow. I mean, I really- I thought they would be through after the breach and the release of all that data, but they weren't. And now they have more members than ever. Maybe people are smarter, maybe now they go in, they open up some new Gmail account with some new, you know, completely new name, and they only check it on one computer. I don't know what people are doing, but they have more members than ever. Now, recently, we did have a little bit of uptick in activity around this. In February 2020, we started to see new reports of email blackmail are starting up again using the data stolen in 2015. So I guess in the five or six years since the hack, the blackmailers, they had time to look up the personal details of some of the people named in the hack and, you know, the emails that they're sending out now, they contain this trove of personal information, like the person's address, their login and password, some of their purchasing history, their messaging history, and even the names of some of the people they're related to, like their spouses and children. So these blackmailers, they've maybe had more time to piece together different pieces of information that were let loose in the original hack. They've had time to look things up in public records, like a spouse's name, you know?

Kerry: Okay, so you never told me who actually did the hack.

Michele: The eternal question, who did it?

Kerry: Who did it?

Michele: Now at this point, I think it's important to distinguish between the original hackers, The Impact Team, and the blackmailers, which is a completely separate group of people. There's no evidence that The Impact Team ever sent out any blackmail emails, right?

Kerry: Got it.

Michele: They just wanted them to shut down the sites, which ALM didn't do. And the members of The Impact Team were never caught. So nobody knows for sure who they are. But there have been some pretty good guesses. ALM has said that they know it was someone connected to the company. They hinted that it was a contractor and not an employee. So maybe it was some IT manager under contract, which is common for smaller companies. They don't need a full time IT person, so they have a contractor who comes in from time to time. Now the IT person usually knows all the passwords, they know how to get into everything. They know where everything is kept. So that is a strong possibility. Now then there's John McAfee. He's famous for founding the McAfee security software company. Now McAfee, he personally did an in-depth analysis of all the things that The Impact Team said and came up with an educated guess. He says it was an inside job and a woman did it.

Kerry: Really?

Michele: Mm-hmm. You see The Impact Team, they put out a bunch of manifestos, like when they announced the breach and when they released the data with wording that called cheating men "scumbags." And one of the manifestos makes a reference to how awful some member was for signing up for Ashley Madison on Valentine's Day. Part of McAfee's reasoning is that in general, women take Valentine's Day a lot more seriously than men do.

Kerry: There's a little bit of truth to that, I think.

Michele: I think so. Not everybody, but, you know-

Kerry: Child, I worked in a firehouse and when Valentine's Day came around, these guys would do everything in their power to ignore it. "My wife thinks I'm going to send her flowers, I'm not going to send her any fucking flowers." Which was ridiculous. Just buy a card. Get it over with.

Michele: Right.

Kerry: But I think there is some truth to that, though.

Michele: Yeah. And, you know, we're talking here about he was doing profiling, you know, you can't necessarily get every detail right. But he was talking about the type of person involved in this. So The Impact Team also knew a lot about ALM's infrastructure, where the data was kept in what format and so on, a lot of stuff that an outside hacker would have to work pretty hard to get. But the information itself is not necessarily very valuable. So why would they try so hard to get this not valuable stuff? But The Impact Team knew all of it. And then there was an interview where The Impact Team said they've been collecting data for years. So these are some of the reasons why McAfee put forth that it was an inside job, probably a disgruntled female employee. And since Avid Life Media is headquartered in Toronto, all its employees are likely to be?

Kerry: Canadians.

Michele: Yes, polite Canadians who say things like, "We have stolen all your data, but instead of selling it on the dark web, we are going to give you 30 days to take down the site. Okay, now you have a little over 30 days. We hope that's okay. Okay, go find another job."

Kerry: Yeah.

Michele: Now, in his report, McAfee didn't bring up the Canadian angle. That is my contribution to the sleuthing.

Kerry: But he implies it by saying it was an inside job.

Michele: Yes, all the clues coming together. But since The Impact Team was never caught-

Kerry: We may never know for sure.

Michele: That is right. And that's the story of the Ashley Madison hack. I'm sure this one is a gift that will keep on giving just like the Equifax hack and many others with a long fallout. And now for the credits, my co-host is the intrepid Kerry Pakucko.

Kerry: Hello.

Michele: Our editor is Impish8, and transcript assistance is provided by Charity Cosme. And even though there are still dozens of impatient men waiting in vain for my reply on the Ashley Madison site, they're just going to have to wait. This is How Hacks Happen, signing off.