Ashley Madison data breach leads to extortion attempts

The fallout from the Ashley Madison data breach continues.

In case you’ve missed the backstory, Ashley Madison was (still is, in fact) a dating site with a difference.

The site openly promotes itself as a way of hooking up with people who are already in relationships, using the tagline “Life’s too short. Have an affair,” and calling itself “the most famous name in infidelity and married dating.”

Ironically, the site also advertises that it has “over 39,470,000 anonymous members” and that it is the world’s “leading married dating service for discreet encounters.”

Many existing customers will be seriously doubting the veracity of the words anonymous and discreet following what seems to be a recent and rather large data breach.

Hackers first claimed to have cracked into the site, and threatened a large-scale dump of user data.

That was followed by a 10GB dump of what was said to be Ashley Madison user data, with security reporter Brian Krebs confirming that at least some of the records in the dump panned out as valid.

Flushed with success, it seems, the hackers soon doubled down on the original 10GB dump by publishing another 20GB of alleged user data.

With that sort of exposure, when Ashley Madison’s website says, “As seen on BBC News, Reuters, The Sun, The Telegraph, The Times,” the company isn’t kidding!

Demanding money with menaces

Unsurprisingly, crooks have now jumped on the breached data and are using it to demand money with menaces.

Brian Krebs has already published a confirmed example as a warning of what to look out for, but that single example seems to be something of a drop in the ocean.

Indeed, Krebs says that he became aware of the scale of the extortion problem when an email filtering company contacted him to say that they were taking special measures just to block outgoing extortion attempts from rogue users of the service.

(The company concerned uses a freemium model where users get modest email volumes for free but can sign up and pay for added services if they want.)

The extortionist called out on Krebs’s site is relying on the already-dumped data, saying that he won’t contact the victim’s spouse if he receives BTC1.00000001, currently just under $200:

Unfortunately, your data was leaked in the recent hacking of Ashley Madison and I now have your information.

If you would like to prevent me from finding and sharing this information with your significant other send exactly 1.0000001 Bitcoins...

That extra one-hundred-millionth of a bitcoin, by the way, is known as a satoshi, after Satoshi Nakamoto, the inventor of the Bitcoin system, and represents the smallest fraction of a bitcoin that can be traded.

What to do?

Should you pay?

We can’t think how that could possibly help, considering that the blackmailers are using data that has already been published.

In the case of ransomware, where crooks are holding a key to unlock your scrambled data and offering to sell it back, we urge readers not to pay up, but we acknowledge that there is a purpose, and a likely positive result, in paying.

Either the crooks send you something you need, and you breathe a sigh of relief at getting your data back; or you just wasted $300 and are stuck without your data anyway.

In the ransomware case, your dealings with the crooks are clearly circumscribed, because once they send you the key, you’re out of trouble, and they lose the threat they’ve been holding over you.

That’s why ransomware crooks have made so much money: word got about that paying up, no matter how galling, actually worked.

But in the case of blackmail on the basis of stolen data that has already been published, there’s nothing to stop the same crook, or another, coming back again and again.

In any case, there’s nothing to stop your spouse from finding the data independently anyway.

There’s also the knotty problem that finding a name, address and email address in the dumped “infidelity” data doesn’t actually say anything at all about the fidelity of the person who uses that email address.

A footnote

You probably take great pains to filter your inbound email for spam, as a way of reducing the levels of annoyance and risk to your users.

But many people don’t make the same effort, or even any effort at all, to filter outbound email.

Here’s a great example that shows why it’s worth it!

What’s leaving your network may be not only an embarrassment to your business but also a handy indicator that there’s an internal security problem you need to fix.