There’s this German word I love: Schadenfreude. It’s one of those weird words that doesn’t really have a direct English translation, but it roughly means taking joy in other people’s misfortune. It basically describes how I feel about what’s been happening to Ashley Madison recently.
Ashley Madison, for those not in the know, is a dating site that focused on facilitating extra-marital affairs. It can be thought of as the Facebook of philandering, with over 37 million registered, adulterous users. As is so often the case with dating websites, the overwhelming majority of their subscribers (between 90 and 95 percent) were men.
Here’s where the schadenfreude kicks in. They were recently hacked by Impact Team – an otherwise unknown band of hackers – who threatened to leak their entire database unless the cheating website (and companion sites Established Men and Cougar Life) was shut down.
Avid Life Media, who own Ashley Madison, refused to comply. Earlier this morning, 9GB of data from the site was dumped onto a Tor darknet website. It contained everything. Not just usernames and emails, but also internal emails, corporate documents, sexual preferences, biographical data, and even GPS locations. Ouch.
Going through a dump… This wasn't a database hack. This was full scale pwnage of the entire company. Domain hashes, internal docs galore.
— Dave Kennedy (ReL1K) (@HackingDave) August 19, 2015
If you were caught up in the Ashley Madison leak, allow me to express a sincere and Nelson Muntz-like haw haw. I must admit, I’m not terribly sympathetic. But still, as a security writer I feel obliged to tell you a few things.
Change Your Passwords
Ashley Madison were thoroughly and utterly owned. There’s no escaping that. But I should give them credit for having some pretty sensible security procedures.
Passwords in particular were hashed with bcrypt, a deliberately slow, salted password hashing function designed for exactly this job. It was nice to see they weren’t storing passwords in plaintext, or with the near-useless MD5 hashing algorithm.
bcrypt doesn’t make cracking impossible; it makes every guess expensive, and its work factor can be raised as hardware gets faster. Because each hash carries its own salt, an attacker also can’t precompute one lookup table and reuse it against all 37 million records. That means if you used a long, unique password, the odds of it being recovered are relatively slim. But if you used a common or weak password, it will fall to a dictionary attack no matter how the hash was stored, and you should expect it to become public knowledge soon.
Either way, you’d be advised to change your password on any site where you reused your Ashley Madison password, and never use it again.
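To make the bcrypt point concrete, here is an added illustration (not Ashley Madison’s code, and not real data) of a dictionary attack run against a constructed two-user dump stored first with unsalted MD5 and then with a slow, salted hash. Because bcrypt is not in the Python standard library, PBKDF2-HMAC-SHA256 with a high iteration count stands in for it; the property being demonstrated, that the attacker pays a tunable cost for every guess and cannot share that work across salted records, is the same. The wordlist, usernames and passwords are all made up for the example.

```python
"""Dictionary attack against a constructed password dump: unsalted MD5 vs a slow, salted hash.
Added illustration, not Ashley Madison's code or data."""
import hashlib
import os
import time

# bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 with a high
# iteration count stands in for it below (an assumption of this example). The property
# that matters is the same: every guess costs the attacker a fixed, tunable amount of
# work, and the per-record salt forces that work to be repeated for every record.
ROUNDS = 50_000

# Constructed wordlist. A real attack uses millions of previously leaked passwords.
WORDLIST = ["123456", "password", "qwerty", "ashley", "letmein", "iloveyou", "football"]


def md5_hash(password):
    """Unsalted MD5: identical passwords produce identical hashes across all users."""
    return hashlib.md5(password.encode()).hexdigest()


def slow_hash(password, salt, rounds=ROUNDS):
    """Salted, deliberately slow hash (stand-in for bcrypt and its work factor)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()


def build_dump(scheme, users):
    """Simulate the stored credential table under one scheme. `users` maps name -> password."""
    dump = {}
    for user, password in users.items():
        if scheme == "md5":
            dump[user] = {"scheme": "md5", "hash": md5_hash(password)}
        else:
            salt = os.urandom(16)  # fresh random salt per record
            dump[user] = {"scheme": "pbkdf2", "salt": salt, "hash": slow_hash(password, salt)}
    return dump


def crack(dump, wordlist):
    """Recover whatever the wordlist reaches. Returns user -> password (or None)."""
    recovered = {}
    # Unsalted MD5: hash the wordlist once, then every record is a dictionary lookup.
    md5_table = {md5_hash(w): w for w in wordlist}
    for user, rec in dump.items():
        if rec["scheme"] == "md5":
            recovered[user] = md5_table.get(rec["hash"])
        else:
            # Salted: no shared table; each guess is recomputed per record at full cost.
            recovered[user] = next(
                (w for w in wordlist if slow_hash(w, rec["salt"]) == rec["hash"]), None
            )
    return recovered


def seconds_per_guess(scheme, samples=3):
    """Rough per-guess cost on this machine; the ratio between the two schemes is the point."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        guess = "guess%d" % i
        if scheme == "md5":
            md5_hash(guess)
        else:
            slow_hash(guess, salt)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    # Constructed accounts: one weak password, one long random one.
    users = {"alice": "password", "bob": "K9#vq2Lm!xR7tW4e"}
    for scheme in ("md5", "pbkdf2"):
        result = crack(build_dump(scheme, users), WORDLIST)
        print(scheme, result, "%.2e s/guess" % seconds_per_guess(scheme))
```

Run it and the weak password falls under both schemes, which is the caveat above: a slow hash buys time against strong passwords, it does not rescue “password”. What changes is the cost column, where the slow hash is several orders of magnitude more expensive per guess, and the fact that the two runs of the salted scheme produce different hashes for the same password, so the MD5-style one-table-for-everyone shortcut disappears.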
Think About Credit Cards
Included in the data dump were records of financial transactions dating back to 2007. These included names, street addresses, emails and amounts paid, but not full credit card numbers. Each record does contain a four-digit number, which is widely assumed to be either a transaction code or the last four digits of the card number.
In itself, that isn’t much of a problem. There’s not a lot you can do with the last four digits of a credit card number on their own. But some companies do allow you to verify your identity with them.
You might remember in 2012 when Wired columnist Mat Honan had his entire digital life eviscerated. Everything from his Apple mail, to his Google accounts. Even his MacBook and iPhone were remotely wiped.
This was made possible because Apple allowed people to authenticate with only the billing address, and the last four digits of a registered credit card.
It might be a bit paranoid. Hell, I’ve often been accused of being such. But if I got caught up in the Ashley Madison hack, I’d immediately cancel my card, and disassociate it from any of my online accounts.
Expect To Be Punished
Here, I really want to stress something. If you were caught up in the Ashley Madison hack, you should realize that private, intimate details about your life and sexual preferences have been made public. What was once personal is now open for the world to see. That’s just something you have to deal with.
It’s worth pointing out that when dating websites have been hacked in the past, it resulted in the users being vigorously and thoroughly trolled, and their digital lives being flipped upside down.
When 4chan denizens hacked an unnamed Christian social network in 2009, they were able to make off with emails and passwords. These were then used to gain access to Facebook accounts, where the hackers then posted obscene, racist or lewd messages to embarrass the owners.
I didn’t agree with that then, and I wouldn’t agree with it now. That said, I wouldn’t be remotely surprised if something similar happened this time.
According to CSO Online, about 14,000 US government and military emails were found in the dump. British daily The Telegraph has said there were scores of .gov.uk emails. If you were one of them, don’t be surprised if you get in hot water with your employers.
By now, odds are pretty high that there are some tabloid hacks sifting through the leaked dump, probably with the help of someone who knows SQL. They’ll be looking for celebrities and politicians. If you are a public figure and used Ashley Madison, you can pretty much expect to be thoroughly and publicly disgraced.
Although, as we recently saw with Gawker, that’s probably not a good thing.
Every media outlet frantically combing through the Ashley Madison dump should pause for a moment and think of Gawker.
— Aaron Sankin (@ASankin) August 18, 2015
As anyone who’s read Jon Ronson’s magnificent So You’ve Been Publicly Shamed (or, for that matter, watched his latest TED talk) knows, we all share an incredible capacity for collective outrage and public shaming.
Start Making Amends
If you were on Ashley Madison, it’s safe to say you’re probably in a bit of hot water at home. That’s bad news for you, but great news for a few other people:
The Ashley Madison hack will be really bad for a lot of people. Great for divorce lawyers and florists though!
— Matthew Hughes (@matthewhughes) August 19, 2015
Firstly, you should apologize. If your significant other isn’t speaking to you, perhaps send her an emailed apology. Maybe you could take a leaf from Robin Thicke’s book and write her an entire album.
If that doesn’t work and you have to move out of the house for a few days, check out these 10 hotel search engines.
It’s Going To Get Messier
At the time of writing, the Ashley Madison dump has been online for about 12 hours. It’s still very early days. I predict that in the week to come, we’ll see a lot more public embarrassment. A lot more marriages ended, and careers disrupted. It’s going to get messy, indeed.
Already, we’ve seen sites that facilitate access to the leaked data. There’s ashmadlookup.com, which simply confirms whether an email was in the database.
There’s also haveibeenpwned.com, who are taking a slightly different approach. Here, the data is only accessible for those who have verified their email address with them, due to the incredibly sensitive nature of the data.
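The difference between those two designs is worth spelling out, because for a breach like this one an open lookup is itself a privacy problem: anyone (a spouse, an employer, a journalist) can type in someone else’s address and get a yes or no. The snippet below is an added illustration of the gated approach, not code from haveibeenpwned.com or any other real service. It shows a naive open oracle beside a lookup that only answers once the caller presents a token that would have been mailed to the address in question. The breached address set, secret key and token lifetime are all constructed for the example.

```python
"""Breach lookup gated on proof of control of the queried address.
Added illustration of the design choice described above; not code from haveibeenpwned.com."""
import hashlib
import hmac
import secrets
import time

# Constructed sample of addresses found in a hypothetical sensitive breach (not real data).
BREACHED_EMAILS = {"alice@example.com", "bob@example.org"}

SECRET_KEY = secrets.token_bytes(32)  # server-side only; rotating it voids all outstanding tokens
TOKEN_TTL = 15 * 60                   # seconds a mailed verification link stays usable (assumed)


def _normalise(email):
    return email.strip().lower()


def naive_lookup(email):
    """Open oracle. Anyone can ask about any address, so a spouse, employer or reporter
    can confirm membership for someone else with nothing but an e-mail address."""
    return _normalise(email) in BREACHED_EMAILS


def issue_token(email, now=None):
    """Build the token that would be mailed to `email`. Issued for every request, member
    or not, so the act of requesting one reveals nothing about the breach. Only whoever
    can read that inbox will ever see the token, which is what makes it proof of control."""
    expiry = int((time.time() if now is None else now) + TOKEN_TTL)
    msg = ("%s|%d" % (_normalise(email), expiry)).encode()
    mac = hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()
    return "%d.%s" % (expiry, mac)


def verified_lookup(email, token, now=None):
    """Answer only if `token` proves the caller read mail at `email`. The MAC binds the
    token to one address and one expiry, so a token issued for one address cannot be
    replayed against another, and an old token stops working after TOKEN_TTL."""
    try:
        expiry_str, mac = token.split(".", 1)
        expiry = int(expiry_str)
    except ValueError:
        raise PermissionError("malformed token")
    if (time.time() if now is None else now) > expiry:
        raise PermissionError("token expired")
    msg = ("%s|%d" % (_normalise(email), expiry)).encode()
    expected = hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise PermissionError("token not valid for this address")
    return _normalise(email) in BREACHED_EMAILS


if __name__ == "__main__":
    print("naive lookup of someone else's address:", naive_lookup("bob@example.org"))
    tok = issue_token("alice@example.com")          # in practice, e-mailed to alice
    print("alice, with her own token:", verified_lookup("alice@example.com", tok))
    try:
        verified_lookup("bob@example.org", tok)     # alice's token, bob's address
    except PermissionError as e:
        print("bob, with alice's token:", e)
```

The design choice to notice is that `issue_token` never consults the breach set. If it refused to mail tokens for addresses that weren’t in the dump, the request step would become the same open oracle the gated lookup is trying to remove.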
So, what advice does Impact Team have for you?
“Find yourself in here? It was ALM that failed you and lied to you. Prosecute them and claim damages. Then move on with your life. Learn your lesson and make amends. Embarrassing now, but you’ll get over it.”
You can’t argue with that. Ashley Madison systematically failed to protect their customers. I don’t doubt they’ll find themselves in court in the months to come.
Over To You
Were you impacted by the Ashley Madison breach? Do you know someone who was? Want to talk about it? Drop me a comment below, and we’ll chat.