How Did Ashley Madison Get Hacked?
Contact Us | |
Free Demo | |
Chat | |
How did Ashley Madison get hacked? Take a look back and relive one of the biggest hacks of 2015, from the first data dump to the CEO resigning, with our updated timeline.
As the news surrounding the Ashley Madison hack rolls on at breakneck pace, keeping up with the latest developments in the story has been challenging. My goal in this post is to provide a one-stop, continuously updated timeline to cover the key events in the Ashley Madison data breach. Check this page for new updates on what is shaping up to be one messiest data breaches of all time and let us know in the comments if anything is missing.
Ashley Madison Hack Timeline: Key Events in the Ashley Madison Data Breach Story
Avid Life Media Employees Get 'Thunderstruck'
July 12, 2015: Avid Life Media (Ashley Madison's parent firm) employees log in to find a message from Impact Team threatening to release company and customer data unless the Ashley Madison and Established Men websites are shut down. Impact Team's ransom message is accompanied by the AC/DC song "Thunderstruck."
Impact Team Announces Hack of Ashley Madison
July 19, 2015: Impact Team publishes their warning message on Pastebin, this time setting a 30 day window for Avid Life Media to shut down the sites before the information is released. The warning is followed by an article from security journalist Brian Krebs announcing the Ashley Madison data breach.
Avid Life Media Responds
July 20, 2015: Avid Life Media issues two statements acknowledging “an attempt by an unauthorized party to gain access to our systems” and announcing a joint investigation conducted by Ashley Madison, law enforcement, and the cybersecurity service provider Cycura.
Impact Team Releases Two Ashley Madison User Names
July 22, 2015: Impact Team releases the names and information of two Ashley Madison users - a man from Brockton, MA and a man from Ontario, Canada - in the first data leak to come from the hack.
'TIME'S UP' for Ashley Madison: The First Data Dump
August 18, 2015: Impact Team's 30 day window expires, but Ashley Madison and Established Men are still online. In a Pastebin post titled "TIME'S UP," Impact Team publishes the first major Ashley Madison user data dump, a torrent file containing nearly 10gb of user email addresses. Media outlets and researchers alike scramble to analyze and validate the data.
Another Statement from Avid Life Media
August 18, 2015: Following the first data dump, Avid Life Media issues another statement on the hack detailing their investigation and asking for information on the incident.
Ashley Madison User Emails Published by Category
August 18, 2015: A categorical breakdown of the email addresses disclosed in the first data dump is posted to Pastebin, revealing many government, military, and corporate addresses that were used to sign up for Ashley Madison accounts.
First Data Dump Confirmed Real
August 18-19, 2015: After a nearly day-long media frenzy met with much speculation over the validity of the leaked data, Brian Krebs discloses that numerous Ashley Madison account holders have confirmed that their information was published.
Ashley Madison Search Websites Appear
August 19-20, 2015: As researchers continue to sift through the first data dump, search websites pop up that let users search to see if their email addresses were leaked.
Impact Team Makes Second Ashley Madison Data Dump: CEO Emails, Source Code, and Internal Data
August 20, 2015: Impact Team leaks a second major dump of Ashley Madison data. Unlike the first, which was primarily user data, this dump contains nearly 20 gigabytes of mostly internal data, including Avid Life Media CEO Noel Biderman's emails and Ashley Madison website source code. A 13 gigabyte file containing Biderman's email is found to be corrupted, and is quickly replaced with the release of a 19 gigabyte file of the CEO's email data.
Impact Team Claims to Have 300gb of Ashley Madison Data - "No Security"
August 21, 2015: In an interview with Vice, Impact Team claims to have over 300 gigabytes of hacked Ashley Madison data. When asked to provide details about their attack, Impact Team claims that it was easy: "We worked hard to make fully undetectable attack, then got in and found nothing to bypass." As for Avid Life Media's security, "Bad. Nobody was watching. No security."
Impact Team Makes Third Ashley Madison Data Dump: More User Data, Personal Details
August 23, 2015: The Ashley Madison data dumps continue with a third round of Pastebin leaks. Leaked data includes a full list of government emails used for accounts (sorted by department) as well as lists of Ashley Madison users in Mississippi, Louisiana, and Alabama. User information published includes email addresses, mailing addresses, IP addresses, signup dates, and total amounts spent on Ashley Madison services.
Ashley Madison Hit with $578M Class Action Lawsuit
August 24, 2015: Two Canadian law firms announce a joint $578 million class action lawsuit against Ashley Madison on behalf of all Canadians, citing Ashley Madison's 39 million users whose information has been exposed as well as the many users who paid Ashley Madison's delete fee but did not have their information removed.
Toronto Police: Tragedy Linked to Ashley Madison User Data Leak
August 24, 2015: In the most tragic news to come out of the Ashley Madison hack, Toronto police report two suicides following dumps of user data.
Ashley Madison Offers $500,000 Reward for Information
August 24, 2015: Following the announcement from the Toronto police, Ashley Madison offers a $500,000 bounty for information on Impact Team or the attack.
Brian Krebs: Ashley Madison CTO Hacked Competing Site
August 24, 2015: After analyzing many of Noel Biderman's emails that were leaked in the second data dump, Brian Krebs publishes an article stating that there is evidence that Ashley Madison founding CTO Raja Bhatia had hacked competing dating site nerve.com in 2012. The leaked emails also included messages from Ashley Madison director of security Mark Steele warning Biderman of multiple cross-site scripting and cross-site request forgery vulnerabilities in their codebase. Steele's emails were as recent as May 25, 2015.
More Data Dumps: User Data by State
August 25-26, 2015: The data dumps continue with state-by-state leaks of personal data of Ashley Madison users from New Jersey, New York, California, Georgia, and Arkansas appearing on Pastebin.
Leaked Ashley Madison Users Face Blackmail Threats
August 27, 2015: Just over a week after the first major data dump, reports of blackmail and identity theft targeting leaked Ashley Madison users surface.
Avid Life Media CEO Noel Biderman Resigns
August 28, 2015: Noel Biderman, whose emails were leaked in the second major Ashley Madison data dump, stepped down on Friday. In a statement from Avid Life Media, the resignation "is in the best interest of the company and allows us to continue to provide support to our members and dedicated employees."
New Statement From Avid Life Media Denounces Media Claims of Phony Female Users, Claims Site Membership Still Growing
August 31, 2015: Avid Life Media releases another statement, this time in response to claims in the media that nearly all of the female profiles on the site were fake or never used. The statement defends the popularity of Ashley Madison, claiming that hundreds of thousands of new users are signing up every week.
Hardcoded Security Credentials Found in Ashley Madison Source Code
September 9, 2015: Security researcher Gabor Szathmari announces that he has discovered poor security practices in Ashley Madison source code, the worst offense being hardcoded security credentials including "database passwords, API secrets, authentication tokens and SSL private keys." Aside from hardcoded credentials, Szathmari also noted that the website didn't employ form or email validation to help screen out bots. Citing numerous critical security risks for Ashley Madison's systems, Szathmari's discovery sheds some light on potential methods that could have been used in the attack.
CynoSure Prime Exposes Ashley Madison Password Failures on Both Ends of the Equation
September 10, 2015: A blog post from a cracking group called CynoSure Prime exposes that Ashley Madison failed to use a robust encryption strategy for its user passwords, allowing the group to crack over 11MM passwords in just 10 days. CynoSure Prime expects to have another 4MM cracked within the next week. The group published an analysis of the top passwords used by Ashley Madison members, who also exhibited poor password security. According to the group, "123456" was the most popular password amongst Ashley Madison users, with over 120k accounts using it to protect them. Much like Gabor Szathmari's discoveries a day earlier, this discovery offers some security "lessons learned" for both businesses and end users:
Companies: Encrypt sensitive data effectively!
Users: Adopt a strong password strategy!
Recommended Resources
All the essential information you need about DLP in one eBook.
Expert views on the challenges of today & tomorrow.
The details on our platform architecture, how it works, and your deployment options.