Hackers have stolen and leaked the personal details of users of Ashley Madison – a site that hooks up people who want to have affairs.
A group or individual known as The Impact Team claimed to be behind the attack and that it had data on all of Ashley Madison’s 37 million users and its partner sites, Cougar Life and Established Men, all owned by Canada’s Avid Life Media (ALM).
The Impact Team claims to have access to the company’s user database and is threatening to release all of the information unless the site is taken down. So far the group has released 40MB of data which include credit card details as well as internal ALM files and documents.
ALM confirmed that the hack took place and told CNBC it has managed to take down all the personal information that was posted online by the hackers.
“Using the Digital Millennium Copyright Act (DMCA), our team has now successfully removed the…posts related to this incident as well as all Personally Identifiable Information (PII) about our users published online,” ALM said in an emailed statement.
“Our team of forensics experts and security professionals, in addition to law enforcement, are continuing to investigate this incident and we will continue to provide updates as they become available.”
It is unknown how many people managed to see the leaked adultery site’s personal details. Ashley Madison has always been a controversial site. Earlier this year, in an op-ed for CNBC, the service’s CEO Noel Biderman explained why people cheat.
“Cheating is like the secret glue that keeps millions of marriages together. I would cheat before I would leave,” he said.
The Impact Team stated its reason for the hack which seemed to relate around a data retention practice. The hackers said that ALM had lied to users when it said it would remove personal details from its sites for a $19 fee.
The hackers claim that the full delete feature that Ashley Madison advertises promises “removal of site usage history and personally identifiable information from the site,” but users’ purchase details – including real name and address – aren’t erased.
“Full Delete netted ALM $1.7mm in revenue in 2014. It’s also a complete lie,” the hacking group claimed in a manifesto, according to Krebs on Security, the site that broke the story.
“Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.”
At the time of publication, CNBC was awaiting a comment from ALM on Impact Team’s accusations.
Speaking to specialist security blog “Krebs on Security”, Biderman said that the work may have been done by a former employee or contractor.
“We’re on the doorstep of [confirming] who we believe is the culprit, and unfortunately that may have triggered this mass publication,” Biderman said.
“I’ve got their profile right in front of me, all their work credentials. It was definitely a person here that was not an employee but certainly had touched our technical services.”
The Ashley Madison hack follows a similar attack on another dating website called Adult FriendFinder earlier this year.