Lessons from the AshleyMadison.com Hack

Peter : On Rad's Radar?
| Peter Radizeski of RAD-INFO, Inc. talking telecom, Cloud, VoIP, CLEC, and The Channel.


In case you live in a cage, a month ago a hacker group broke into Avid Life Media systems and commandeered all of their data. That's right - ALL.

ALM owns a couple of dating sites, most notably AshleyMadison.com, which has the tag line: Life is short; have an affair. The hackers were mad that ALM is basically scamming its users. About 90% of the members are male; many of the female profiles are fake; and ALM charges you a pretty penny to delete your account.

The hackers gave ALM 30 days to take down the sites or the data would be released. They didn't - and it was. Last night.

"The Ashley Madison hack is in some ways the first large scale real hack, in the popular, your-secrets-are-now-public sense of the word. It is plausible--likely?--that you will know someone in or affected by this dump," John Herman wrote.

On Twitter one message stood out to me: Journalists, remember that you are outing people - and suicide is a real possibility. Take care with this info.

What lessons can we learn from this hack?

Nothing is private - at all. Ever. Not even Snapchat and its disappearing images. (They don't disappear. They are stored.)

I am often amazed at the level of dumb in this country. Using government email addresses for this account instead of Gmail, Yahoo or Hotmail?

"Here were millions of people expecting the highest level of privacy that the commercial web could offer as they conducted business they likely wanted to keep between two people (even if a great number of the emails are junk, or attached to casual gawkers, the leak claims to contain nine million transaction records). This hack could be ruinous--personally, professionally, financially--for them and their families," Herman states.

Keep in mind this note from Krebs Security: "Readers should understand that if this dump does turn out to be legit, that just finding someone's name, email address and other data in the archives doesn't mean that person was a real user. As the above-mentioned Graham Cluley points out, AshleyMadison never bothered to verify the email addresses given to it by its users."

Companies do not take security seriously. It is overhead. It is a pain in the ass. They get a $100 million cyber-security insurance policy to cover approximately 65% of the losses from the Target hack.

Ubiquiti Networks was the victim of a cyber-heist to the tune of $46M. That was a social engineering hack foremost. What company even spends a little bit of money on security training and password management?

It is amazing how much data an e-commerce site collects. ALM had 37M records consisting of billing addresses, emails, passwords, date of birth, gender, ethnicity, payment history, phone numbers, credit card info, security questions, sexual preferences, and website activity. Identity theft and blackmail material for certain.

In an age of CryptoLocker ransomware, viruses, malware, key loggers, and even your ISP logging your every move, privacy is an illusion. In the name of technology, we have traded in any privacy at all for toys and convenience.

We have to be smarter about our online activity, especially Millennials and younger.

You would think that after this - and Target, the federal government and Anthem - it would be easier to sell security services. Unfortunately, everyone thinks it won't happen to them. News flash: the list of un-hacked sites is probably smaller than the list of hacked ones. Many of these hacks went undetected for up to 15 months!

Right now everyone should be changing passwords, but they won't. Companies should be scheduling password and security training, but they won't. IT Directors should be checking to see if default accounts are still active and unchanged on systems and gear. People should be updating operating systems and anti-virus software and at the very least running a malware scan, but they won't. This is why we have these issues.

Lastly, back up your critical data - to DVD, flash drive, or any of the numerous inexpensive online drives. Either take actions like these now - or pay for it later. And later is coming. You are not immune.


Troy Hunt has a good read and a way to check whether your email is in the data and you were pwned.
