The data stolen by The Impact Team from online infidelity dating website Ashley Madison has been released online. The data includes GPS locations, sexual preferences and credit card details of affected users.
In case you weren’t aware Ashley Madison suffered a breach almost a month ago in which consumer data for roughly 37 million users was stolen.
For more details and Mark James’ comments at the time please refer to this blog post.
In this post we will primarily look at how the data could be abused now that it is in the wild and what people (both Ashley Madison users and otherwise) should be on the lookout for.
What to watch out for?
“The biggest concern has to be targeted phishing emails around this story.” Says Mark James, ESET IT security specialist.
“We will see a flood of emails supposedly from different sources stating possible things like your details are on this list and they can be removed by following this link and even charging a small fee to do so, we always see it.
“Most people will ignore it but a few will be duped into following the instructions to avoid any embarrassment even if they know it’s not true: often it’s the fear of being associated even if you really have not been involved at all.”
An unusual problem with this breach, compared to other we’ve seen of late, is the potential for blackmail or even the attempted blackmail of people who aren’t AM users.
Particularly as AM didn’t always validate their users email addresses, as is standard when creating an online account for almost anything. This means that your email address could be part of the stolen data even if you didn’t have an active account.
Who is to blame?
Attribution is a constant headache when it comes to breaches: do we blame the company for lacking security even though no system is ever 100% secure? Or do we blame the cybercrims who went out of their way to breach a system?
The result is often a 50/50 split including fines for the company in question if they are found to be lacking and prison sentences for the crims if they are caught.
“Apart from the obvious elephant in the room regarding a website designed to cheat on your partner the blame comes from both sides,” as Mark elaborates.
“The website themselves are partly to blame for not protecting the systems from abuse. Whilst I appreciate you can only do so much it is often the case in these examples that silly simple mistakes are to blame for the hack or breach.
“Then of course we cannot forget the actual people who broke into the systems and stole the data, stealing is wrong regardless of the reasons or the methods.”
How will this breach develop?
We will almost certainly see targeted phishing attempts and blackmail as a result of this breach but how will it shake out in a few months’ time?
“Realistically the question has to be asked “do people really care”, our data is compromised on an almost daily basis these days and this is no exception.
“Of course this particular incident is a delicate subject but ultimately it’s just another breach of someone’s servers allowing our data to be released into the public domain.
“Anyone associated needs to ensure they monitor their finances, change any passwords and ensure their internet security products along with operating systems and applications are all up to date and patched to the latest versions.”
Join the ESET UK LinkedIn Group and stay up to date with the blog. If you’re interested in seeing where ESET has been featured in the news then check out our ‘In the news’ section.