8/19/2015 UPDATE: Yesterday the full 10 Gigabyte database was released on the Internet, with all records, including confidential files related to the company itself. People who registered on this site are now easy social engineering targets.
Brian Krebs wrote: "Update, 11:52 p.m. ET: I've now spoken with three vouched sources who all have reported finding their information and last four digits of their credit card numbers in the leaked database. Also, it occurs to me that it's been almost exactly 30 days since the original hack. Finally, all of the accounts created at Bugmenot.com for Ashleymadison.com prior to the original breach appear to be in the leaked data set as well. I'm sure there are millions of AshleyMadison users who wish it weren't so, but there is every indication this dump is the real deal."
ORIGINAL POST: Again, we have a nightmare phishing scenario with the brand new AshleyMadison (AM) hack. A few months ago, the Adult Friend Finder (AFF) website was hacked, and now it is their biggest competitor's turn.
AM is one of the most heavily-trafficked websites in the U.S. and has 37 million registered users, some of whom will overlap with AFF. A rough guess is that 10% of your users may be very worried at this time that their sexual preferences and/or activities are going to come out. These end-users are a security breach waiting to happen.
Large caches of data stolen from online cheating site AshleyMadison.com have been posted online by an individual or group that claims to have completely compromised the company’s user databases, financial records and other proprietary information. The still-unfolding leak could be quite damaging to the users of the hookup service, whose slogan is “Life is short. Have an affair.”
The data released by the hacker or hackers — which go by the name The Impact Team — includes sensitive internal data stolen from Avid Life Media (ALM), the Toronto-based firm that owns AshleyMadison as well as related hookup sites Cougar Life and Established Men.
Here Is The Problem
Any of these 37 million registered users is now a target for a multitude of social engineering attacks. Just one example: you can imagine that a man married to a woman but who is hunting down gay hookups on the side could easily be blackmailed or receive a spear phishing email with a poisoned link that infects his workstation.
People who have extramarital affairs can be made to click on links in emails that threaten to out them. I already see the phishing emails that claim people can go to a website to find out if their private data has been released. This is a nightmare that will be exploited by spammers, phishers and blackmailers who are now gleefully rubbing their hands.
Mass media has not jumped on this yet, but you can count on this breaking news hitting the press big time. If any of your users has registered on AM, they are going to be worried about it. This is a nightmare phishing scenario. Jilted spouses, divorce attorneys and private investigators are undoubtedly already going to pore over the data.
What To Do About It
I suggest that, again, you take immediate preventive action. It only takes one second for a worried end-user (or admin) to click on a link in an email and expose the network to attackers. I recommend you send something like this to your friends, family and end-users. Feel free to edit.
"A few months ago, news broke that the Adult Friend Finder website was hacked. Now it's AshleyMadison, their biggest competitor. These sites are for people who want to cheat on their spouse. The site has 37 million registered users, and these records are now out in the open, exposing highly sensitive personal information. Internet criminals are going to exploit this in many ways, sending spam, phishing and possibly blackmail messages, using social engineering tactics to make people click on links or open infected attachments. Be on the lookout for threatening messages like this that slip through and delete them immediately."
As you can see, stepping your users through effective security awareness training is an absolute must these days. For KnowBe4 customers, we have a new Social Networking template that lures people into clicking on a link to the "haveibeenpwned" website to see if their personal sensitive information was hacked. The subject of the template is "RE: Pictures from your Ashley Madison account were leaked".
PS: If you have not done so already, find out how affordable Kevin Mitnick Security Awareness Training is, and be pleasantly surprised.