First a 10Gig dump with the full Ashley Madison database. Then a 20Gig dump with their whole Github repository, and then to top it all off a 300G(!) dump. In an interview with Motherboard the hackers claimed to have data which includes employee emails, internal documents, nude photographs, and private chats between members. However, the Impact Team said it would not release explicit photos of AshMad customers, but did not rule out publishing the private chats and other photographs posted through the adultery website.
When asked about AshMad security, they said "Nobody was watching. No security", when it broke into their servers repeatedly over the past few years. One hacker said, "[We] got in and found nothing to bypass."
The release last Tuesday contained customer data belonging to U.S. government officials, British civil servants and high-level executives at European and North America corporations. We have a copy and will make it available for security purposes. However...
Should You Check For Employees' Emails?
Well, this is a field mired in MANY problems. It's not a can of worms, it's a can of scorpions. First, it depends on your organization. Any government employee that has a clearance (and that is true for many
government contractors as well) is in immediate risk of losing that clearance if they are found to have been engaged in infidelity, as they become a target for blackmail.
Apparently not everyone was smart enough to obscure their real-life identity using a webmail address, though. Robert Hansen, VP of WhiteHat Security found well over 13,000 email addresses from .MIL and .GOV domains and a handful of congressmen among the hacked data. He also identified a substantial number of addresses from various Fortune 500 companies like Microsoft, Cisco, Apple, and Bank of America. Perhaps the most shocking revelation is that Hansen found three accounts using
Vatican.com email addresses.
Here is one of the first real examples of AshMad extortion:
Unfortunately, your data was leaked in the recent hacking of Ashley Madison and I now have your information.
If you would like to prevent me from finding and sharing this information with your significant other send exactly 1.0000001 Bitcoins (approx. value $225 USD) to the following address:
1B8eH7HR87vbVbMzX4gk9nYyus3KnX
Sending the wrong amount means I won't know it's you who paid.
You have 7 days from receipt of this email to send the BTC [bitcoins]. If you
need help locating a place to purchase BTC, you can start here.....
The legal repercussions of scanning the database for email addresses with an organization's domain name need to be clarified and well-understood before that scan is done, each corporate lawyer will have to look into that based on their individual organizational situation.
After that determination, IT and/or HR can look into this database, and see if any organizational email has been used or compromised, which then would have to be deleted and a new email address issued to that user, either with mentioning the reason (or omitting it) again based on Legal's advice.
I could envision you scanning the AshMad database for your domain name, and issuing new creds to employees found, simply with a generic mention that the address was compromised.
A major risk is end-users going to websites that claim to show if their name is in the list. Many of these will be phish-bait and anything typed in will be used for a variety of nefarious purposes or infect their workstation. Any organization should warn their users to watch out for attacks like that. See my recent blog post:
It is clear that educating your users about these risks is very important. If you have not done so already, find out how affordable Kevin Mitnick Security Awareness Training is for your organization, and be pleasantly surprised: