A Timeline of the Ashley Madison Hack
The news about the Ashley Madison hack has broken out at a very fast pace. Keeping up with the current story can be challenging, so here is a one-stop solution for that. Here we cover the timeline of key events during the Ashley Madison leak of data.
Key Events in the Ashley Madison Hack
July 12, 2015: Employees at Avid Life Media get “Thunderstrucked”
Employees of the Ashley Madison’s parent company, Avid Life Media, start their day normally in the office except for a message from “Impact Team” that’s ordering them to release both company and customer data or else their websites would be shut down. This seemingly random message is accompanied by the classic AC/DC song “Thunderstruck”.
July 19: Ashley Madison Hack is Officially Announced
The Impact team now publishes their warnings on Pastebin as they set a 30-day deadline for Avid Life Media to shut down all their websites or else all the information will be released. The warning is then followed by an article coming from Brian Krebs, a security journalist, announcing the Ashley Madison hack.
July 22: Two Ashley Madison User Names Released
The Impact Team releases two names and other personal information from Ashley Madison users. One man from Brocktown, MA and another from Ontario, Canada. This is the first data leak to actually come out of the Ashley Madison hack.
Aug 18: Ashley Madison Runs Out of Time
The 30-day deadline from the Impact Team expires but both Ashley Madison and Established Men websites are still up. A post titled “TIME’S UP” appears on Pastebin and the first major user data dump is published by the Impact Team. Around 10GB worth of personal data was released containing email addresses. Researchers and the media try to analyze and verify the data.
Avid Life Media issues a second statement about the hack right after the first data dump. It details their investigation and is asking for any leads on the incident.
The first data dump is then categorically broken down just hours after it was initially released. It was posted on Pastebin as well and it revealed many government, corporate, and even military addresses used for Ashley Madison accounts.
Within the next 24 hours, the Ashley Madison leak was confirmed real. Brian Krebs disclosed that several account holders say that their information was indeed published.
Aug 19-20: Ashley Madison Search Websites Go Up
Several people create websites that allow users to search if their email address and other personal information are among those leaked.
Aug 20: Second Data Dump from the Impact Team
The second data dump stemming from the Ashley Madison hack was different. While the first one contained mostly user data, the second contained 20GB worth of internal data including emails made by Avid Life Media CEO Noel Biderman. It also included the source code of the Ashley Madison website.
Aug 21: Impact Team Claims Ashley Madison has no Security
The Impact Team notes that there was essentially no security within the Ashley Madison website. They were able to get in without any problem. And from that, they were able to acquire over 300GB worth of data from the website including internal and personal information.
Aug 23: Third Data Dump Reveals More Names
The third Ashley Madison leak data dump has more users quivering as it contained more user data. It shows a full list of government emails used to create accounts. Aside from email addresses, the data dump also included sign up dates, IP addresses, mailing address, and even total amount of money spent on Ashley Madison’s services.
Aug 24: $578M Class Action Lawsuit against Ashley Madison
A joint $578 million class action lawsuit was announced by two Canadian firms on behalf of all the Canadians affected by the leak. It cited that Ashley Madison’s 39 million users’ privacy was breached as their information were exposed due to lack of security. It also cited users who paid the company’s “delete fee” but their data was apparently still there.
Tragically, Toronto police also announced two suicides on this day which apparently were connected to their information being leaked.
Ashley Madison then announces a $500,000 bounty on the attackers following the announced suicides.
Security journalist Brian Krebs publishes an article on the same day as well that shows evidence of Ashley Madison founding CTO named Raja Bhatia hacked a competing dating site in 2012 called Nerve.com. It also shows that Ashley Madison Director of Security Mark Steel has warned the CEO, Noel Biderman, several times about vulnerabilities in their codebase. These warnings were as recent as May 25, 2015.
Aug 25-26: Data Dumps by State
The data dumps continue from the Impact Team as they release personal data of Ashley Madison users by state including New York, New Jersey, Georgia, California, and Arkansas. All of these were posted on Pastebin.
Aug 27: Ashley Madison Hack leads to Blackmail Threats
A week after the first data dump due to the Ashley Madison hack, reports of blackmail and identity theft against Ashley Madison users come to light.
Aug 28: CEO of Avid Life Media Noel Biderman Resigns
Ten days after the initial data dump and 8 days after his emails were leaked due to the Ashley Madison hack, CEO of Avid Life Media Noel Biderman steps down. In a statement, he notes that his resignation is for the best interest of the company and it allows them to support the members and dedicated employees.
Aug 31: Avid Life Media Releases Statement, Claims Site Membership still Growing
In another statement, Avid Life Media says that they still receive hundreds of thousands of new users every week. It also counters the media’s claims that nearly all female profiles on the website were fake or have never been used.
Sept 9: Security Credentials found Hardcoded in Ashley Madison Source Code
Gabor Szathmari, a security researcher, announced that he discovered that Ashley Madison had poor security practices. One of the worse offenses is hardcoding security credentials such as database passwords, authentication tokens, API secrets, and SSL private keys. He also noted that there were no measures to screen out bots. He cited numerous security risks that led to the Ashley Madison hack.
Sep 10: CynoSure Exposes Password Failures
A cracking group called CynoSure released a blog post that exposes Ashley Madison’s failure to use robust encryption stratigies for its user passwords. This allowed the group to hack over 11M passwords within 10 days. The group also published the top passwords used by Ashley Madison members showing that “123456” was the most popular one and the least secure of course. Over 120k users use that password.
The Ashley Madison hack teaches us one thing, do not be lax when it comes to security. Encrypt sensitive data. Use all and any tools possible in order to secure data and ensure that only verified users are able to access your system. It might save your entire operation.