The hack itself is an old story; Ashley Madison was hacked and profile information stolen. What is new is that the group behind the hack, Impact Team, dumped all the data. It has now been made available by many legitimate folks who created searchable online services against the data.
As much as I could enjoy the schadenfreude in this story, I simply cannot. I’m compelled to point out that just because an email is in the database does not mean it is a legitimate account. Email is a notoriously weak verified identifier, and while many websites have a sign-up flow for email verification, many don’t do anything to purge unverified emails. My thesis is that even unverified emails harvested in the sign-up flow have value for marketing purposes and, therefore, remain in the company’s database.
My email, firstname.lastname@example.org, has been used by far too many “jnolans” to count. Often signing up for mundane services like car buying sites, but also for things that would certainly make my wife ask questions, like BlackPeopleFinder.com and an unrelated service for making arrangements with dominatrixes for a variety of, well, services.
The amount of crap I get from websites I have never visited is simple extraordinary. My oldest son has a gmail address that is first name only and I purge over a thousand emails from his account each month, and he’s only used it a few times for sending schoolwork.
The Impact Team has shrewdly wrapped themselves in a veil of moral righteousness to conceal a criminal act. While they aren’t stoning adulterers in the town square – or beheading them in a stadium – they are stealing personal information and using that in a form of extortion.
I find the entire affair, no pun intended, reprehensible and while AshleyMadison is itself objectionable, they are also a victim (of stupidity first and foremost). Despite complete awareness of the risks to the company and their customers, they did not employ best practices to secure their data. In addition to that, they had a sign-up flow and password recovery process that made it exceptionally easy to determine whether or not an email was in their user database. The flawed password recovery feature allowed for an entirely different line of attack employing social engineering to hijack individual accounts.
I won’t shed any tears if they shut down, which they likely will because recovering now is all but impossible, but I won’t celebrate the fact that a group of hackers brought their demise. To do so would welcome a global online sharia law where only those services that pass a moral test can exist.
PS- yeah, I searched for my email in the database! Who wouldn’t?
(Cross-posted @ Venture Chronicles)