Ashley Madison hack puts 37 million at risk of blackmail

Updated | Thirty seven million users of extramarital dating site Ashley Madison are at risk of being blackmailed after hackers stole information including nude pictures and credit card data from the site it emerged last night.

Hackers calling themselves the Impact Team claim to have completely compromised the user database and financial records of the site, which caters for anonymous married customers looking to have an affair.

The hackers leaked internal data, including the company's bank account information, and are threatening to leak customers' credit card details and secret sexual fantasies unless Ashley Madison and a partner site called Established Men, which matches wealthy businessmen with young women, are taken offline permanently.

A statement from Avid Life Media (ALM), parent company to the two sites, said that all private customer data which was leaked has now been removed and that they were working with law enforcement to trace the source of the attack.

The hack, first reported by computer security site Krebs on Security, was confirmed last night by Ashley Madison chief executive Noel Biderman. The hackers claimed it was motivated by a $19 (€17.50) fee which the site charged users to permanently erase their profile via its 'full delete' feature.

"Full Delete netted ALM $1.7m [€1.6m] in revenue in 2014. It's also a complete lie," wrote the hackers. "Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed."

ALM declined to comment on the allegations.

The hackers also referred to users of the sites as "cheating dirtbags" and said that "many rich and powerful people" would be compromised by the release of user data.

In April, Ashley Madison CEO Noel Biderman told Newsweek that his site had 1.3 million registered users in Spain, 1.1 million in the UK, and between 60,000 and 70,000 each in France, Italy and Germany.

Professor Alan Woodward, a cybersecurity expert at the University of Surrey who advises Europol on cybercrime, says customers' sensitive information is now at risk of falling into the hands of organised crime.

"What happens with the data [obtained by hackers] is that it then gets sold on. You might find that the hackers in this case know organised crime gangs that specialise in blackmail and they'll sell it on to them," says Woodward.

He estimates that a 'fulz' - slang for a personal record including name, address, date of birth and National Insurance number - can sell for £10 (€14) each on the black market.

"If you do a few million of those, it's worth quite a lot of money. So it is big business and organised crime is very interested in buying this data because it allows them to do things en masse," he says.

The Ashley Madison hack comes less than two months after AdultFriendFinder, a dating site which matches users based on sexual fetishes and preferences, was hacked and confidential information from 3.5 million users was leaked.

Dating websites have also been targeted in so-called internet romance scams, where criminals pose as soldiers on tour or nurses in remote locations and seek to extort people looking for love on the sites. A Europol investigation recently seized more than €2.5m from a Nigerian gang based in Italy who were trawling dating websites and scamming users.

Ashley Madison recently announced plans to float on the London Stock Exchange later this year and has previously claimed to be a "recession-proof business". Besides Ashley Madison and Established Men, ALM also runs Cougar Life, which seeks to match older women with young men and claims to have more than seven million members.

Update: Ashley Madison have released a statement clarifying that the full delete option mentioned above does remove all information, including pictures and messages sent to other users. The company has now said they are offering the full delete option free of charge.