Hackers Claim ‘Profile-Deletion Service’ Prompted Ashley Madison Cheater Leak

07_20_AshleyMadison_01
Ashley Madison founder Noel Biderman demonstrates his website on a tablet computer during an interview in Hong Kong on August 28, 2013. Bobby Yip/Reuters

Couples around the world had an awkward breakfast this morning.

The notorious infidelity-focused website AshleyMadison.com, whose slogan is “Life is short. Have an affair,” was compromised by hackers, investigative journalist Brian Krebs first reported on Sunday night.

An unidentified hacker or hackers, who go by the name “the Impact Team,” got hold of sensitive customer information, including the company’s user databases and financial records, and posted a small portion online. The hackers claim they published the stolen information in response to a misleading profile-deletion option that Avid Life Media (ALM), Ashley Madison’s Toronto-based parent company, offers its customers.

ALM claims that customers can pay $19 to have their profile completely erased, including usage history and personally identifiable information. This, according to the hackers, is untrue, and information like names and addresses are retained.

“Too bad for those men, they’re cheating dirtbags and deserve no such discretion,” the hackers wrote in a manifesto accompanying the leak. “Too bad for ALM, you promised secrecy but didn’t deliver.”

Ashley Madison alone has 37 million users, but hackers also got hold of information from ALM’s other hookup sites, Cougar Life and Established Men. The hackers are threatening to post more customers’ sensitive information online if ALM doesn’t take Ashley Madison and Established Men down. They wrote:

“Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails. The other websites may stay online.”

ALM Chief Executive Noel Biderman confirmed the hack, telling Krebs that the company is “working diligently and feverishly” to take down the stolen information. Several of the sources of the leaked information are no longer accessible. Biderman added that he believes the perpetrator may have once had access to the company’s networks—a theory supported by the hackers’ public apology to the company’s director of security.

“Our one apology is to Mark Steele (Director of Security),” the hackers wrote. “You did everything you could, but nothing you could have done could have stopped this.”

Biderman added, “We’re on the doorstep of [confirming] who we believe is the culprit, and unfortunately that may have triggered this mass publication.... I’ve got their profile right in front of me, all their work credentials. It was definitely a person here that was not an employee but certainly had touched our technical services.”

On Monday morning, ALM released a public statement apologizing to its customers.

“We’re not denying this happened,” Biderman told Krebs. “Like us or not, this is still a criminal act.”