Brian Krebs reports that Ashley Madison, a self-proclaimed site for extra-marital affairs, has been successfully breached. The attackers, a group calling themselves the “Impact Team,” claim they’ve stolen a significant trove of internal information that includes personal details on some, if not all, of the site’s 37 million users. Avid Life Media (ALM), who owns Ashley Madison and other adult-oriented sites such as Established Men and Cougar Life, has confirmed the attack, but not the scope of the data theft.

By Christopher Budd, Threats Communications Manager at Trend Micro
“Putting offline AM (Ashely Madison) and EM (etablished Men) will cost you but if you do not do, it will cost you even more money, allegedly wrote a message in the group claim. We will disseminate the all customer data, including profiles with their sexual fantasies, their nude photos, transactions by credit card, real names and addresses, and all documents and e-mails employees (…). ”
The attackers have issued a simple set of demands: close down AshleyMadison and Established Men immediately, or they will release users’ personal details. Interestingly, their demands do not extend to other ALM-owned sites like Cougar Life.
This isn’t the first online attack to result in an act of extortion. Companies have been threatened for years with crippling distributed denial of service (DDoS) attacks that could take them offline if they didn’t pay up. Three things make this attack and these demands:

• Motivation behind these attacks seem to be driven by a kind of moralistic “hacktivism”
• It’s the latest in a string of attacks and data theft that shifts victim’s consequences from pure money loss (like credit card theft) into the realm of life-impacting events (like blackmail)
• The first instance of extortion where the price asked is the life of the business itself

Analyzing the apparent motivation for this attack, we only need to look at the announcement/threat posted by the Impact Team to see that this is a “hacktivist” attack with a new twist (two actually). They call out the sites that enable bad or immoral behavior (infidelity in the case of AshleyMadison, prostitution/exploitation in the case of Established Men). The Impact Team also calls out ALM on its claim to “promise secrecy but [not] deliver.” The Impact Team cites ALM’s promise to “scrub” subscriber details for a US $19 fee was bogus and that user data is still stored. In this last regard, the hack is similar to the recent Hacking Team attack – an act of vigilantism against bad corporate behavior.
In terms of consequences, we’ve seen the ground shift in the past 12 months. A year ago, in the wake of the Target and other retail data breaches, people were concerned their credit/debit card data had been lost. Now, in the wake of the Anthem, Premera, CareFirst, IRS and OPM compromises, we are worried about much more serious, personal data leaks – information that could be used in a worst-case for blackmail with much more serious real-world consequences than just the loss of some money.
It’s the high-risk associated with collecting and storing comprehensive sensitive data that is giving these attackers the courage to make the boldest online extortion demand seen yet—“go out of business or face the consequences of us releasing this data.” The nature of the stolen data makes the threat credible and the possibility that going out of business may be the lesser of two evils. It also brings us back to the motivations of these attackers. They don’t want money, they want these sites eliminated.
As of right now, we don’t know how this will play out. We do know, however, that this represents another significant escalation in terms of what attackers are doing and could do. It’s no longer just about credit cards and money, it’s about people’s lives and livelihoods.
Please add your thoughts in the comments below or follow me on Twitter; @ChristopherBudd.