Ashley Madison Compromise

Last month Brian Krebs reported that the Ashley Madison database was compromised. Ashley Madison is a dating site that targets married folks who are looking to have affairs. Needless to say, there is a lot of risk for users if their data is found on the released data. Today what is supposedly the Ashley Madison data was released.
The release of this data can have some significant impacts on the site members. Of course there’s the problem of credit card numbers being stolen, but that’s something most of us have to deal with on a regular basis. But there can also be significant relationship repercussions if/when a spouse discovers that their partner has registered on a site to have affairs.
When I first heard of the compromise I wondered if they had my data. You see, they have one of my spamtraps on their unsubscribe list. It just so happened that I visited an unsubscribe link, hosted by Ashley Madison (http://unsub.ashleymadison.com/?ref=2). This was during the time when I decided to unsubscribe from all the spam coming into one of my spamtraps. Is my email address going to be a part of this data dump? If my email address is there, what name do they have associated with it? This is the trap that gets mail addressed to multiple other people. Maybe it’s my email address but their name. Are they at risk for relationship problems or legal problems due to my attempt to unsubscribe?
Of course, Ashley Madison had no incentive to make sure their data was correct. In fact, they were sued for faking data to entice paying members. How much of the released data is false and will there be real harm due to that?
I expect in the next few days someone (or multiple someones) will put up a website where those of us who are curious can search the data. I just hope that people realize how much of the data is likely to be false. Even Arstechnica cautions readers from jumping to conclusions.

Assuming the download turns out to be authentic, people should remember that it was possible for anyone to create an account using the name and e-mail address of other individuals. That means an entry for a given individual doesn’t automatically prove the person was behind it.

Still. There are probably a lot of people worried about this release of data.
 

TXTing
Linking identities to email addresses

Related Posts

Another security problem

I had hoped to move away from security blogging this week and focus on some other issues. But today I see that both CAUCE and John Levine are reporting that there is malware spam coming from a Cheetahmail customer.
Looking at what they shared, it may be that Cheetahmail has not been compromised directly. Given mail is only coming from one /29, which belongs to one customer it is possible that only the single customer account has been compromised. If that is the case, then it’s most likely one of the Cheetahmail users at the customer got infected and their Cheetahmail credentials were stolen. The spammer then gained access to the customer’s Cheetahmail account.  It’s even possible that the spammer used the compromised customer account to launch the mail. If this is the case, the spammer looked exactly like the customer, so most normal controls wouldn’t have noticed this was a spammer.
This highlights the multiple vectors these criminals are using to gain access to ESPs and the mailing systems they use. They’re not just trying to compromise the ESPs, but they’re also attempting to compromise customers and access their accounts so that the spammer can steal the ESPs hard won and hard fought sending reputation.
Everyone sending mail should be taking a long, hard look at their security. Just because you’re not an ESP doesn’t mean you aren’t a target or that you can get away with lax security. You are also a target.

Read More

First spam to Epsilon leaked address

This morning I received the first two spams to the address of mine that was compromised during the Epsilon compromise back in April. Actually, I received two of them. One was the “standard” Adobe phish email. The other was similar but referenced Limewire instead of Adobe.

Read More

Password security

Many of us have lots of accounts on various networking sites, but how much attention do we pay to password security?
If you haven’t heard, someone managed to compromise the Associated Press’ twitter account today. Not only was the account compromised, but they put out a fake tweet claiming that there were explosions at the White House and President Obama was injured.
DowPlungeA funny prank? Maybe. But tweets like this have a real world effect. For instance, the stock market plunged 140 points after the initial reports, rebounding when people realized it wasn’t true.
It’s not clear how the AP twitter password was compromised. There are many possibilities including classic social engineering through to compromised machines inside AP with password sniffers on them.
The lesson here is that we’re all targets, even ‘soft’ seeming targets like social media accounts. Practice safe computing.

Read More