Ashley Madison, a lesson in the security of our personal data on the Internet

The case of the site for secret meetings between people who are already in a relationship has shown how little attention is paid to data confidentiality, both by those responsible for other people's privacy and by the data owners themselves. Algorithms are not enough to ensure data security. Here are the lessons to be learned.

Ashley Madison is a Canadian site, structured like a social network, that connects people looking for extramarital affairs, secret adventures with partners other than their usual ones or simply new encounters. The service is paid, and registering requires providing several pieces of personal data, such as first name, surname, date of birth, nationality, height, weight, eye and hair color and email address.

To activate certain functions of the site, users can purchase, with payment methods that include credit cards, a series of self-renewing membership packages that let them interact with other users. At that point, each active account can be linked to a bank account and therefore to one precise identity.

All of this data, together with the references needed to assemble it into an ordered collection, was published on the Internet at the end of July. It is therefore possible to learn the full names of those who, for fun or with a real intent to cheat, used the services of the Ashley Madison site, and also how they used them.

The breach, which led CEO Noel Biderman to resign, was claimed by a group of hackers calling themselves the “Impact Team”. The motive? According to those responsible for the attack, the site did not have a balanced number of active female users compared to male users.

Leaving aside the legal aspects, the terrible consequences (two American men and a Canadian committed suicide out of embarrassment at having to explain the presence of their names on the list to their partners) and the grotesque side of the story, some lessons can certainly be drawn about the management of data security on the Internet, but also, unfortunately, about common sense.

First of all, the "Trusted Security Award" badge displayed on the home page of the Ashley Madison website, like the "SSL Secure Site" padlock icon, shows that such security standards are by no means sufficient to let those who hand such sensitive and personal information over to others sleep peacefully: a padlock only attests to encryption of the connection, not to how the data is stored and protected once it reaches the site.

The fact that approximately 15,000 of the email addresses used for registration end in “.gov” or “.mil” speaks volumes about how casually average users employ, for personal purposes, the IT tools made available to them in their workplace.

Passwords were not stored in clear text but hashed with bcrypt. Even this protection, however, seems to have its days numbered. Many Ashley Madison executives had accounts on the site and used the services they themselves provided, and they were the first to violate the most basic rules for managing the security of other people's data and their own. Their archives held seven years of credit card transaction history and the passwords of other payment systems such as PayPal, which showed the typical signs of poor reliability: short, repeated and easy-to-guess words.

Not to mention those who even used Facebook's messaging service to register on the site, which unequivocally links the person's identity to the Ashley Madison account.

There is one thing that many casual users of the dating site are now doing without realizing that they risk making the situation worse: searching for their own name, account or email on the various sites that have sprung up like mushrooms, to see whether it is among the data spread on the Internet. It is as simple and fast as a Google search, with no need to download the whole mass of data, but the risk is that these tools can collect and reveal precisely the confidential information that one fears has been disclosed but which has not yet been, or which awaits only a simple confirmation.

One of these tools, for example, sends emails to people whose address has been searched for by someone on its search engine, and then offers advice on how to act or how to find out more about their alleged presence on the list.

Moral of the story: on the Internet, despite the so-called “cloud era”, entrusting your data, more or less compromising, to unknown third parties does not guarantee that the care taken by algorithms and expert hands will be greater than that which the legitimate owner would take. Distributing this data online for convenience also represents a considerably increased risk factor.
