Ashley Madison, noted online home of serial adulterers, has confirmed that yes, someone did rummage through its 37-million-strong user database. But the company also denies that it was swindling customers over the ‘paid-delete’ option, and has managed to take down any information leaked thus far.
In a statement issued earlier today, Ashley Madison owners Avid Life Media (ALM) confirmed a “criminal intrusion” into its systems, although it doesn’t comment on the extent of any data loss.
We originally learned about the hack thanks to a post from the hackers themselves, a group dubbed The Impact Team, who posted a sample of information online, along with a manifesto demanding the takedown of Ashley Madison and related site CougarLife. That post quickly vanished, along with the leaked user data. Keeping a secret on the internet (especially one with such salacious details) isn’t normally easy, but ALM seems to have succeeded, using the Digital Millennium Copyright Act to quash any mirrors.
In its slightly rambling manifesto, The Impact Team claimed that ALM’s paid-delete option, a £12 service that promises the deletion of your personal info from ALM’s servers (which, for the record, sounds like bullshit from the outset), was misleading. According to the hackers, ALM retained credit card and address info even after you’d paid your £12.
But according to ALM, that’s not the case: “contrary to current media reports, and based on accusations posted online by a cyber criminal, the “paid-delete” option offered by AshleyMadison.com does in fact remove all information related to a member’s profile and communications activity.”
Notably, that doesn’t mention the credit-card info used to pay the £12 removal charge, which is what the hackers claimed that ALM was hanging onto in the first place.
In either case, it’s been 24 hours, and AshleyMadison is still very much online.
The full statement is posted below:
We were recently made aware of an attempt by an unauthorized party to gain access to our systems. We apologize for this unprovoked and criminal intrusion into our customers’ information. We have always had the confidentiality of our customers’ information foremost in our minds, and have had stringent security measures in place, including working with leading IT vendors from around the world.
At this time, we have been able to secure our sites, and close the unauthorized access points. We are working with law enforcement agencies, which are investigating this criminal act. Any and all parties responsible for this act of cyber–terrorism will be held responsible. Using the Digital Millennium Copyright Act (DMCA), our team has now successfully removed the posts related to this incident as well as all Personally Identifiable Information (PII) about our users published online.
Contrary to current media reports, and based on accusations posted online by a cyber criminal, the “paid-delete” option offered by AshleyMadison.com does in fact remove all information related to a member’s profile and communications activity. The process involves a hard-delete of a requesting user’s profile, including the removal of posted pictures and all messages sent to other system users’ email boxes. This option was developed due to specific member requests for just such a service, and designed based on their feedback.
As our customers’ privacy is of the utmost concern to us, we are now offering our full-delete option free to any member, in light of today’s news.