Leaked emails from Avid Life Media CEO Noel Biderman reveal that a disgruntled user of the online cheating service Ashley Madison hacked hundreds of the site’s user accounts in 2012.
These latest emails, leaked by the hacking group known as “The Impact Team,” follow several other large data dumps posted to the dark web last week, which revealed everything from government accounts to company source code.
After a 13GB file alleged to contain Biderman’s emails was found to be corrupted Thursday, a revised version was posted the following evening to the hacker’s Tor hidden service. Despite the torrent being incomplete, Infowars was able to extract the file and obtain nearly 200,000 emails.
One such email from Biderman in October of 2012 details how one Ashley Madison user “hacked” multiple accounts and attempted to extort the company.
“Yesterday a user of our site ‘hacked’ a number of accounts on Ashleymadison.com by running a script that would guess at their password,” Biderman wrote. “He then contacted us and attempted to extort free ‘credits/membership’ from us.”
Retaliating against Ashley Madison for allegedly creating fake female profiles, the hacker, who specifically targeted fellow users in Brazil, used the script to breach any account with the password “123456.”
In an email to the company, the hacker claimed to have “made a video accessing each and many other profiles,” listing out several account usernames before demanding a lifetime membership.
“All these users have passwords 123456…” a translation reads. “I await urgent return!!!”
In response, Avid Life Media reset the passwords of affected users and began crafting a “very threatening letter” with “scary concepts” regarding legal action in an attempt to stop the hacker from contacting the press.
“He has threatened to release this information to the media if we do not give him a free lifetime membership within 24 hours of yesterday’s communication,” the employee wrote. “We of course cannot comply with this extortion, since tomorrow he will ask for something else.”
Avoiding a potentially damaging legal scandal, the company was able to stave off media attention after the hacker agreed to delete any obtained data in exchange for a full refund.
A rough translation of a written contract signed by the hacker lists several conditions to the agreement, including the hacker’s promise that his remarks were not legitimate threats.
“I do not have any intention of harming the accounts retained by your customers and if at some point the communication I sent were considered threats, this was only defect in communication, since I did not have any intention of threatening them,” the second point reads. “I have no more intention of using the services and I agree with the lock of my account and my access.”
Although minuscule in comparison to the current hack, the incident illustrates how “private” data stored online is constantly vulnerable to attack.
Avid Life Media Inc. and Avid Dating Life Inc. now face multiple class action lawsuits totaling more than $578 million for the latest breach.