The Ashley Madison Hack Part 1

When Ashley Madison got hacked, it made international headlines. Why? Because it wasn’t just a major event. It demonstrated how there’s information even more sensitive, even more significant than your credit card, or your social security number: your secrets.

Hosted By

Ran Levi

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, he created the popular Israeli podcast, Making History, with over 12 million downloads as of Aug. 2017.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

Special Guest

Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon’s. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Steve Ragan

Senior Staff Writer at CSO Online. Prior to joining the journalism world in 2005, Steve Ragan spent 15 years as a freelance IT contractor focused on infrastructure management and security. He's a father of two and a well-rounded geek with a strong technical background.

Episode transcript:

The Ashley Madison Hack

Maria’s email account had recently been broken into–so when news broke that the Ashley Madison website had been hacked, the thought of her information being where it shouldn’t was fresh in her mind. Using an online search tool, she decided to check if her email was somehow registered on the site: it wasn’t. Thinking nothing of it, she also put in her fiancé’s email address.

Suffice it to say: the wedding was canceled.

Rick’s marriage was going on two decades, and he had a couple of kids to show for it. Somewhere along the way, he and his wife had lost something–perhaps it was his three-hour commutes to a tiring corporate job, or her overwhelming duties as a stay-at-home mom.

Then Rick hit a full-on midlife crisis: buying a motorcycle, even getting a tattoo. He was on a binge, for things exciting. It led to him thinking about an affair. He never did anything with his Ashley Madison account, but after the site got hacked, Rick received a blackmail letter threatening to reveal his membership. Instead of calling the bluff, Rick owned up to his wife about what he’d done.

She left out the front door that evening. Luckily for Rick, she’d return home the next morning. He and she were about to begin a long journey to healing.

John was a pastor, and an educator. He had a wife and two children, and in his spare time, he enjoyed restoring automobiles. John had struggled with depression and addiction in his past, but was known among his students as a great teacher with a penchant for fun.

John’s name was included in Ashley Madison’s leaked user accounts. Before his wife was able to find that out for herself, she found his body and a suicide note.

“[Cluley] It was bonkers. It was completely crazy because the media grabs hold of this story like no data breach that I had ever seen before and I think when you know the details of what the Ashley Madison website was designed to do, it’s maybe no surprise that the British tabloids and indeed the press around the world, TV stations, radio, everybody, wanted to talk about this adultery site, which was being hacked.”

Hi, I’m Ran Levi, welcome back to the Malicious Life podcast by Cybereason.

Ashley Madison is a website for cheating spouses, sort of like a reverse eHarmony, or maybe an amoral Tinder. The service is owned and operated by Avid Life Media Incorporated–hereafter referred to as ‘ALM’–now under the name Ruby Corporation, based in Toronto, Canada. Noel Biderman founded the company, and could most often be found in suggestive promotional photographs–smiling, perhaps creepily, with one finger to his lips. Due to the covert nature of the Ashley Madison service, most of the public had been either unaware of its existence, or of its sheer popularity. They’d claimed, for example, to sport a user base of 37 million people from over 40 different countries. At one point, that just seemed like an outlandishly high number.

When Ashley Madison got hacked, it made international headlines. Why? Because it wasn’t just a major event. It demonstrated how there’s information even more sensitive, even more significant than your credit card, or your social security number: your secrets.

The Impact Team

July 19th, 2015. It was 9:00 p.m. on a Sunday night when Brian Krebs, an infosec blogger, received a tip–an email, from an anonymous informant.

We are the Impact Team. We have hacked [ALM] completely, taking over their entire office and production domains and thousands of systems, and over the past few years have taken all customer information databases, complete source code repositories, financial records, documentation, and emails, as we prove here. And it was easy. For a company whose main promise is secrecy, it’s like you didn’t even try, like you thought you had never pissed anyone off.

ALM has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails.

“Established Men”, for background, is another ALM site, which connects young women to sugar daddies. A hacker or hackers calling themselves “The Impact Team” had just posted this manifesto online, claiming to have stolen all of the ALM company’s data.

To demonstrate they were serious, the Impact Team included some of Ashley Madison’s internal data in the post: including samples of user information, and a mapping of the company’s internal network.

The reaction to the first Ashley Madison data dump was swift and loud. It became international news, and 37 million people around the world began to hyperventilate. While CEO Noel Biderman personally admitted to reporters what happened, publicly–as Ashley Madison customer service lines became overloaded–company representatives refused to acknowledge the legitimacy of the attack. Those who called in with questions and complaints in those first days were given a range of excuses, or were simply disconnected from the line.

Now there was a ticking clock. Would they comply, or call the hackers’ bluff? The company was able to wipe the hackers’ original data from the internet. Noel Biderman seemed to believe they’d caught the culprit. He told Brian Krebs: “We’re on the doorstep of [confirming] who we believe is the culprit, and unfortunately that may have triggered this mass publication. I’ve got their profile right in front of me, all their work credentials. It was definitely a person here that was not an employee but certainly had touched our technical services.” A press release from the company ended with a quote from a partnering IT expert: “I have no doubt, based on the work I and my company are doing, ALM will continue to be a strong, secure business”. Key words: “continue to be”. It didn’t appear that the company would be backing down from the fight.

Behind the scenes, ALM knew as much about their hacker at the moment of Biderman’s statement as you do about that same hacker right now. Still, with the fate of the company at stake, something had to be done.

Whoever The Impact Team was, they were careful to cover their tracks. They dumped a sneak peek of the stolen data on the dark web, only accessible via an anonymous network client that leaves no trace of its users. Information about it leaked out through anonymous tips to the media. Within the doors of ALM, no trace of intrusion was found. In essence, the criminal robbed the house and left no DNA, no fingerprints behind.

Really, all researchers had to go on was the data itself, and speculation.

“[Ragan] I am Steve Ragan, Senior Staff Writer at CSO Online and one of the reporters who covered the Ashley Madison stuff back in 2015.

There are some clues you can take away from the communications. English is probably not their first language. But they are proficient in English. So they’ve been educated. They know network and hacker parlance.

But when it came to sentence structure and things like this, they weren’t fluid, like a natural speaker would be. They were more – it’s hard to describe what I’m thinking here. They were not nuanced like a natural speaker would be. Like fluid and in the conversation you and I are having.”

Some pointed to the nature of the breach as evidence that it must have been conducted by a current or former employee. Because who else could’ve had that level of access to ALM’s internal databases, right? Notice how this was all based in speculation. John McAfee of McAfee Security, who claimed with “100% confidence” that ALM’s hack was an inside job, also claimed to be sure of the hacker’s gender. How? Because they referred to men as “scumbags” and emphasized Valentine’s Day in their manifesto.

You see what I’m saying here? Nobody really knew anything.

It didn’t help, either, that ALM didn’t have much of a security apparatus in place. One would imagine that, for a company that deals in secret sexual affairs, security would be of highest priority. And yet, in analyses of Ashley Madison’s cyber defense infrastructure after the hack occurred, experts pointed out some notable, if not glaring, flaws in how they handled their ultra-sensitive data. Here’s Graham Cluley, a cybersecurity journalist and blogger.

“[Cluley] We do know that some of their security was quite weak. For instance at first, the passwords which were exposed, we thought they were significantly strong enough and hashed well enough and encrypted well enough that they couldn’t easily be cracked. Then it was later revealed that actually there were bugs in the coding done by Ashley Madison. So that I think it’s something like 15 million of the passwords were relatively easy to crack and once again we have the problem there of people reusing passwords on the multiple sites.”

The findings Graham is referring to come from the work of a hacking team called “CynoSure Prime”. CynoSure is a small group, with a small following, that refers to themselves as “a password research collective.” Their work on the Ashley Madison data dump, however, was anything but modest–all in all, revealing almost as much about ALM and its users as the Impact Team themselves did. To understand how they did it, you have to know a little bit about a cryptography principle called “hashing”.

Hashing 101

You know those people with really convoluted signatures? They can be really nice or really messy, but either way you’re like “how in the world did he get from ‘Ran Levi’ to that jumble of nonsense scribbles?” A hash is kind of like that, but for computer files.

Different hash algorithms work in different ways, but in each case, you start off with a file–whether it be a movie, a page of text, anything–and the bits of information that make up that file get processed through the algorithm. The result will be a number that might seem totally random – but, crucially, just like a signature, each hash is the specific result of the input data it represents. Even if my signature appears random to you, it’s not: it’s specifically based on my name, and it’s not subject to change regardless of the day, time, how I’m feeling when I write it, how many times I write it, why I’m writing it, what I ate just before I wrote it, anything.

Bottom line is that hashes need to appear random so that they reveal nothing about the data they represent. However, because they aren’t random, they can, theoretically, be reverse-engineered.

In Ashley Madison’s case, most of the passwords were hashed, or cryptographically obscured, using a strong hashing function that would make them practically bullet-proof to reverse engineering. However, 15 million of those 36 million hashed passwords stored in their databases contained a specific variable–a token CynoSure called “$loginkey”–hashed using “MD5”. MD5 is a hash algorithm designed in 1991. By 2004, MD5 was considered “broken”. What does this mean? Well, hashes are built to be fast but not too fast–fast so that the hashing process doesn’t take so long, but not too fast, because any hash that’s so quick to process is also quick to crack.

MD5 is kind of like the ‘90s boy band of cryptographic hash functions. It was good for its time–like when The Backstreet Boys were catchy but not too annoying, MD5 was fast but not too fast. With the computing power available today, however, it’s far too quick to crack. Even a regular laptop can do the job. By the time of Ashley Madison’s hack, MD5 wasn’t just broken, it was broken, shredded, and tossed in the can. Like busting out some New Kids On The Block on Spotify, you could say it’s better than nothing, but that’s about all you can say for it. MD5 is so weak by today’s standards, in fact, that even you or I could possibly break it. Here, I’ll demonstrate. Let’s say the data I’m going to hash is the string: “podcast”.

Let me…

I’m going to a website online that will auto-generate an MD5 hash for the password “podcast”, in all lower-case.

Got it.

Okay, here’s my hash: ac9cef…it goes on for 27 more characters, but I’ll spare you the rest of it.

Sounds complicated, right? Kind of like nonsense. But remember what you just learned about hashing: each character in that hash is directly drawn from the data I put in: in this case, the string “podcast”. If my string were “podcasd” with a “d”, the hash would be entirely different–not just randomly different, but specifically different, to reflect that new string.

You may think: how in the world would I be able to crack this hash function, if I didn’t already know the data it represented?

Try this.

I’m now on…

I’m going to copy and paste my hash into the search bar and…

Voilà! Three of the first four search results read “Podcast”, “Podcast – Names and nicknames for Podcast” and “Podcast”. That’s not a coincidence: simply by doing a Google search, I was able to reverse-engineer this hash result to reveal the string it was supposed to be obfuscating. Now do you see quite how broken MD5 is? Google won’t work for every MD5 hash–especially passwords more complex than “podcast”–but it’s telling that, at least under certain parameters, cracking an MD5 hash takes only the same amount of effort as, say, finding out how old I am. The answer, by the way – too old.

CynoSure was able to reveal 11 million passwords in their first 10 days’ work, and the other 4 million shortly thereafter–in total, over 40 percent of the passwords from the site–by exploiting the MD5-hashed tokens.
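The Google lookup above works because an unsalted MD5 of a common word is the same for everyone, so it can be computed once and indexed. The following is an added example, not code from the episode or from ALM: a tiny constructed word list stands in for the search engine's index, and PBKDF2-HMAC-SHA256 from the Python standard library stands in for the slow, salted "strong hashing function" the transcript contrasts MD5 with (bcrypt in the actual ALM database), to show why the same lookup fails against it.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a search engine's index of common strings
# (hypothetical sample data, not taken from the breach).
WORDLIST = ["podcast", "password", "letmein", "123456", "cheaters never prosper"]

# Work factor for the salted hash; this is what makes each guess expensive.
PBKDF2_ITERATIONS = 600_000


def md5_hex(password: str) -> str:
    """Fast, unsalted MD5: the construction behind the weak $loginkey tokens."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup_table(words) -> dict:
    """Precompute one MD5 per word. Done once, it works against every account."""
    return {md5_hex(w): w for w in words}


def crack_unsalted(digest: str, table: dict):
    """Reverse an unsalted digest with a single dictionary lookup (or None)."""
    return table.get(digest)


def pbkdf2_store(password: str, salt: bytes = b"") -> str:
    """Store a password as salt + slow derived key. A fresh random salt per
    account means identical passwords never produce identical records."""
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted_with_table(stored: str, table: dict):
    """The precomputed MD5 table never contains a salted PBKDF2 digest, so the
    lookup that cracked "podcast" in one step finds nothing here."""
    dk_hex = stored.split("$")[-1]
    return table.get(dk_hex)


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    weak = md5_hex("podcast")
    print("unsalted MD5 lookup  ->", crack_unsalted(weak, table))
    strong = pbkdf2_store("podcast")
    print("salted PBKDF2 lookup ->", crack_salted_with_table(strong, table))
    print("verify right password ->", pbkdf2_verify("podcast", strong))
    print("verify wrong password ->", pbkdf2_verify("podcasd", strong))
```

Note that the table defeats every account using an unsalted scheme at once, while against the salted scheme each account would have to be attacked separately at the full iteration cost.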

CynoSure also posted some of their favorite passwords, which range from dumb to dirty to just sad. Sad, like the folks who chose “I think i love my wife,” “Why are you doing this,” and “Cheaters never prosper,” to enter in every time they accessed the site. Then there were those who were more introspective, like “just checking it out” and “good guy doing the wrong thing”, those who were catching onto the whole Ashley Madison scam, like “nobody here” and “they were robots”, and those who thought they were clever, like “my password is password,” “the best password ever,” and “this is a good password.”

“A Fun Place”

Now, back to the week of July 20th, 2015.

With no leads on who their attacker might be, the only question left for ALM to ask was who might have wanted to do harm to their company. That, of course, is harder to answer when you’re talking about a website promoting and facilitating marital infidelity.

As I mentioned earlier, some thought the hacker or hackers might have been a disgruntled employee or two, or maybe someone with close ties to the company. How else would they have known so much about ALM’s internal systems?

You might be interested to learn, though: ALM’s employees, on the whole, seemed to have a pretty good life at the company. For all the sleaze and amorality of their service, you’d think their office headquarters would be filled with bad dudes being inappropriate and coming up with evil plans. Actually, it was quite the opposite. Employees were paid handsomely, and there was free beer at the office. The Financial Post–a business-oriented paper based in Canada–spoke with a number of former employees who all described the office as, quote, “a fun place that cared about its employees.”

There was, of course, another side to working at ALM. Those who spoke with the Financial Post had to do so anonymously, because to work for ALM requires signing a nondisclosure agreement lasting long past your death. Those who did speak described their own work with words like “scummy” and “blatantly manipulative”. They described calls from anguished family members, laying the blame on Ashley Madison for ruining their families, even threatening the lives of the customer service representatives and their families.

It appears all Ashley Madison employees lived with this lingering dichotomy, of their daily lives and the underlying, dirty thing they were helping to make. Still, anyone working for ALM would have known what they’d signed up for from day one. If it were a former employee who hacked the site, what reason would they have for doing so? If it were a disgruntled customer, or family member of a customer, how could they have had such deep knowledge of ALM’s computer systems necessary to accomplish so successful a hack?

The Impact Team, despite how careful they were, did leave small clues to their identity in their manifesto. Among their issues with the lewd and immoral nature of the Ashley Madison service, the quote “fraud, deceit and stupidity of ALM and their members,” the hacker or hackers also took issue with one particular feature of the website. Ashley Madison offers a “full delete” feature, whereby users can shut down their account and wipe all trace of it from ALM’s database for a payment of $19.99. Because of the nature of Ashley Madison, the feature is invaluable. The Impact Team pointed out that they were able to find the data on all users in the site’s history, including those who paid for a full delete. The delete function was, it turns out, purely cosmetic, and fraudulent.

Why did the Impact Team care so much about the full delete fraud? If the hacker was some vengeful wife of an Ashley Madison user, why would she give it any mind? It seems like the sort of thing a former account holder might care about. Or maybe an employee. The manifesto, it seems, only raised more questions than it answered.

And then there was one more mystery left unsolved. When Brian Krebs tweeted out his story introducing the Ashley Madison hack to the world, he got retweeted by one account that seemed particularly notable. Why notable? Because if you were to click on that account on that day, you’d have seen, among other things, this tweet: “Ashley Madison Source.” It received no likes and one retweet. It was also posted before any single media outlet, including Krebs, got word of the story. In other words: this had to be the Impact Team, or at least someone with close ties to them.

Thadeus Zu

Thadeus Zu, @deuszu on Twitter, is a cryptic figure. His name even sounds like some sort of comic book villain, though we can assume it’s fake. His social media pictures are stock images, often of various African-American male models. He pretends to live in Hawaii–even setting his account’s time zone to Hawaii’s–but some digging around indicates he is Australian. For five years he’d been tweeting prolifically, sending out hundreds and hundreds of messages per month despite receiving little to no response to any of it. Sometimes he brags about hacking government websites–other times, the tweets tend to take the form of 140-character dramas. Here’s one string of messages that he posted just before the Ashley Madison hack:

“I turned away from all of that when most folks will do anything to have power, wealth and riches. The best decision I had ever made.

Then, I simply turned up in Canada. Lived there for a year. That was the beginning of my new life. Free as ever as I can even imagine.

And then, I simply disappeared.

While on the same time, lining up everything that I will need for my long voyage through another life that I had always wanted.”

That Zu claims he moved to Canada–where ALM is headquartered–would not have otherwise been notable, if not for a bevy of other red flags surrounding his account.

A few days after the first Ashley Madison data dump, Toronto police gave an otherwise standard press conference on the matter, with a few interesting tidbits of information. They revealed that ALM actually first became aware of the hack on July 12th, one week before news of it went public, when employees at the company found an intimidating notice from the Impact Team on their computer screens, accompanied by the song “Thunderstruck” by AC/DC. AC/DC, for those who don’t know, is a band which, like Zu, originates from Australia. An astute Thadeus Zu follower might note a tweet of his from August 4th, 2012, to a Dutch cybersecurity company whose website he’d just hacked into. “Next time it will be Thunderstruck. #ACDC”.

Twelve hours before first news broke about the attack, Zu was tweeting up a storm. In one, addressed to a contact who, presumably for privacy reasons, he does not tag in the post, Zu writes: “Settle down, amigo. We are setting up a replication server so we can get that show started.” The tweet included a screenshot of the sort of replication server a hacker might want to set up, say, if they were holding onto stores of sensitive corporate data and wanted to release it to the public without fear of losing their copy. If you saw this screenshot yourself, you might notice another tab open in Zu’s browser screen: the YouTube video for AC/DC’s “Thunderstruck”. The show, evidently, was about to start.

In later posts Zu denied being the perpetrator of the ALM hack. His role in the events, and his true identity, remains unknown to this day. In fact, even weeks after the initial attack neither ALM, their hired security nor Canadian police could find their culprit. You could call this a huge failure. Or you could point to all the evidence that the Impact Team meant business–that they’d breached every corner of ALM’s servers, that they were willing to release the most sensitive data online, and that they did it all without leaving a trace behind. Perhaps ALM’s biggest failure was underestimating their opponent. Both Ashley Madison and Established Men stayed online, essentially goading the Impact Team to do their worst.

In the end, they would.

What happened when The Impact Team released a 60 gigabyte data dump stolen from ALM’s databases? That will be the topic of our next episode, the second and last installment of the Ashley Madison Hack series. We’ll explore the fallout of the hack, and how it was used to blackmail innocent and even unrelated people, including one of our guests. We’ll also talk about the inner workings of Ashley Madison and how bots were used to dupe clueless customers. All this and more, next time on Malicious Life.
