The Ashley Madison Hack Part 2

It turns out the Impact Team was not playing around. ALM called their bluff and lost. 37 million people’s lives were now subject to flipping upside down. 37 million of their partners, and many other children of marriages were liable to be exposed to truths they weren’t ready to hear.

Hosted By

Ran Levi

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, created the popular Israeli podcast, Making History, with over 12 million downloads as of Aug. 2017.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

Special Guest

Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon’s. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Steve Ragan

Senior Staff Writer at CSO Online. Prior to joining the journalism world in 2005, Steve Ragan spent 15 years as a freelance IT contractor focused on infrastructure management and security. He's a father of two and rounded geek with a strong technical background.

Episode transcript:

Ashley Madison: Part 2

August 18th. 2015.

In big, bold letters: “Time’s Up!”

ALM has failed to take down Ashley Madison and Established Men. We have explained the fraud, deceit, and stupidity of ALM and their members. Now everyone gets to see their data.

Find someone you know in here? Keep in mind the site is a scam with thousands of fake female profiles. See ashley madison fake profile lawsuit; 90-95% of actual users are male. Chances are your man signed up on the world’s biggest affair site, but never had one. He just tried to. If that distinction matters.

Find yourself in here? It was ALM that failed you and lied to you. Prosecute them and claim damages. Then move on with your life. Learn your lesson and make amends. Embarrassing now, but you’ll get over it.

Hi, I’m Ran Levi, welcome back to the Malicious Life podcast, by Cybereason.

Almost exactly one month after their first warning, the Impact Team posted a link to a data dump stored on the dark web, cryptographically signed with a PGP key, only accessible via a Tor client. At the other end of the link sat 60 gigabytes worth of information, stolen from the databases of ALM Incorporated. Contained within: street addresses, credit card numbers and names of individuals who’d signed up for the Ashley Madison website.

Intriguingly, the intimidating note attached to the Impact Team’s big data dump–the one I just read to you, in full, was visibly empathetic. For a person or group who knew their actions would ruin millions of relationships worldwide, the author of the post seemed to want to calm those implicated by the dump. To Ashley Madison’s users: “embarrassing now, but you’ll get over it.” To the spouses: “Chances are your man signed up on the world’s biggest affair site, but never had one.” You might even read some guilt in this short post, when the author tries to deflect blame for the dump on ALM rather than themselves.

Regardless, it turns out the Impact Team was not playing around. ALM called their bluff and lost. No matter the cause, no matter the intention, 37 million people’s lives were now subject to flipping upside down. 37 million of their partners, and many other children of marriages were liable to be exposed to truths they weren’t ready to hear.

Yes, I know about your secret, that you paid for services from a company that specializes in facilitating adultery. But what makes me a threat to you is that I have also spent several days getting to know about you, your family and others in your life. All you have to do in order to prevent me from using this information against you is to pay me $2000. And before you ignore this letter consider this: You received this via first class mail. It wasn’t a spam email some Nigerian sent to thousands of people. That means I spent money on it. It means I took extensive counter-forensics measures to ensure the Postal Inspector would not be able to track it back to me via post marks or via prints and DNA. It means I paid cash for a printer that couldn‘t be traced back to me. I have spent considerable time and money on you. So if you decide to ignore me, you can be certain that I sure as hell won‘t ignore you.

What you just heard is a sample from a letter submitted to Graham Cluley, a researcher and writer whom you’ve heard in previous episodes of Malicious Life, from an anonymous reader of his blog. That letter demonstrates some of the ways extortionists capitalized on the Ashley Madison hack, and used clever psychological manipulation tactics to blackmail victims of it.

Here is how that letter I just read to you started (I’ll use my own name in place of the actual one listed):

Hello Ran, you don’t know me but I know you very well. As you likely know, the Ashley Madison website was hacked a little while back and in the process some personal information from tens of millions of their clients was compromised. As scary as that sounds, most of their families will never find out. First, they would have to actively seek out the information. Second, the files containing the information are multiple gigabytes in size and are not all that convenient to access if you don’t know how. There will be some spammers who shoot out mass threatening emails to those on the lists but they can safely be ignored. Only the unlucky few will draw the attention of a true blackmailer willing to actually research a target’s family and acquaintances. Unfortunately, Ran, you are one of the unlucky ones.


Now that’s blackmail! I’d give this guy his $2,000, and throw in a 15% tip for good writing.

Notice how the writer uses your real name when addressing you. Plus, you’ve received this letter through the postal service, postmarked to your home. This isn’t your standard mass spam email.

The blackmailer’s line of argument is, frankly, quite logical. For an unwitting spouse to actually discover their partner’s name in the Ashley Madison database during those first days they’d first have to be suspicious enough to look, and motivated enough to act. They’d have to have the technical know-how to access the dark web through an anonymous network client, all while having the research skills to find the correct channels, follow them to the source and find your name amidst the masses. If your significant other checks all those boxes, maybe the Ashley Madison leak isn’t your biggest problem.

The letter does seem to exaggerate some. When the writer says “what makes me a threat to you is that I have also spent several days getting to know about you, your family and others in your life,” they include no specific evidence to back that claim up. The writer describes all the steps involved in sending out the letter, having “spent considerable time and money on you,” but such actions are only cost-ineffective if applied to just one person. In all, the evidence suggests that such a letter could have, and probably was, used repeatedly for large numbers of recipients.

Still, this is one of the more honest blackmail letters you’ll ever hear. The writer doesn’t pretend to be the person who hacked the site originally, or a Nigerian prince, or some sort of strongman. Really, any opportunist could’ve used the Ashley Madison affair as a means of blackmail: because the information was relatively obscure yet publicly accessible. If you wanted to, and put your morals aside, you probably could’ve done it yourself and made a little grub. It’s likely, therefore, that multiple, unaffiliated blackmailers were working separately during those weeks following the hack. The original hacker or hackers that leaked the information in the first place were most likely not involved at all.

Steve Ragan, for instance, had his own experience with his own blackmailer. Steve, Senior Staff Writer at CSO Online, spoke to our producer, Nate Nelson.

[Steve Ragan]: Actually I can pull up the emails. I got some of them, which is really funny, considering the fact that I wasn’t in the database. But the –

[Nate]: Interesting. Directed at yourself.

[Steve Ragan]: Yeah, yeah. They came to one of my drop boxes. So I know that they were spamming a bunch of people from a pre-defined list, not necessarily the Ashley Madison list. Let me –

So the email says, “Unfortunately your data was leaked in the recent hacking of Ashley Madison and I know/have your information.” That’s a direct quote. “I have also used your user profile to find your Facebook page. Using this, I can now message all your friends and family members. If you would like to prevent me from sharing this dirt info with all your friends and family members, perhaps even your employers too, then you need to send one bitcoin to the following BTC address.

These were – in fact, it’s pretty clear at least from my standpoint that they didn’t get it from the Ashley Madison dump. I mean maybe they did use some of those addresses. But the one address they sent it to me on, that wasn’t in the Ashley Madison database. So I don’t know where they would have gotten it. But that wasn’t the source. They were just trying to capitalize on the hype behind the incident.

Now fast forward to the end of October and they shifted. They’re no longer trying to extort you based on Ashley Madison. They started sending out death threats. That’s the final round of messages from them. It said, “You do not know who we are. But we have been tracking you and your loved ones for a while now. We know your schedules. We know where you all live and where you spend your time. We also know how to kill anyone of you without being caught. Now don’t panic. This isn’t personal. You did nothing to deserve this. You were just a handful of families unfortunate enough to draw our attention. However, nobody has to die. Allow us to explain.”

They go on to say if you pay them $3000, they will just leave you alone. But those messages too – the – from the sharing services address at AOL, they dried up towards the middle of November. You never saw them again.

Notice how Steve wasn’t even himself a member of Ashley Madison, and yet his email still became part of the trove that got associated with the hack. How does that happen? Well, it turns out Steve is one of many: large numbers of people who hadn’t been Ashley Madison members–including many who didn’t even know what Ashley Madison was–found themselves on lists they couldn’t have imagined themselves included on prior. Why? Because ALM didn’t require emails–or, really, any information you gave them–to be confirmed.

[Nate] [. . .] I imagine that there were plenty of cases in which people found other people in that data dump or perhaps not. Was it easy at all for individuals, say spouses who suspected their spouses to have been on this site, to search that information?

[Steve Ragan] I could take you Nate and register you at the time and your name would have appeared in the Ashley Madison database.

All I had to do was use your name and an email address. I didn’t even have to use your email address, although I could have, and I would have a verified, at least according to their systems, Ashley Madison account that would be registered to you. So somebody could be like, “Oh, hey, Nate is in Ashley Madison. Uh-oh.”

The unverified account information allowed for by Ashley Madison’s login setup definitely led to some awkward and confusing subplots after the data got leaked. For example, former English prime minister Tony Blair’s email got caught up in the data trove. Was he a user? Likely not. However, can you say the same of the 100-plus other U.K. government email addresses registered on the site? might be a fake, but when journalists at The U.K. Register followed up on accounts tied to members of the police force, they found the profile details tied with those email addresses seemed to check out.

In the United States, over 15,000 government and military email addresses were tied to Ashley Madison accounts. That number included over 1,500 Navy addresses, 800 Marines addresses, and almost 7,000 Army addresses. Now, certainly, not all of these emails could have been forged. Some likely were, but the majority checked out, according to reports. The number was so startling to officials in U.S. Defense that an investigation opened into Ashley Madison usage in the United States government and military. The operation went all the way up to no less than the head of the defense sector at the time, Ashton Carter. Using official U.S. email addresses for a site such as Ashley Madison, and adultery itself, are acts subject to prosecution under the Uniform Code of Military Justice, but that’s not what made this case such a big deal. The problem, of course, was that being an Ashley Madison user itself opens people up to blackmail. Blackmail directed towards citizens–such as what I read to you earlier–is nothing compared to blackmail directed at servicemembers with knowledge of state secrets.

But for all the fake addresses, the government addresses and the work addresses, there was one more quality of the data that stuck out from the rest. Both analysts culling the data after the fact, and the Impact Team itself, picked up on it. It was a very obvious pattern, but also a very strange one. I imagine the feelings the researchers had, as they discovered what was going on here, as something like walking into a supermarket, milling about down the aisles, looking around and, slowly, gradually, realizing that half the food in the store is plastic. Something about this data set seemed plastic.

When analysts at Gizmodo looked at the Impact Team’s second data dump, it wasn’t the account information itself that caught their eye–it was a Github repository of ALM’s code that also happened to be included in the leaked files. In the ALM repository there were tables of data, with vague column titles like “bc_email_last_time,” “bc_chat_last_time,” and “email_reply_last_time.” At first, the data seemed to represent how often Ashley Madison users were checking their messages, or chatting on the site–not necessarily such interesting information, but perhaps a way to observe user behavior.

However, also included in those data tables was another column, titled “ishost”. The investigative team cross-referenced that name, “ishost”, with another section of the leaked GitHub code, and what they found was that these tables were actually recording no human activity at all. All the millions of rows of data they were looking over were actually recording every time a human was contacted by a chatbot.

The Gizmodo team had their suspicions about ALM using bots prior to this discovery, but even they couldn’t have predicted how deep this rabbit hole went. A quick count of the data revealed chat bots had reached out to male Ashley Madison users over 11 million times, just since 2010, and over 20 million members received robo-mail. That’s 20 million messages, flirtations, anything to make it appear like Ashley Madison was flush with available ladies. What could be weirder than this? Well, after tallying how many bots there were, the researchers used terms found in leaked company emails–terms such as “engager” and “host”–to search through their Git repositories, looking for programmers’ notes to dig deeper into how the bots worked…

Ashley Madison robots were built sort of like how robots are built in movies–you need a personality chip, then a host body to upload it to. ALM first populated its site with fake female accounts called “Angels”. Angels lay dormant at first, until, like a brain stepping into its new skin, a piece of chatbot software called an “engager” populated the host body. It was important that these two steps didn’t occur at the same time–there’s even a note in the code, and I quote: “randomizing start time so engagers don’t all pop up at the same time”. The purpose is clear: if a bunch of female profiles all rose to life at once, it might arouse suspicion.

Once a bot comes to life, it’ll find its target and send a short, uninvolved message: “hi”, “hey”, or, at best, “what brings you here?” If the user replies to the bot, it’ll come back with a more complex, non-sequitur response. For example, you might write “Hi, how are you today?” The bot might reply: “Hmmmm, when I was younger I used to sleep with my friend’s boyfriends. I guess old habits die hard although I could never sleep with their husbands.” If you’re not caught up to the game by this point (and, studies suggest that horny people aren’t all to attuned to their better senses, so it’s likely you’re not), the bot will move the conversation by encouraging you to spend more money on the site.

The important thing about the engagers, more so than how they worked technically, is to properly picture the scenes of depravity associated with their existence. The lonely programmers, typing out predictive sexy text messages. The men having conversations with lifeless bots, thinking they’re other real humans. Really, when you think about it: should we really be referring to Ashley Madison as an adultery site? If such an overwhelming majority of how ALM operated and made money had to do with building bots, and the majority of user behavior on the site took place in conversation with these chatbots, then how much of the site really amounted to any human-on-human adultery? If you really think about it, it was never in ALM’s interests for anyone to be having affairs with anyone–the moment you hook up with someone you met on Ashley Madison, you become a former user of the site. By building bots that engaged users but didn’t amount to anything in reality–bots who solicited more and more money from account holders, stringing them along to no end–ALM’s interests lay almost entirely in their deployment of bots, rather than real women. Perhaps it wouldn’t be such a stretch to call Ashley Madison not a site for cheating, but a site for pseudo-cheating, robo-cheating, playing to fantasies and nothing more.

To that point: have you stopped to wonder why I’ve only been talking about female bots this whole time? Well, either because the ratio of women on the site was so low, or because the number of messages women on the site received as opposed to their male counterparts was already so high, it seems male-seeking-female bots were nearly forgotten in the priorities of ALM’s programming team. In total, there were over 70,000 female bots populating the annals of Ashley Madison. The number of male bots? 43.

At the end of the Ashley Madison story, one question feels like it stands out from the rest: should we empathize with Ashley Madison users, or not? I mean, it’s very obvious that we should feel bad for the spouses and children of Ashley Madison users. In fact, the more you think about their spouses and children, the easier it becomes to scorn Ashley Madison’s cheaters. How could they do such a thing to their innocent loved ones?!

So, do all these tens of millions of people truly deserve to be burned at the stake? Seriously, what do you think, listeners? I bet if I polled you guys on whether the Ashley Madison hack was a good thing or not, I’d get a pretty mixed set of responses. The public in general was mixed, with many expressing empathy for those exposed and many others calling for the heads of cheaters.

On one hand, when you consider what ratio of female profiles were simply AI masking themselves as real women, Ashley Madison starts to look less like a site for cheaters than, at least for the majority of its customers, something a few steps down from a phone sex service. The Impact Team themselves struggled with how to interpret that information. Does the distinction matter? That’s the other side to consider: we can say that intent is just as bad as action, and that not being able to find someone to have an affair with doesn’t necessarily make the act of trying to have that affair any less wrong.

[Graham Cluley] I think we all do things from time to time, which are morally questionable. I haven’t had a perfect life. You know, chances are most of your listeners have done bad things to a – you know, to a greater or lesser extent. I think we can’t really play judge and jury on this. There are many different reasons why you might be a member of the Ashley Madison website. You might have for instance an open relationship. You might have joined that site long, long ago, 10 years ago when you were single and got married subsequently and – you know, in which case you may well say, look, there’s not really a problem there. You may never have met anyone on the site. You may have joined the site out of pure curiosity.

I’ve also heard from people who joined the site because they suspected – they were contacted by a friend who said, “I believe my partner is maybe cheating on me and maybe on the site. Could you create an account and have a look to see if he’s there?”

I know people who were in the database because they were on the site purely to see if somebody else was there and yet they are tarred with the same brush. So none of us know whether people who are members of the Ashley Madison website ever cheated on their partners or not or even had the intention of cheating on their partners or not.

So I think we’re very quick to judge and we shouldn’t be. There is so much blaming and shaming which goes on the internet. I don’t think we should judge that. I think the people who we should maybe be pointing a finger at and judging are the people who run the website and the people who didn’t secure their systems properly because those are the ones who may be bearing some guilt here.

I have a feeling that the way you feel coming out of the Ashley Madison story has more to do with you, personally, than it does with the story itself. Have you been cheated on before in a romantic relationship? Do you know that pain? Have you done bad things in your life that hurt other people? Can you feel that regret?

The media itself, in some cases, had a moral quandary to work out in reporting the story. Does publishing information on an illegal hack count as informing the public of breaking news, or abetting a crime? Steve Ragan is a journalist who reported on the story firsthand, and had to grapple with these very questions.

[Steve Ragan] No, there’s always responsibility when it comes to reporting a data breach. I mean the public has a right to know when a large public company or a company that is in the wider public – everybody knows who Ashley Madison is. The press has a right and the responsibility to report on a data breach with that company.

But at the same time, I have limits. So like even though I can go through the Ashley Madison database and pick out alleged victims, first of all, there was no verification in the Ashley Madison system.

[. . .]

The most popular person that got caught in that database – and there was a huge news cycle about was a guy named Josh Duggar. He’s a reality TV star and for the list of me, I can’t remember why he’s a reality TV star. But anyway, he’s a reality TV star and his stuff was in the Ashley Madison database twice.

So that drew attention and because he’s a high profile person, I could see why the media cherry-picked him out and focused on that. But that’s not something I would have done.

The story was just too juicy–media outlets worldwide couldn’t avoid the tabloid appeal. But even in reporting the incidents, how much information should be made available, when you know in advance that the story has the potential to ruin lives? And not just in a theoretical sense. When the Impact Team published all their stolen data, it was purposely left in plain sight: all you needed to access it was Tor software–easily downloadable after a quick Google search.

[Ragan] Yes. There were databases that popped up. I don’t have links to any of them now. But there were databases that popped up that would have allowed you to search to see if your spouse was in there.

This meant that any suspicious spouse, child, or otherwise family member or friend with even just a little computer savvy would’ve been able to search the data. Whether exposing cheaters is a good thing: well, listeners, I’ll leave that to you to decide.

At times, during that whole week of the 20th in 2015, it really just seemed as if our conception of ourselves was changing. Were we really a society where tens of millions of men were actively cheating on their wives? Were these bad people or bad circumstances? Is monogamy as a concept, marriage as an institution, simply not working? These are questions yet unanswered, because even as Ashley Madison goes away, those instincts that drove people to seek out such a service will remain with us forever.

The aftermath of the second data dump lived on mostly in the individual homes of families around the world. That said, ten days following that event, Noel Biderman resigned from his post as CEO of ALM. During his public downfall, someone happened to find Noel’s name amidst the Ashley Madison customers list released in the data dump. Evidently, the married man with two children–who once told reporters if he found his wife on his cheating site, quote, “I would be devastated”–had been using his own website to conduct multiple affairs. The news came with about as much surprise as finding out Tim Cook owns an iPhone, dogs drink toilet water and the sky is blue.

As for Ashley Madison itself? They, actually, seem to be doing better now than ever. Is it possible that their media firestorm actually increased the reputation of the company?

[Steve Ragan] It’s thriving.

[Nate] Yeah.

[Steve Ragan] Last I checked – in fact, I will pull it up as I’m talking to you right now. Not only is the website online. It’s revamped, under new ownership and according to some of their press releases right here, the company is growing. So I don’t think there has been a hard lasting impact to Ashley Madison at all. If anything, they’ve not only moved on from it. They’ve grown bigger because of it.

To top things off, on July 14th, 2017, a deal was submitted in U.S. federal courts whereby Ashley Madison would have to refund any customer who’d purchased the website’s “full delete” function. Under the terms of the agreement, former customers could submit a “valid claim form and reasonable documentation” proving their purchase, and then receive their 19 dollars back.

I have a feeling 19 dollars won’t fix what those people lost.

Part 2 credits: