The fallout from July’s massive Ashley Madison hack drags on, with some of those caught up in the incident now receiving letters in the mail threatening to tell friends and family about their use of the site unless they hand over cash.
One recipient of the letter was ordered to pay just over $4,000 or face the consequences, according to prominent security expert Graham Cluley.
Cluley said in a blog post that although “Internet low-lives” have been sending out a steady stream of blackmail emails since the summer, it’s now apparent that “blackmailers are also prepared to take things a step further and write letters to the homes of hacked users.” He described the criminals’ change in strategy as “an unpleasant turn” of events.
The high-profile hack saw the personal details of 33 million people stolen from Ashley Madison, an adultery website that runs with the tagline, “Life is short, have an affair.”
The security specialist revealed a letter sent to him recently by one of the blackmailers’ targets. The recipient told Cluley they’d just received “a physical postal letter” to their home address demanding money, and asked the expert for advice.
Cluley said that although it must have been distressing to receive the letter, he was “strongly of the opinion that – in the majority of cases – blackmailers are trying their luck, hoping that a small percentage of those targeted will pay up.”
He suggests that recipients sit tight as “paying the blackmailers any money is only likely to make them focus on you more. Ignoring them is probably a better plan.” He added that anyone who receives such a letter should seriously consider informing the police.
Cluley told the BBC he’s been contacted numerous times by Ashley Madison users who’ve received threats via email, but switching to physical mail meant the action had been “stepped up a gear.”
He added that in his opinion it was unlikely the original hackers were involved in the blackmail efforts, suggesting it’s probably the work of others who got hold of the personal data after it was posted on the Web in August, a month after the hack took place.