Reported by KrebsonSecurity.com, ALM has confirmed the hack took place, and around 40MB of data from the breach has already been published online by The Impact Team to prove key information in its possession.
The Impact Team is threatening to release all the data — according to its demands, this includes client records, credit card transaction data, real names and addresses, profiles with nude pictures, and company information such as documents and emails — unless AshleyMadison.com and EstablishedMen.com are taken “offline permanently in all forms.”
While it could be assumed the hacker has a problem with the two sites and the services they provide, it seems the main issue is with a feature of the AshleyMadison.com site called Full Delete, which is supposed to completely remove a profile and personal details from the company’s site and servers — for a fee of $19. The Impact Team’s message called Full Delete a “complete lie,” and said transaction data wasn’t deleted, and this includes names and addresses.
The demands include hints the hacker may be very familiar with the company, and the ransom note singles out ALM’s director of security for an apology, and quotes its chief technology officer. According to KrebsonSecurity’s report, ALM said it’s close to identifying the hacker — it indicates it’s a single person, rather than a collective — and says the person may have been a one-time employee or contractor. In a statement released afterwards, ALM stated it has secured its sites, and is working with law enforcement to find the culprit.
There’s no timeframe attached to the demands, which means the data could be released at anytime.
