The Ashley Madison hack – further thoughts on its aftermath

Per Thorsheim

This weekend, I warned of the serious danger of jumping to the wrong conclusions if the Ashley Madison user database ever becomes public, and how – because the site doesn’t properly authenticate email addresses – any such data doesn’t prove anything.

I was shocked when Graham told me that my article had been picked up by British newspaper Daily Mirror.

But there have been other developments…

A call from an Ashley Madison user
I woke up Sunday morning and, shortly after breakfast, received an SMS in Norwegian. Here is my simple translation:

“Dear Per Thorsheim! Thank you for your post at grahamcluley.com. I am one of those affected by the things you wrote about, and I feel bad. We need more like you out there to adjust the perspective.”

Since then, I have exchanged many messages with this gentleman, and we have even spoken on the phone.

I don’t know his name, but he is in his fifties, has kids and is married. Not long ago, during a hard period in his life, he created an account on the Ashley Madison site.

He says he looked around, and engaged in a little “dirty chat” with some women.


But he never met anyone. He says some people drink or find other ways to vent their frustrations in life. To him, flirting on the Ashley Madison website became a short escape from reality.

He regretted his actions, he told his wife, he was forgiven, and life and marriage go on.

But now he is afraid of the leaked data eventually being released publicly, because his kids, neighbours, colleagues and others may not understand his situation at all.

Stories of suicide
I came across an American news website that published a fake story about a man committing suicide in the aftermath of the Ashley Madison security breach. They even quoted the alleged suicide note which claimed the man’s death was a direct consequence of the hack.

Bogus news report of Ashley Madison-related suicide

Why a website, purporting to contain legitimate news, would run a fake story about a man committing suicide after the Ashley Madison breach is beyond my understanding.

What I do know, though, is that the press here in my home country of Norway are very careful around use of the word “suicide”. There is a danger that if we talk about such personal tragedies in such detail in the press, others may follow.

What the howling wolves don’t seem to understand is that what they are doing is online bullying. The kind of bullying that clearly can cause such personal tragedies.

“If they are cheating, they deserve it” the wolves reply.

While I totally disagree with that argument, let me add that their kids do not deserve to lose a parent. Their family doesn’t deserve to lose a loved one. And that also applies to friends, colleagues, neighbors and others.

If you are found to have bullied somebody into suicide, however… I believe you deserve jail time for that.

Was Ashley Madison extorting money from users?
Many articles – including the one that The Intercept published – have mentioned that Ashley Madison demands money to have accounts deleted, and have described the practice as “extortion”.

Full delete dialog

(I’m pleased to hear that Ashley Madison is now allowing users to delete their accounts for free).

I have my own experiences of what some may consider extortion.

For instance, once, at a nightclub in Berlin, I was given a small card at the entrance. The waiters would cut small marks into the card when I ordered beer and drinks, and when I left the club they counted the marks and gave me the bill.

What would happen if I lost the card? I would have to pay the maximum price before I was allowed to leave. I remember considering that as “a funny way to commit extortion”.

Another time, I acquired a free SSL certificate from one of the many certificate authorities out there. Did I read the EULA for that? Of course not! Silly me…

Because if I had, I would have seen that if I ever wanted or needed to revoke the certificate because my site and certificate became compromised, I would have to pay money to have it revoked. I wonder if The Intercept would consider that extortion as well?

The definition of extortion as far as I can see says that it is a criminal offence. Yet the three examples given above are all still legal as far as I know.

So don’t beat Ashley Madison up for asking for money to have accounts deleted – you may not approve of that business practice, but users should really have read the EULA when they created their accounts in the first place.

What Ashley Madison did wrong was to make it way too easy for people to create fake accounts using other people’s names, pictures and email addresses.

Raise your hand if you always read the EULA before signing up for a service or product, and I’ll gift-wrap and send you a stone, so that you can throw the first one.


Per Thorsheim is an independent security adviser based in Bergen, Norway. He told the world about the LinkedIn breach in June 2012. As well as running his blog, he is the founder and main organizer of Passwordscon, a conference devoted to passwords, which has been his main interest for 13+ years. He is also proud to be certified CISA, CISM and CISSP-ISSAP.

15 comments on “The Ashley Madison hack – further thoughts on its aftermath”

  1. Alan

    "Why a website, purporting to contain legitimate news, would run a fake story?"

    Other headlines from the same site:
    "Pope Suggests Mandatory Sterilization Of Unwed Mothers Could Prevent Climate Change"
    "BREAKING: Yellowstone Evacuated Amid Fears Of Super Volcano Eruption"

    Somewhere far beyond satire.

    1. Feeniss · in reply to Alan

      "Pope Suggests Mandatory Sterilization Of Unwed Mothers Could Prevent Climate Change"

      Well…that's about as likely to prevent climate change as anything else the politicians are doing.

      Anyhow, the point about Olympian moralizing is well taken…and especially the point about reading EULAs. I used to read them all, and I still read most of them, but I admit that occasionally I skip them. It depends on the nature of the site. A forum for repair of vintage audio equipment is not a big risk, especially considering the fact that they only get an email address…and that's disposable.

      Of course, the first line of defense is to never create an account at a place like Ashley Madison…or to delete it pronto.

  2. Glen

    Every single one of them was just chatting a little or made an account to see if their spouse is on there or some such rubbish. All of those 29 million have vast arsenals of perfectly innocent excuses for being a member and of course all of their marriages are stronger for it. They lie to their spouses, children, family, parents, friends, acquaintances and their mistresses. But they'd never lie to a comically gullible online journalist about their Ashley Madison membership.

    1. stupid · in reply to Glen

      I am indeed one of the stupid ones. I never met anyone online and discovered they were pretty much all prostitutes... at least the ones contacting me. AM managed to wheedle a good deal of free cash from me and then took more when I asked them to close it out, oblivious to the fact there was a balance.
      No matter.
      My wife is in hospital with a life threatening condition. I cannot bring this to her and will not. I did see the article about the fellow who 'committed' suicide. I am absolutely beyond despair here and I cannot get suicide out of my mind. I am dying in pieces and I can't really keep going.

      1. Argus · in reply to stupid

        Well you really should have decided to keep your appendages in your underpants.

  3. Whadaham InNY

    I have a better idea, Graham; Tell your cheating readers to grow a spine. I myself was trapped in a verbally abusive relationship, thought he was "the best I could settle for" after 9 long years. One day he dumped me. Just before Thanksgiving. I was angry, I was hurt…and then I pulled my head out of my rear end and decided to start my life over elsewhere. For crying out loud, tell your spouse or partner NOW. Spending money on hookers or sluts on the internet won't fix your relationship, it won't bring you inner peace, and don't even try to pretend it will "stay a secret": Karma has a way of catching up, eventually. Not worth it.

    1. Coyote · in reply to Whadaham InNY

      Your point is certainly valid. But it wasn't Graham who wrote this and the point was something else entirely. It is true, people do make mistakes, and while certainly using such a site is a very big mistake, one would hope they clean up their act. But will they? Who knows. Eventually they will be a victim or otherwise caught, but that is irrelevant: I am afraid that this website isn't about relationships. That means, 'those cheating readers' don't exist here as such.

      1. Whadaham InNY · in reply to Coyote

        There's more, actually: the latest story out on Inquisitr is that spammers have gotten hold of not only the Ashley Madison email lists, but other sites like "Married Hall Pass" and ViP Dating services.
        That means that they also got their credit card info, home addresses and telephone numbers!!!
        Just a heads up.

        1. Coyote · in reply to Whadaham InNY

          Yes, I saw that. But that is only expected, and they are only one of many other examples in the past (and more will follow, that much is for sure).

          But still, my point was that your point – while understood – isn't relevant here. I don't mean that in a dismissive tone so much as there was more to this post by Per. To that end, I'll point out that I agree with you. Also, those who cheat are those who will ultimately be cheated on because they set the precedent of interacting with those types of people (after all, it takes more than one to do so). But try telling that to those involved; it is something you can't reason with. They don't see the logic behind it even though it is basic.

  4. Valerie McGilvrey

    I personally believe a majority of users who had something to hide, actually hid it quite well. Email addresses, prepaid credit cards which don't require registration and some free VoIP phone numbers certainly go a long way in cyber land and as for cyber tracking those user account lists; I've searched my own personal fake accounts to see where the data may be found and thus far I'm absolutely nowhere.

    I haven't hopped over to chillingeffects.org quite yet but will because I've read some takedown requests were posted for the data which was actually released. I'm praying for a mirrored site perhaps that has the data. But then again it's probably a scam for publicity.

    1. Don T Judge · in reply to Valerie McGilvrey

      From what I've heard, the females on that site have little to worry about. I mean as a male you needed a credit card to initiate contact, reply etc…. but the females didn't.

      But I would also be leery of putting your email address in one of those so called checkers, I believe it's another way to confirm and/or collect info. In my case I used a fake email that's tied to another fake email, but relied on AM being secure credit card wise. That's the hard lesson learned.

  5. Sg125

    Ok mail me the stone, but I want a nice one, from Norway.
    Don't send me an American stone, I want a real Norwegian stone.
    I don't plan on throwing it, I just like free things, and I want some reward for actually reading all those damn EULAs!

  6. OHCANADA

    Yes I was on the website. No I was not there to look around. I was there hoping for FWB to be honest. Nothing happened. 90% were either fake profiles or prostitutes. I am actually happily married and love my wife very much. I have now got the blackmail email too demanding payment. I do not care. I will not pay ever. Any time any hacker or blackmailer wants to actually meet me tell me when and where and I will be there.

    People will say oh you were on the website and you deserve it. To those who say that GO F**K YOURSELVES! How's that sound? Never committed a wrong? Walking around in judgement of others waving your bible about? GO F**K YOURSELVES! People deserve to die because they were on the Ashley Madison website? How asinine… To the hackers and blackmailers you are as cowardly as ISIS. Come out of hiding and face me like a real man instead of a coward oh and GO F**K YOURSELVES!

    1. Don T Judge · in reply to OHCANADA

      Well said….it's amazing how people appoint themselves judge jury and executioner.

      To those who have opinions of how I should conduct my life or my marriage? It's none of your self righteous business, so take your opinion and judgement and go to hell.

      1) Do I regret being on that site?
      I regret the reason I was there.
      2) Have I learned my lesson?
      I've learned a lot of things, mostly that the grass isn't any greener
      and that my marriage is what I put into it or not. I've also learned that there are
      a lot more people out there in the same situation ( not the leak but marriage wise)
      I am in. This goes for both men and women btw.
      3) Will I confess to my spouse?
      Perhaps, but I still am on the fence about this one. I did not actually do anything
      so what would I be confessing?
      4) Will I pay the blackmailers?
      Absolutely not! I won't respond to them either. But I am hopeful that out of the hundreds of thousands they are trying to extort money from that someone catches them. What I did was not a crime, but what these jerks are doing is.

  7. Basil

    Hi there, my name is Basil, I'm a journalist with Vice Media. I'm working on a documentary about the Ashley Madison hack. If anyone is interested in speaking to me about how it has affected you, 100% confidentially, please send me an email at [email protected]

    Any communications between us will be completely off the record.
