TORONTO (Reuters) - Cheating spouses website AshleyMadison.com, facing hackers’ threats to leak clients’ nude photos and sexual fantasies, said it is heartened by some initial public response that sees the site as a victim.
The website’s Canadian parent, Avid Life Media, confirmed a breach of its systems that has put the real names, credit card information and other details of as many as 37 million customers at risk. Avid Life said it has since secured the sites and closed unauthorized access points.
The dating website company has hired Toronto-based cybersecurity firm Cycura to investigate the breach, first reported by the KrebsonSecurity blog, and is working with police to trace those behind the attack, spokesman Paul Keable said.
AshleyMadison.com, which uses the slogan “Life is short. Have an affair,” has been planning to raise up to $200 million through an initial public offering on the London Stock Exchange.
A group calling itself Impact Team said it had taken over Avid Media systems, including customer databases, source code, financial records and emails, according to a screen grab shown on the KrebsOnSecurity blog.
“Shutting down AM (Ashley Madison) and EM (Established Men) will cost you, but non-compliance will cost you more,” the hackers said. Established Men, widely described as a “sugar daddy site,” is another Avid Media property.
The hackers leaked snippets of the compromised data online and warned that they would release customers’ real names, profiles, nude photos, credit card details and “secret sexual fantasies” unless AshleyMadison and EstablishedMen.com are taken down, Krebs said.
“There’s a very strong narrative that criminal activity, vigilantism, is not the way forward, because who gets to be the judge and jury?” Keable said at Avid Life’s midtown Toronto offices, citing articles in what he called “major media outlets.”
The hackers said that a “paid delete” function will not remove all information about a member’s profile and communications.
Avid Life said that claim is untrue and it would offer the function free of charge following the breach. The dating website owner has about 160 employees, mostly in Toronto but also in Cyprus, Brazil, Japan and elsewhere.
Keable said it was too early to estimate the damage to the company’s business model or IPO plans from the breach.
But one Canadian investment banker, who asked not to be named, said the breach could put those plans at risk.
“There are a lot of risqué websites that are looking to go public, the problem here is that the way Ashley Madison works is it puts customer privacy as tantamount, the fact that you have a hacking scandal at least temporarily puts the kibosh on any IPO plans for them,” the banker said.
In an interview with KrebsOnSecurity, Avid Life Chief Executive Noel Biderman was cited as saying the company suspected someone who had access to internal networks as being behind the breach.
“It was definitely a person here that was not an employee but certainly had touched our technical services,” he said.
Unauthorized posts and images on the website detailing the hacker’s demands have since been removed.
“We apologize for this unprovoked and criminal intrusion into our customers’ information,” Avid Life said.
The breach comes about two months after dating site Adult FriendFinder was compromised. That site has an estimated 64 million members.
(Fixes company name, location in para 3)
Additional reporting by Euan Rocha in Toronto, Allison Lampert in Montreal, Abhiram Nandakumar in Bengaluru; Editing by Bernadette Baum and Christian Plumb