Ashley Madison Hackers Just Leaked 10 GB of Stolen Data

The Impact Team released a massive dump of data which is just short of 10 gigabytes. The stolen data was leaked on the Dark Web on Tuesday night (information about the leaked files is given below). The leaked data includes sensitive Ashley Madison customer information, such as payment transaction and credit card details, emails, names, addresses, phone numbers and member profiles.

Although the leaked data did not include full credit card details and billing information, the hack is still a major embarrassment to Avid Life Media Inc., which owns the site, and some 38 million of its users whose private data was exposed.

The Impact Team, which made the leak, included a brief statement with it, perhaps to justify the leak.

We have explained the fraud, deceit, and stupidity of ALM and their members. Now everyone gets to see their data… Keep in mind the site is a scam with thousands of fake female profiles. See ashley madison fake profile lawsuit; 90-95% of actual users are male. Chances are your man signed up on the world’s biggest affair site, but never had one. He just tried to. If that distinction matters. …

Too bad for those men, they’re cheating dirtbags and deserve no such discretion. Too bad for ALM, you promised secrecy but didn’t deliver.…

[Screenshot of the entire statement]

For the uninitiated, the hackers who call themselves the Impact Team hacked the online adultery and cheating website Ashley Madison, which has 37 million members, on 19th July 2015. The hackers said that they had hacked the website on moral grounds, as they wanted the Ashley Madison owner, Avid Life Media, to take the website offline.

The leaked dump contains files with titles including “aminno_member_dump.gz,” “aminno_member_email.dump.gz,” “CreditCardTransactions.7z,” and “member_details.dump.gz,” an indication that the download could contain highly personal details (a complete breakdown of the leaked files is given below).

Online security analysts and social media users scanning through the leaked database have, for example, already noticed an email address which appears to belong to former UK PM Tony Blair, but since the affair website does not require email address verification, some noted that anyone could have used that address to set up a fake account.

As soon as the leaks were made public, security firms and cybersecurity analysts were scrambling to determine whether the leaked data is legitimate. As always there are two sides; security analyst Per Thorsheim, for one, confirms that the data is legitimate.

The Ashley Madison leaked content

The leak contains the following files:

[Image: directory tree of the leaked archive]

Those compressed files weigh in at ~10 GB (about 35 GB uncompressed).

README

The readme file contains the following text:

Avid Life Media has failed to take down Ashley Madison and Established Men. We have explained the fraud, deceit, and stupidity of ALM and their members. Now everyone gets to see their data.

Find someone you know in here? Keep in mind the site is a scam with thousands of fake female profiles. See ashley madison fake profile lawsuit; 90-95% of actual users are male. Chances are your man signed up on the world’s biggest affair site, but never had one. He just tried to. If that distinction matters.

Find yourself in here? It was ALM that failed you and lied to you. Prosecute them and claim damages. Then move on with your life. Learn your lesson and make amends. Embarrassing now, but you’ll get over it.

Any data not signed with key 6E50 3F39 BA6A EAAD D81D ECFF 2437 3CD5 74AB AA38 is fake.

74ABAA38.txt

This file contains the GPG public key that can be used to check that all the files were signed by the holder of that key and *not* modified by some third party. They all seem legitimate in this case.

CreditCardTransactions.7z

This archive contains *all* the credit card transactions from the past 7 years! (The first CSV file dates back to March 2008.) All those CSV files contain the names, street address, amount paid and email address of everyone who paid something on Ashley Madison. Those ~2600 files represent more than 9,600,000 transactions!

am_am.dump

Here comes the interesting part. This file contains records for 32 million users: first/last names, street address, phone numbers, relationship status, what they are looking for, whether they drink or smoke, their security question, date of birth, nickname, etc.

ashleymadisondump.7z

This archive mostly contains administrative documents about AM internals, some of which were published a few days after the breach was announced.

aminno_member.dump

This dump also contains some personal data.

aminno_member_email.dump

About 36 million email addresses.

member_details.dump

Physical description: eye color, weight, height, hair color, body type, “ethnicity”, caption…

member_login.dump

This database dump contains more than 30 million usernames + hashed passwords.

The Royal Canadian Mounted Police and Ontario Provincial Police along with the FBI are investigating the hack, the company said, admitting the bureau’s involvement for the first time.

Some websites are reporting that the hackers may have released all the data they have stolen from Ashley Madison. However, we are of the opinion that the intimate images shared by the cheating couples are still in their hands. The leaked information above may harm Ashley Madison members financially, but the #Fappening pictures, which we presume are still in the custody of the Impact Team, may cause them personal and domestic harm.

If you want to know whether you have been compromised by the Ashley Madison breach, Troy Hunt has offered to notify you. However, it will only be accessible to those who subscribed to his (free) notifications; visit here.

Update: This thread made by the Impact Team on Reddit seems to contain links to the leaked data; however, the links appear dead as of now.

Credit : TechWorm


Capital One begins journey as a software vendor with the release of Critical Stack Beta

If every company is truly a software company, Capital One is out to prove it. It was one of the early users of Critical Stack, a tool designed to help build security into the container orchestration process. In fact, it liked it so much it bought the company in 2016, and today it’s releasing Critical Stack in Beta.

This is a critical step toward becoming a commercial product, giving the bank its first entrée into software selling.

Capital One is embracing modern applications delivery methods like containerization, and it needed a tool specifically tuned to the security requirements of a financial services company. That’s what Critical Stack purports to give it, and they liked it so much, they thought others who required a similar level of security would too.

Critical Stack is compatible with Kubernetes, the popular container orchestration tool, but it’s been designed to provide a higher level of security than the base product, while giving large institutions like banks a packaged approach to container orchestration.

“One of the many strengths of Kubernetes is its rapid development cycle. You understand how challenging that can be to keep up with that moving target. We have an orchestration layer that has an abstraction away from that. Critical Stack is a stand-alone tool within the ecosystem of tools compatible with Kubernetes,” Liam Randall, Capital One’s senior director of software engineering and Critical Stack co-founder told TechCrunch.

Critical Stack does everything you would expect a Kubernetes distribution to do including managing the container delivery and lifecycle management, but it’s specifically designed to allow operations to automate security and compliance policies around the containers, something banks and other highly regulated businesses need to do.

The company also concentrated on putting that kind of functionality in an interface that’s easy to use.

Photo: Critical Stack

While the company isn’t open sourcing this tool, they believe by selling it, they can get a similar set of benefits. “When you think about a lot of the great platforms, the best lessons learned come from working with other partners,” Randall said. While he and his team found a broad set of use cases internally, they felt that getting the product into the hands of others would only help enhance it — and it doesn’t hurt they could make some money doing it.
Featured Image: Smith Collection/Gado/Getty Images

Germany bans kids’ smartwatches that can be used for eavesdropping

A German regulator has banned domestic sales of children’s smartwatches that have a listening function — warning that parents have been using the devices to secretly eavesdrop on teachers at their kids’ school.

In an announcement on Friday, the Federal Network Agency telecoms watchdog said it had already taken action against some online sellers. The target group for the smartwatches are children between the ages of 5 and 12 years.

“Via an app, parents can use such children’s watches to listen unnoticed to the child’s environment and they are to be regarded as an unauthorized transmitting system,” said Jochen Homann, president of the Federal Network Agency in a statement. “According to our research, parents’ watches are also used to listen to teachers in the classroom.”

Back in February, the same federal agency banned sales of an Internet connected doll — called My Friend Cayla — in the country where it’s illegal to manufacture, sell or possess surveillance devices disguised as another object.

On Friday the agency warned there are a large number of providers in the German market that are offering smartwatches for children which contain a listening function, often referred to as a “baby monitor” or “monitor function” in the companion app.

The app owner is able to silently call the device via such functions and listen unnoticed to the conversations of the watch wearer and others in their vicinity — an act of covert surveillance that is illegal in Germany.

The agency has instructed parents to destroy any devices they have bought, and asked schools to be on the lookout for smartwatches being used by children — and to request destruction of any listening devices they identify.

The Federal Network Agency is not the only European body concerned about risks posed by children’s connected toys, or specifically by kids’ smartwatches. Last month the Norwegian Consumer Council put out a report about children’s smartwatches, raising concerns about security flaws, privacy concerns, and risks posed by what they described as unreliable features.

This month a UK consumer rights group also raised concerns about poorly secured IoT toys which it said could enable strangers to talk to children. The group also called for devices with known security flaws to be banned from sale.

The latest ban may increase pressure for the European Commission to consider whether European Union-wide regulation is needed for Internet connected toys. Back in February, the commissioner for justice, consumers and gender equality, expressed concern, telling the BBC: “I’m worried about the impact of connected dolls on children’s privacy and safety.”

Call to ban sale of IoT toys with proven security flaws

Ahead of 2017’s present-buying season, UK consumer rights group Which? has warned parents about the risks of giving connected toys to their children, and called for devices with known security and/or privacy risks to be banned from sale on child-safety grounds.

Working with security researchers the group has spent the past 12 months investigating several popular Bluetooth or wi-fi toys that are on sale at major retailers, and says it found “concerning vulnerabilities” in several devices that could “enable anyone to effectively talk to a child through their toy”.

It’s published specific findings on four of the toys it looked at, namely the Furby Connect, I-Que Intelligent Robot, Toy-fi Teddy and CloudPets cuddly toy.

The latter toy drew major criticism from security experts in February when it was discovered that its maker had stored thousands of unencrypted voice recordings of kids and parents using the toy in a publicly accessible online database — with no authentication required to access the data. (Data was subsequently deleted and ransomed.)

Which? says in all cases it was found to be far too easy for someone to illicitly pair their own device to the toys and use the tech to talk to a child. It especially highlights Bluetooth connections not having been properly secured — noting for example there was no requirement for a user to enter a password, PIN code or any other authentication to gain access.

“That person would need hardly any technical know-how to ‘hack’ your child’s toy,” it writes. “Bluetooth has a range limit, usually 10 meters, so the immediate concern would be someone with malicious intentions nearby. However, there are methods for extending Bluetooth range, and it’s possible someone could set up a mobile system in a vehicle to trawl the streets hunting for unsecured toys.”

In the case of the Furby, Which?’s external security researchers also thought it would be possible for someone to re-engineer its firmware to turn the toy into a listening device, due to a vulnerability they found in the toy’s design (which it’s not publicly disclosing), although they were not themselves able to do this during the time they had for the investigation.

Which? describes its findings as “the tip of a very worrying iceberg” — also flagging other concerns raised over kids’ IoT devices from several European regulatory bodies.

Last month, for example, the Norwegian Consumer Council warned over similar security and privacy concerns pertaining to kids’ smartwatches.

This summer the FBI also issued a consumer notice warning that IoT toys “could put the privacy and safety of children at risk due to the large amount of personal information that may be unwittingly disclosed”.

“You wouldn’t let a young child play with a smartphone unsupervised and our investigation shows parents need to apply the same level of caution if considering giving a child a connected toy,” said Alex Neill, Which? MD of home products and services in a statement.

“While there is no denying the huge benefits these devices can bring to our daily lives, safety and security should be the absolute priority. If that can’t be guaranteed, then the products should not be sold.”