Security

Ashley Madison Hackers Just Leaked 10 GB of Stolen Data

The Impact Team released a massive dump of data, just short of 10 gigabytes. The stolen data was leaked on the Dark Web on Tuesday night (information about the leaked files is given below). The leaked data includes sensitive Ashley Madison customer information, such as payment transaction and credit card details, emails, names, addresses, phone numbers and member profiles.

Although the leaked data did not include full credit card details and billing information, the hack is still a major embarrassment to Avid Life Media Inc., which owns the site, and some 38 million of its users whose private data was exposed.

The Impact Team, which made the leak, has given a brief introduction, perhaps to justify the leak.

We have explained the fraud, deceit, and stupidity of ALM and their members. Now everyone gets to see their data… Keep in mind the site is a scam with thousands of fake female profiles. See ashley madison fake profile lawsuit; 90-95% of actual users are male. Chances are your man signed up on the world’s biggest affair site, but never had one. He just tried to. If that distinction matters. …

Too bad for those men, they’re cheating dirtbags and deserve no such discretion. Too bad for ALM, you promised secrecy but didn’t deliver.…

Here is a screenshot of the entire statement:

[Screenshot: the full Impact Team statement]

For the uninitiated, hackers who call themselves the Impact Team hacked the online adultery and cheating website Ashley Madison, with 37 million members, on 19th July 2015. The hackers said that they had hacked the website on moral grounds, as they wanted the Ashley Madison owner, Avid Life Media, to take the website offline.

The leaked dump contains files with titles including “aminno_member_dump.gz,” “aminno_member_email.dump.gz,” “CreditCardTransactions.7z,” and “member_details.dump.gz,” an indication that the download could contain highly personal details (a complete breakdown of the leaked files is given below).

Online security analysts and social media users scanning through the leaked database have, for example, already noticed an email address which appears to belong to former UK PM Tony Blair; but since the affair website does not require email address verification, some noted that anyone could have used it to set up a fake account.

As soon as the leaks were made public, security firms and cybersecurity analysts were scrambling to determine whether the leaked data is legit. As always there are two sides, but Per Thorsheim, a security analyst, confirms that the data is legit.

The Ashley Madison Leaked content

The leak contains the following files:

[Image: directory tree of the leaked archive; the individual files are described below]

The compressed files weigh ~10 GB (about 35 GB uncompressed).

README

The readme file contains the following text:

Avid Life Media has failed to take down Ashley Madison and Established Men. We have explained the fraud, deceit, and stupidity of ALM and their members. Now everyone gets to see their data.

Find someone you know in here? Keep in mind the site is a scam with thousands of fake female profiles. See ashley madison fake profile lawsuit; 90-95% of actual users are male. Chances are your man signed up on the world’s biggest affair site, but never had one. He just tried to. If that distinction matters.

Find yourself in here? It was ALM that failed you and lied to you. Prosecute them and claim damages. Then move on with your life. Learn your lesson and make amends. Embarrassing now, but you’ll get over it.

Any data not signed with key 6E50 3F39 BA6A EAAD D81D ECFF 2437 3CD5 74AB AA38 is fake.

74ABAA38.txt

This file contains the GPG public key that can be used to check that all the files were created by the author and *not* modified by some third party. They all seem legit in this case.

CreditCardTransactions.7z

This archive contains *all* the credit card transactions from the past 7 years! (The first csv file dates back to March 2008.) All those csv files contain the names, street address, amount paid and email address of everyone who paid something on AshleyMadison. Those ~2600 files represent more than 9,600,000 transactions!

am_am.dump

Here comes the interesting part. This file contains data on 32 million users: first/last names, street address, phone numbers, relationship status, what they are looking for, whether they drink or smoke, their security question, date of birth, nickname, etc.

ashleymadisondump.7z

This archive mostly contains administrative documents about AM internals, some of which were published a few days after the breach was announced.

aminno_member.dump

This dump also contains some personal data.

aminno_member_email.dump

About 36 million email addresses.

member_details.dump

Physical description: eye color, weight, height, hair color, body type, “ethnicity”, caption…

member_login.dump

This database dump contains more than 30 million usernames + hashed passwords.

The Royal Canadian Mounted Police and Ontario Provincial Police along with the FBI are investigating the hack, the company said, admitting the bureau’s involvement for the first time.

Some websites are reporting that the hackers may have released all the data they have stolen from Ashley Madison. However, we are of the opinion that the intimate images shared by the cheating couples are still in their hands. The above leaked information may harm Ashley Madison members financially, but the #Fappening pictures, which we presume are still in the custody of the Impact Team, may cause them personal and domestic harm.

If you want to know whether you have been compromised by the Ashley Madison breach, Troy Hunt has offered to notify you. However, the notification will only be accessible to those who subscribed to his (free) notification service.

#Update: This thread made by the Impact Team on Reddit seems to contain links to the leaked data; however, the links appear dead as of now.

Credit : TechWorm


Business

Oracle grabs Zenedge as it continues to beef up its cloud security play


Oracle announced yesterday that it intends to acquire Zenedge, a four-year-old hybrid security startup. They didn’t reveal a purchase price.

With Zenedge, Oracle gets a security service to add to its growing cloud play. In this case, the company has products to protect customers whether in the cloud, on-prem or across hybrid environments.

The company offers a range of services from web application firewalls to distributed denial of service (DDoS) attack mitigation, bot management, API management and malware prevention. In addition, they operate a Security Operations Center (SOC) to help customers monitor their infrastructure against attack. Their software and the SOC help keep watch on over 800,000 websites and networks across the world, according to information supplied by Oracle.

Oracle says it will continue to build out Zenedge’s product offerings. “Oracle plans to continue investing in Zenedge and Oracle’s cloud infrastructure services. We expect this will include more functionality and capabilities at a quicker pace,” Oracle wrote in an FAQ on the deal (.pdf) published on their website.

Oracle’s recent acquisition history. Source: Crunchbase

Just this week Oracle announced that it was expanding its automation capabilities on its Platform as a Service offerings from databases to a range of areas including security. Ray Wang, founder and principal analyst at Constellation Research says the company is a good match as it also uses automation and artificial intelligence in its solution.

“Oracle is beefing up its security offerings in the cloud. They have one of the strongest cyber security platforms,” Wang told TechCrunch. “They also have a ton of automation that fits Oracle’s theme of autonomous,” he added.

Oracle is far behind cloud rivals as it came late to the game. Just this week, the company announced plans to build a dozen data centers around the world over the next two years. They are combining an aggressive acquisition strategy and rapid data center expansion in an effort to catch up with competitors like AWS, Microsoft and Google.

Zenedge launched in 2014 and has raised $13.7 million, a modest amount for a cloud-based security service. Oracle says customers and partners can continue to deal with Zenedge using their existing contacts.
Featured Image: Justin Sullivan/Getty Images

Business

Stealth Security reels in $8 million investment from Shasta Ventures to root out bad bots


We live in a world where bots are operating all over the internet. Like Glinda in the Wizard of Oz asking Dorothy if she is a good witch or a bad witch, network admins simply want to determine whether a bot is there to help or to harm. It’s not always easy to know. That’s where Stealth Security comes in.

The four-year-old startup wants to help you defend against automated bot attacks. Today, the company announced an $8 million Series A investment, funded by Shasta Ventures. Today’s round brings the total raised to $12.5 million, according to Crunchbase.

The company’s founding team came from PayPal, Cisco and Symantec, where they saw a problem for companies eradicating bots with off-the-shelf products. They decided to start a company to solve it. “We have an extensive background in network security, and we applied this and machine learning to solve this problem of handling bots,” company co-founder and CEO Ameya Talwalkar told TechCrunch.

They are trying to stop a number of different kinds of attacks with their product, such as credential stuffing, where a hacker sends bots armed with stolen credentials at a website and tries to find a way in by entering stolen usernames and passwords in quick succession until one works. But Talwalkar says customers are also seeing bots performing legitimate transactions, and Stealth’s solution can distinguish the good bots from the bad ones.
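The credential-stuffing pattern described above has a recognisable signature in authentication logs: one source trying many different accounts in a short window, rather than one person retrying their own account. The following is an added example, not Stealth Security’s product or code, of a simple sliding-window detector run over a constructed sample log. The log line format, the threshold defaults and the IP addresses are all assumptions made for the example.

```javascript
// Added example: sliding-window credential-stuffing heuristic over a constructed auth log.
// This is illustrative detection logic, not any vendor's implementation.

// Constructed sample log (not real data). One source cycles through many accounts and
// eventually succeeds; one human retries their own account a couple of times.
const SAMPLE_AUTH_LOG = [
  '2018-02-01T10:00:00Z ip=203.0.113.5 user=alice result=FAIL',
  '2018-02-01T10:00:01Z ip=203.0.113.5 user=bob result=FAIL',
  '2018-02-01T10:00:02Z ip=203.0.113.5 user=carol result=FAIL',
  '2018-02-01T10:00:03Z ip=203.0.113.5 user=dave result=FAIL',
  '2018-02-01T10:00:04Z ip=203.0.113.5 user=erin result=OK',
  '2018-02-01T10:00:05Z ip=203.0.113.5 user=frank result=FAIL',
  '2018-02-01T10:00:10Z ip=198.51.100.7 user=grace result=FAIL',
  '2018-02-01T10:00:25Z ip=198.51.100.7 user=grace result=FAIL',
  '2018-02-01T10:00:40Z ip=198.51.100.7 user=grace result=OK',
];

// Assumed log line shape: "<ISO timestamp> ip=<addr> user=<name> result=OK|FAIL".
const LINE_RE = /^(\S+) ip=(\S+) user=(\S+) result=(OK|FAIL)$/;

// Parse one line into an event, or return null for lines that do not match.
function parseAuthLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null;
  return { ts: Date.parse(m[1]), ip: m[2], user: m[3], ok: m[4] === 'OK' };
}

// Flag a source IP when, within `windowMs`, it makes at least `minAttempts` login
// attempts spread across at least `minDistinctUsers` different accounts. A single user
// mistyping their own password never trips the distinct-user threshold.
function detectCredentialStuffing(lines, { windowMs = 60000, minAttempts = 5, minDistinctUsers = 4 } = {}) {
  const byIp = new Map();
  for (const line of lines) {
    const ev = parseAuthLine(line);
    if (!ev) continue;
    if (!byIp.has(ev.ip)) byIp.set(ev.ip, []);
    byIp.get(ev.ip).push(ev);
  }

  const flagged = [];
  for (const [ip, events] of byIp) {
    events.sort((a, b) => a.ts - b.ts);
    let start = 0;
    for (let end = 0; end < events.length; end++) {
      // Slide the window start forward until it fits within windowMs of the newest event.
      while (events[end].ts - events[start].ts > windowMs) start++;
      const window = events.slice(start, end + 1);
      const users = new Set(window.map((e) => e.user));
      if (window.length >= minAttempts && users.size >= minDistinctUsers) {
        flagged.push({
          ip,
          attempts: window.length,
          distinctUsers: users.size,
          // Accounts that were successfully logged into from the flagged source: these
          // are the ones an incident responder would want to review first.
          successes: window.filter((e) => e.ok).map((e) => e.user),
        });
        break; // one finding per IP is enough for this heuristic
      }
    }
  }
  return flagged;
}

console.log(JSON.stringify(detectCredentialStuffing(SAMPLE_AUTH_LOG), null, 2));
```

In production the same logic would key on more than the source IP (stuffing campaigns are commonly spread across many addresses), but the distinct-accounts-per-source signal is the core of the heuristic.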

CTO and co-founder Shreyans Mehta says they look at intent and the way the customer has configured the product, then count on machine learning to help determine which bots can come in and which ones to block. Companies could choose to block all bots or all except a certain type or any combination they wish.

The company currently has half a dozen large enterprise customers. Talwalkar says they are targeting the high end of the market with this product, and early customers include some of the largest financial services companies in the world. They currently have 15 employees, but are aiming to beef up sales and marketing along with some sales engineers and customer-champion-type roles, and to begin building on that in the next year, he said.
Featured Image: Mmdi/Getty Images

Apps

Mixpanel analytics accidentally slurped up passwords


The passwords of some people using sites monitored by popular analytics provider Mixpanel were mistakenly pulled into its software. Until TechCrunch’s inquiry, Mixpanel had made no public announcement about the embarrassing error beyond quietly emailing clients about the problem. Yet some clients still need to update to a fixed Mixpanel SDK to prevent an ongoing privacy breach.

It’s unclear which clients were impacted due to confidentiality agreements, but Mixpanel lists Samsung, BMW, Intuit, US Bank, and Fitbit as some of the companies it works with. “We can tell you that less than 25% of our customers were impacted,” the company’s spokesperson told me, but they noted approximately 4% of all Mixpanel projects suffered from the privacy gap.

Mixpanel has raised $77 million in rounds led by prestigious investors like Andreessen Horowitz and Sequoia. But in early 2016 it laid off 10% of its 230-plus team, and has been dogged by a reputation for being expensive. Today’s news won’t help.


The password harvesting bug stemmed from a March 2017 change to the open source React JavaScript library that clashed with how Mixpanel’s Autotrack feature, launched in 2016, works. It led Autotrack to pull in the values of hidden and password fields in ways it wasn’t supposed to. “We didn’t catch it, it’s that simple,” Mixpanel CEO Suhail Doshi tells me.
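The mechanism the article and Mixpanel’s email describe is an attribute-scraping collector meeting a framework that mirrors live field values into element attributes. The following is an added example, not Mixpanel’s SDK code, that models that bug class in plain Node (DOM nodes are stand-in objects, the form and its values are constructed): a naive collector that copies every attribute, a hardened collector that skips password and hidden inputs and only copies an allow-list of structural attributes, and the kind of pre-send check a customer could use to notice that secrets are about to leave the page. Element shapes, the allow-list and the field names are assumptions made for the example.

```javascript
// Added example: model of an attribute-scraping "autotrack" collector and its hardened form.
// Not Mixpanel's code. DOM elements are plain objects so the example runs under Node.

// Constructed login form. The `value` attribute on each input stands in for a framework
// or browser plugin mirroring the live field value into the element's attributes.
const LOGIN_FORM = [
  { tagName: 'input',  attributes: { id: 'user', name: 'username', type: 'text', value: 'alice' } },
  { tagName: 'input',  attributes: { id: 'pw', name: 'password', type: 'password', value: 'correct-horse-constructed' } },
  { tagName: 'input',  attributes: { name: 'csrf_token', type: 'hidden', value: 'tok-constructed-1234' } },
  { tagName: 'button', attributes: { id: 'submit', class: 'btn primary', type: 'submit' } },
];

// Input types whose contents must never reach an analytics backend.
const SENSITIVE_INPUT_TYPES = new Set(['password', 'hidden']);
// The only attributes a click/submit tracker needs for attribution; anything that can
// carry user-supplied content (value, placeholder, data-*) is deliberately absent.
const ALLOWED_ATTRIBUTES = new Set(['id', 'name', 'class', 'type']);

// Naive collector: copies every attribute of every element into the event payload.
// Whatever a framework or plugin places into attributes ends up being sent.
function naiveCollect(elements) {
  return elements.map((el) => ({ tag: el.tagName, attrs: { ...el.attributes } }));
}

// Hardened collector: drops sensitive inputs entirely and copies only allow-listed attributes.
function hardenedCollect(elements) {
  const events = [];
  for (const el of elements) {
    const type = String(el.attributes.type || '').toLowerCase();
    if (el.tagName === 'input' && SENSITIVE_INPUT_TYPES.has(type)) continue;
    const attrs = {};
    for (const [key, val] of Object.entries(el.attributes)) {
      if (ALLOWED_ATTRIBUTES.has(key.toLowerCase())) attrs[key] = val;
    }
    events.push({ tag: el.tagName, attrs });
  }
  return events;
}

// Customer-side check of the kind that surfaced the real bug: before a payload leaves the
// page, compare it against the secrets currently held in sensitive fields.
// Returns the names of fields whose values appear anywhere in the serialised payload.
function findLeakedFields(payload, elements) {
  const serialised = JSON.stringify(payload);
  const leaked = [];
  for (const el of elements) {
    const type = String(el.attributes.type || '').toLowerCase();
    const secret = el.attributes.value;
    if (!SENSITIVE_INPUT_TYPES.has(type) || !secret) continue;
    if (serialised.includes(secret)) leaked.push(el.attributes.name);
  }
  return leaked;
}

console.log('naive collector leaks:', findLeakedFields(naiveCollect(LOGIN_FORM), LOGIN_FORM));
console.log('hardened collector leaks:', findLeakedFields(hardenedCollect(LOGIN_FORM), LOGIN_FORM));
```

The design point is the allow-list: a collector that enumerates attributes and then tries to block the bad ones will be caught out again the next time a framework or plugin invents a new place to stash field state, whereas one that only ever copies a fixed set of structural attributes cannot pick up user content no matter where it is mirrored.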

The problem persisted for nine months until a customer alerted Mixpanel on January 5th. By the 9th, the company had begun filtering out and securing passwords it accidentally scooped up, and it’s since destroyed any passwords it received. On February 1st, Mixpanel sent the email found at the end of this article to its clients informing them of the issue.

Clients that auto-update their Mixpanel SDK or load it straight from the startup have already gotten a patch to fix the issue. But some clients that manually update their Mixpanel SDK still need to download a new version to stop the flow of passwords. “Roughly 85% of affected customers have already updated their SDK to address this issue. We are actively working to contact remaining customers who have not yet updated their SDK” according to the spokesperson.

In the meantime, “We’ve disabled Autotrack by default for all new projects created. We’ll be further evaluating Autotrack as a product in the future” the spokesperson says, showing a mature level of contrition.


Mixpanel’s team, circa 2014

“To date, our forensics and security experts have not seen any indication that this data was downloaded or accessed by any Mixpanel employee or third party” the company wrote in the email. That’s a relief, since there’s no way for an individual user of one of Mixpanel’s clients to know if their password got sucked in. Still, the possibility that end users’ privacy could have been breached is surely alarming to Mixpanel customers who trust it to watch how their sites and apps are used to optimize performance and monetization. The error could be a windfall for competitors like Google Analytics, KISSmetrics, Splunk, Flurry, and Localytics.

Increasing reliance on open source frameworks like React means engineering and security teams can’t just worry about their company’s own code. It has to mingle with changes to open source projects that can cause unforeseen trouble. It’s like if the ingredients in one of your prescription drugs subtly changed, so your preferred over-the-counter pills suddenly caused a dangerous interaction.

The full email from Mixpanel is below:

EMAIL SENT TO CUSTOMERS ON FEBRUARY 1, 2018:

We are writing you today about a recently discovered data ingestion issue on the Mixpanel platform that affects your project(s) and requires that you update your SDK as soon as possible (unless your SDK is set to automatically update). Before we go into detail on what happened and how we’ve addressed the issue, we want to apologize for any difficulty this may cause your organization. Our team is committed to remedying this situation quickly, and we’re available to talk through any questions or concerns—just reply to this email, and we’ll be in touch.

What happened?

On January 5th, 2018, a customer informed us that they observed Autotrack sending the values of password fields in events. We confirmed that this was unexpected behavior; by design, Autotrack should not send the values of hidden and password form fields.

We immediately began investigating further and learned that the behavior the customer was observing was due to a change to the React JavaScript library made in March 2017. This change placed copies of the values of hidden and password fields into the input elements’ attributes, which Autotrack then inadvertently received. Upon investigating further, we realized that, because of the way we had implemented Autotrack when it launched in August 2016, this could happen in other scenarios where browser plugins (such as the 1Password password manager) and website frameworks place sensitive data into form element attributes.

To date, our forensics and security experts have not seen any indication that this data was downloaded or accessed by any Mixpanel employee or third party. It was a bug, plain and simple. Upon discovery, we took immediate steps to secure the data and shut down further receipt. As of today, all data that was inadvertently received has been destroyed. In order to be as transparent as possible, here is more detail on how we have addressed and will continue to address this issue.

How we’re addressing this issue

Since discovery, we have been actively working to resolve the issue for affected customers. The majority of projects were not impacted, but based on our findings, we believe that you may have project(s) that were impacted, which we list at the end of this email.

We took immediate steps when we discovered this data ingestion issue in the form of the following:

  1. Limit further receipt of data: On January 9th, we implemented a server-side filter to securely discard this data as soon as we receive it, and soon thereafter refined the filter to solve for the last remaining edge cases.

  2. Delete the inadvertently received data: We have cleared all data from our database that we inadvertently received and, upon request, we can provide you with fine-grained metadata about what data was inadvertently sent to Mixpanel servers. This will include a mapping of distinct IDs to property names (but not the data values themselves, which have been securely deleted using appropriate security measures).

  3. Fix the Autotrack bug: We have implemented the Autotrack functionality fix in the Mixpanel SDK. You will, however, need to update your SDK as soon as possible to reflect this change. If your SDK is set to automatically update, or if your website loads the SDK directly from our content servers, then no action is required.

  4. Review any access of this data: We do not believe this data was downloaded or accessed by any Mixpanel employee or third party. To the extent we discover otherwise, we will immediately notify you.

In addition to fixing the root cause of this issue, we’re taking proactive steps to identify and prevent similar issues from occurring in the future:

  1. Incorporating formal privacy reviews as part of our design and development processes: Security and privacy have always been front of mind at Mixpanel, but we’re adding some additional explicit checkpoints in our product development processes to help ensure that we’ve considered all of the impacts of the changes we make.

  2. In-depth security/privacy audits of key existing product areas: We’ve learned a lot from this issue, and our team has been diving in to look for similar cases where these same kinds of problems could arise.

  3. Operationalizing our response tooling: We’ve built new tools in response to this issue to help us identify the scope of data collection, limit access to data, and to purge it from our systems quickly. We’re taking these tools and making them more general purpose so that we can respond more quickly in the unlikely event that a similar problem occurs in the future.

  4. Data filtering and detection: We’re exploring capabilities that can detect something like this sooner including changes to the SDK to give us more insight into what data is being sent to us, integration with Data Loss Prevention (DLP) solutions, and even using our machine learning capabilities to detect anomalous ingestion.

We are conducting a thorough investigation of what happened and how we handled it. We believe that we have addressed the ingestion issue with the speed and accuracy required as your trusted partner. Below the signature, we have also listed your Project ID(s) and Project Name(s) that were affected.

If you have questions or for more information, please reply to this email for a response from your account team. Otherwise, as mentioned before, please update your SDK as soon as possible.

Sincerely,

The Mixpanel Security team

Featured Image: Bryce Durbin/TechCrunch