It then ramped up its vendetta against the site in a second data dump Friday, which included emails sent out by the company’s founder while mocking him in a message: “Hey Noel, you can admit it’s real now.”
The group posted a manifesto online last month, which said they have taken over Avid Life Media’s “entire office and production domains and thousands of systems, and over the past few years have taken all customer information databases …”
The group does not express affiliation with either the hacker collective known as Anonymous or another one known as Lizard Squad.
The company suspects one of the people responsible may be a former employee or contractor that “at least at one time had legitimate, inside access to the company’s networks,” Avid Life Media’s CEO Noel Biderman told cybersecurity writer Brian Krebs.
It’s unclear how Impact Team secured the data.
An Avid Life Media statement refers to the incident as an “attack.”
“This event is not an act of hacktivism,” reads a statement from Avid Life Media, “it is an act of criminality.”
It claims the company made millions of dollars through fraudulent services, like offering users the ability to have their information permanently deleted from its system for a fee. Impact Team claims the service is “a complete lie;” but the company defends it.
Several sources have verified the data is authentic.
But, that doesn’t mean anyone whose email address appears in the leak is guilty of having an affair.
The company requires users to register with an email address, but does not require email verification. So many of these addresses are clearly made up.
For example, at least 16 users signed up pretending to be the current or a former U.S. president, Vanity Fair reported. Former British prime minister Tony Blair’s email also appears, Wired reported, and email@example.com is for a domain that doesn’t exist.
Still, at least one high-profile individual’s extra-marital affair was revealed by the leak. Ex-reality-TV star Josh Duggar apologized for cheating on his wife after his name appeared in the leaked data.
While some marriages may hit rough waters because of the leaks, and divorce lawyers are gearing up for an unexpectedly busy season, there may be other consequences too.
“I am from a country where homosexuality carries the death penalty,” wrote one anonymous Reddit user before the data was exposed, begging the party responsible not to publish the data.
“I am about to be killed, tortured, or exiled,” he wrote. “And I did nothing wrong.” (A few days later, he posted that he was working with a law firm that specializes in refugees and would be travelling to the U.S. soon.)
In the U.S., criminal charges are also a possibility for military personnel. The Uniform Code of Military Justice allows for adultery to be considered a criminal offense, depending on the circumstances.
Other employees who are subject to morality clauses in their employment contracts may face trouble. As might government employees who registered with their .gov email addresses or used work computers to access the site.
CoinDesk and Stuff both reported incidents of someone using the pseudonym Team GrayFlay demanding alleged Ashley Madison users send about $ 450 US (or about $ 590 Cdn) worth of Bitcoin or have their alleged infidelity exposed to their significant other.
The company, too, may have some financial troubles ahead.
Lawyers launched a class-action lawsuit, representing Canadian victims. They’re seeking some $ 760 million in damages. Avid Life Media indefinitely postponed Ashley Madison’s upcoming initial public offering in London. The company hoped to raise up to $ 200 million US.
Ashley Madison is conducting an independent investigation to determine “the origin, nature and scope of this attack.”
The RCMP, the Ontario Provincial Police, the Toronto police and the U.S. Federal Bureau of Investigation are all looking into the breach, according to Avid Life Media, which says it’s fully co-operating with all four agencies.
Avid Life Media has not revealed how much about what sort of data was stolen in the breach, although it has assured its clients that full credit card numbers were not taken, saying it has never stored that information.