Internal Docs Suggest Ashley Madison Knew Hacking Was Huge Threat

Company CEO and CTO apparently expressed concerns about how a breach could hurt Ashley Madison.

The top executives at Ashley Madison were aware that their company was vulnerable to a breach, according to one alleged internal document which shows the CTO and CEO of the company voicing concern over how hackers could infiltrate their database of adults looking to cheat on their spouses.

The leak of 9.7 gigabytes of information Wednesday, which hackers claim they stole from Ashley Madison's internal computers, was among the worst-case scenarios imagined by the company executives in an internal questionnaire. The authenticity of the document, which was part of the information posted online by the hackers, could not be independently verified by BuzzFeed.

While security experts have said that the information posted online appears to be from the site, Ashley Madison has not yet confirmed whether the accounts of more than 37 million people, as well as internal company documents, are authentic.

In the questionnaire, company employees are asked to comment on their concerns for the company.

"We should put any and all efforts forward to defend against any security issues that can put our brand and 15 years of hard work at risk," writes CEO Noel Biderman.

Trevor Stokes, the CTO, echoes his concerns, writing, "I would hate to see our systems hacked and/or the leak of personal information."

In further comments the two wonder about data exfiltration and the confidentiality of the data posted on their site, and Kevin McCall, VP of operations, adds that there is "a lack of security awareness across the organization."

Update

In a similar document allegedly from Ashley Madison, the company suggests "Data leak/theft issues" as its top "area of concern" along with other potential threat vectors like "Exposing customer data via XSS session highjacking (XSS + phishing)," "exposing customer data via SQL injection vulnerability in the application code," and "code bug resulting in remote code execution exposing customer data (sql dump)." The document — which was not independently verified by BuzzFeed News — suggests that the company was concerned about "internal users being infected with malware/viruses allowing hackers access to our user data" as well as "web app remote code exploit[s] in our codebase resulting in a man-in-the-middle attack where a hacker gains access to our customer's billing/credit card information."

Below are more alleged disclosures from Ashley Madison about user data privacy concerns:

- Bad actor creating accounts on our sites, crawling search results and finding a method of correlating our users to their private lives (facial recognition, image metadata location coordinates, etc…)
- Internal bad actor stealing customer data and exposing it in social media/blackmailing
- Internal bad actor using a known/shared password to access customer data
- A hacker/bad actor at New Relic gaining access to our customer data.
- Third party billing partner getting hacked, exposing our customer list.
- Improper handling of backup media from OnX resulting in a data leak
- A hacker or bad actor gaining access to our customer service gmail credentials and gaining access to customer data.

Mat Honan is the San Francisco bureau chief for BuzzFeed News. Formerly a senior staff writer at Wired, he has been writing about the technology industry and its impact on society for nearly 20 years.

Contact Mat Honan at mat.honan@buzzfeed.com.

Sheera Frenkel is a cybersecurity correspondent for BuzzFeed News based in San Francisco. She has reported from Israel, Egypt, Jordan and across the Middle East. Her secure PGP fingerprint is 4A53 A35C 06BE 5339 E9B6 D54E 73A6 0F6A E252 A50F

Contact Sheera Frenkel at sheera.frenkel@buzzfeed.com.
