Woman with face covered by hair showing how 2015 Ashley Madison data breach leads to new cyber extortion scams
2015 Ashley Madison Data Breach Leads to New Cyber Extortion Scams by Byron Muhlberg

2015 Ashley Madison Data Breach Leads to New Cyber Extortion Scams

A large number of users of the controversial dating site Ashley Madison are reported to have been the victims of cyber extortion scams, according to the email security firm Vade Secure.

This comes mere years after the ‘Impact Team’ — a group of commercial hackers — broke into the databases of Ashley Madison, the infamous Canadian dating site that facilitates extramarital affairs. In July 2015, the ‘Impact Team’ hackers were able to steal sensitive information, including nude photographs and credit card details, from 32 million users in a high-profile case of commercial hacking.

It is reported that the leaked data from 2015 is being used to initiate the current cyber extortion scams.

The Ashley Madison data breach is alleged to have taken place on retributive grounds. According to a recent CNBC report, the hackers claimed that they had committed their data breach in order to retaliate against Avid Life Media, the Canadian entertainment giant that owns Ashley Madison. The hackers claimed that the dating site was “deceptively using bots to pose as real women.” The claim is backed up by research from the media company Gizmodo, which reveals that a significant minority of active user accounts (less than one percent) belonged to females at the time of the Ashley Madison data breach.

Cyber extortion takes a sexy turn

According to Vade Secure, the Ashley Madison data breach is believed to have affected “several hundred” accounts. Reports suggest that these users were forced into a corner by an email from an anonymous sender in which more than $1,000 worth of Bitcoin is requested in exchange for withholding sensitive personal information, including sexual information.

The email is allegedly sent with “highly personalized” body copy addressed directly to the victim, and includes their bank account number, telephone number, physical address, date of birth, and even sexual proclivities pulled from their profile after the Ashley Madison data breach. The email also includes an attached PDF document which it includes more pieces of sensitive information from the victims, and includes a QR code for payment after laying out explicit financial demands.

The email campaign is reported to have been dispatched over the course of several weeks and continued through January 2020. According to Zak Doffman, CEO of surveillance solutions firm Digital Barriers, the cyber extortion scams are still ongoing and predicted to intensify. He wrote in Forbes that “this is likely a test run, designed to hone the approach,” and that once this is achieved, “there is no reason why many more won’t follow.”

The Ashley Madison data breach is part of a larger trend known as ‘sextortion’. As the name might suggest, sextortion is an act in which a hacker threatens to go public with private sexual information about victims, unless those victims pay an often-hefty ransom in exchange.

Recent cases of cyber extortion of this nature seem to indicate a new trend is emerging in the practice. Hackers send emails to their victims which include a password that had been obtained in an unrelated data breach. This tactic is designed to give the appearance of having done the hack themselves, and in this way, the hackers are able to use the stolen password to strengthen the credibility of their claim that the victim’s security had been endangered.

Cyber extortion emails of this kind can usually be ignored safely, as they tend to be empty threats which the hacker is unable to leverage.

In the case of the Ashley Madison data breach, however, the hackers had obtained the users’ passwords from the 2015 hack on the site. This means that they did, in fact, hold compromising information against the victims.

Ashley Madison data breach a sign of things to come

According to a Vade Secure blog post that details their findings, the Ashley Madison cyber extortion scam is a “good example that a data breach is never one and done.”

It adds that leaked data tends to be bought and sold over the dark web, and that this data is “almost always” used to launch “additional email-based attacks, including phishing and scams.”

“Seeing that there were more than 5,183 data breaches reported in the first nine months of 2019, exposing 7.9 billion records,” the report concludes, “we expect to see a lot more of this technique in 2020.”

In the case of the Ashley Madison data breach, Doffman points out the expected intensification of cyber extortion scams against user accounts will likely be committed by independent “copycat” hackers, looking for an opportunity to exploit a now fully exposed vulnerability.

If one thing is clear, it is that the relationship between the 2015 Ashley Madison data breach and the cyber extortion scam of today clearly demonstrates the deep-rooted and enduring nature of data breaches. For many Ashley Madison users, then, the data breach proved not only to mark a singular case of data compromise, but a longer-term ordeal.