The document summarizes the Ashley Madison data breach from 2015. It discusses how hackers breached Ashley Madison's systems and leaked customer data online. It also covers Ashley Madison's statements responding to the breach, media coverage of the incident, analysis of passwords and personal data leaked, effects on customers like suicide, and questions that remain about Ashley Madison's data security practices and handling of the breach.

1. Ashley Madison :
Lessons (to be) Learned
Per Thorsheim
Security Adviser
@thorsheim

2. Article 12:
“No one shall be subjected to arbitrary interference with
his privacy, family, home or correspondence, nor to
attacks upon his honour and reputation. Everyone has the
right to the protection of the law against such interference
or attacks.”
The Universal Declaration of Human Rights,
United Nations

3. About Ashley Madison

6. Ashley Madison hacked

7. July 15

11. The threat

13. Data Dumps Online

16. Number of traveling man purchases.docx
SQL queries to investigate high-travel user's purchases.
q2 2013 summary compensation detail_managerinput_trevor-s team.xlsx
Per-employee compensation listings.
AVIDLIFEMEDIA (primary corporate domain) user information and hashes.txt
Noel's loan agreement.pdf
A promissory note for the CEO to pay back ~3MM in Canadian monies.
Areas of concern - customer data.docx
Appears to be a risk profile of the major security concerns that ALM has regarding their customer's data. And yes, a major user data
dump is on the list of concerns.
A listing of all ALM associated bank account numbers and the biz which owns them.
Rev by traffic source rebill broken out.docx
Rebill Success Rate Queries.docx
Copies of Option Agreements.pdf
All agreements for what appears all of the company's outstanding options.
paypal accounts.xlsx
Various user/passes for ALM paypal accounts (16 in total)
ARPU and ARPPU.docx
A listing of SQL commands which provide revenue and other macro financial health info.

17. TL;DR :
• The leak contains lots of source code (nearly
3M lines of code according to sloccount)
• 73 different git repositories are present
• Ashley Madison used gitlab internally
• The 13GB compressed file which could contain
AM CEO’s emails seems corrupted. Is it a fake
one?
• The leak contains plain text or poorly hashed
(md5) db credentials

18. Media

24. 9,000+ articles – and counting….

25. Password analysis

26. 123456
password
12345
qwerty
12345678
ashley
baseball
abc123
696969
111111
football
fuckyou
madison
asshole
superman
fuckme
hockey
123456789
hunter
harley
202
105
99
32
31
28
27
27
23
21
20
20
20
19
19
19
19
19
18
18
Passwords found

30. Statements from Avid Life Media

31. We immediately launched a thorough investigation
We apologize
No company’s online assets are safe from cyber-vandalism
Despite investing in the latest privacy and security technologies.
We have always had the confidentiality of our customers’ information foremost in our minds
We have been able to secure our sites, and close the unauthorized access points.
July 20, 2015

32. #2, July 20, 2015
Using the Digital Millennium Copyright Act (DMCA), our team has now successfully
removed the posts related to this incident as well as all Personally Identifiable
Information (PII) about our users published online. We have always had the
confidentiality of our customers’ information foremost in our minds and are pleased
that the provisions included in the DMCA have been effective in addressing this
matter.

33. August 18, 2015
No current or past members’ full credit card numbers were stolen
from Avid Life Media. Any statements to the contrary are false. Avid
Life Media has never stored members’ full credit card numbers.
…. BUT ALL OUR MEMBERS MOST INTIMATE SEXUAL PREFERENCES
ARE FULLY AVAILABLE ONLINE FOR FREE, FOR ANYONE TO READ!

34. Effective today, Noel Biderman, in mutual agreement with the
company, is stepping down as Chief Executive Officer of Avid Life
Media Inc. (ALM) and is no longer with the company.
August 28, 2015

35. CEO

39. Search sites

45. Scams

47. Suicide

48. Two individuals associated with the leak of
Ashley Madison customer details are reported
to have taken their lives, according to police in Canada.
Ashley Madison's Canadian parent company Avid Life
Media is offering a C$500,000 (£240,000) reward for
information on the hackers, they added.
Police have set up a Twitter account, @AMCaseTPS,
and hashtag, #AMCaseTPS, in a bid to gather
information about the hack from members of the public.

49. Hunting Hackers

54. «If they only did as we ….»
Oh, really?

55. No HTTPS =
No Security
No Privacy

56. Account enumeration =
Security design weakness

57. Profiteering

61. http://www.troyhunt.com/2015/08/heres-what-ashley-madison-members-have.html

62. Questions for Ashley Madison

64. Current Terms and Services @ Ashley Madison (September 2015):
However, in the terms and services of the site, it explicitly warns would-
be cheaters that many users of the site subscribe “for purely
entertainment purposes”. It continues:
“You acknowledge and agree that any profiles of users and Members, as
well as, communications from such persons may not be true, accurate or
authentic and may be exaggerated or based on fantasy. You
acknowledge and understand that you may be communicating with such
persons and that we are not responsible for such communications.”

65. February 2015: Terms and Services @ Ashley Madison:
“The profiles we create are not intended to resemble or mimic any actual
persons. We may create several different profiles that we attach to a
given picture. You understand and acknowledge that we create these
profiles and that these profiles are not based on or associated with any
user or Member of our Service or any other real person. You also
acknowledge and agree that the descriptions, pictures and information
included in such profiles are provided primarily for your amusement and
to assist you navigate and learn about our Site. As part of this feature,
the profiles may offer, initiate or send winks, private keys, and virtual
gifts. Any one of these profiles may message with multiple users at the
same or substantially the same times just like our users.
Our profiles message with Guest users, but not with Members. Members
interact only with profiles of actual persons. Guests are contacted by our
profiles through computer generated messages, including emails and
instant messages. These profiles are NOT conspicuously identified as
such.”

66. 1. How many actual users did it have?
2. Did it make fake accounts?
3. Was it aware of prostitution on the site?
4. It promised security to its customers. What did it
do to ensure this?
5. Its CEO said the leak was an inside job. What
made him think that? Has he changed his mind?
6. Why did the «full delete» not fully delete a
customer’s profile? Why did it keep location
information for a fully deleted account?
7. Given it took card payments for a full delete,
why didn’t it make clear that payment
information has to be retained?
8. Why didn’t it disclose the hack to customers as
soon as it happened? Why did they have to find
out from the press?
9. Why did it make a specific, narrow denial about
storing card numbers?
10. Why is it still implying the leak is not real?

67. The Law
is changing for the better.

69. 37 565 000

70. Over 42 195 000 anonymous members!

71. ¯_(ツ)_/¯

73. Article 12:
“No one shall be subjected to arbitrary interference with
his privacy, family, home or correspondence, nor to
attacks upon his honour and reputation. Everyone has the
right to the protection of the law against such interference
or attacks – even members of Ashley Madison.”
The Universal Declaration of Human Rights,
United Nations

74. PasswordsCon.org
University of Cambridge, December 7-9, 2015

75. per@godpraksis.no
www.godpraksis.no
+47 90 99 92 59
@thorsheim