“I am surprised… no encryption has been used” – Per Thorsheim, security expert, on the Ashley Madison breach, as quoted by BBC News.
As you have probably heard, Ashley Madison, a dating site for married people looking to date outside their marriage, was breached, and as of August 18 about 10 GB of data containing personal information on roughly 33 million users had been dumped to the dark web and to Tor-based URLs.
The ramifications of this are pretty large. First, people tend to react strongly to things that affect their marriages, so even the presence of an unused account (or a fake account not set up by the owner of the email address attached to it) could have consequences that spill over from cyberspace into meatspace.
According to CSO Online, 15,019 of the exposed accounts had .gov or .mil email addresses, which creates problems in a couple of different ways. I suspect that those who grant security clearances will not take kindly to behavior that leaves someone so exposed to blackmail. On the flip side, I imagine that those trying to compromise military or government workers now have another useful tool at their disposal. Expect awkward meetings and some churn at the office.
On a wider scale, expect the phishing crews to take full advantage of this. APTs have matured: early phishing attacks were almost laughably transparent, but a lot of what is being sent around on phishing expeditions now is actually pretty slick and passes for the real thing. The bad guys just got a pretty big mailing list. In the meantime, websites are popping up where you can check whether specific accounts are included in the dump.
Now, considering how many of those email addresses were .gov and .mil, one also wonders how many were associated with corporate email accounts. At least the passwords they stored were hashed with bcrypt, leaving them relatively, though not perfectly, secure. This is probably a good time to change your Ashley Madison password. Of course, nobody would ever use the same password across different sites, but if a person were to do so, this would be a good time to change those passwords as well.
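Why a bcrypt-style password store counts as "relatively, though not perfectly, secure" comes down to two properties: a per-user salt (the same password hashes differently for every account) and a tunable work factor that makes each guess expensive. The following is an added example, not code from this post or from Ashley Madison, showing a small credential store with both properties plus transparent upgrading of stale records when the work factor is raised. bcrypt is not in the Python standard library, so the example uses PBKDF2-HMAC-SHA256 from `hashlib` in its place; the record format, iteration count and function names are assumptions made for this illustration.

```python
import base64
import hashlib
import hmac
import os

# Illustrative password store (added example). PBKDF2-HMAC-SHA256 stands in for
# bcrypt here: both are slow, salted hashes with an adjustable work factor.
ALGORITHM = "pbkdf2_sha256"
CURRENT_ITERATIONS = 200_000   # assumed work factor for this example; raise it as hardware speeds up
SALT_BYTES = 16


def hash_password(password: str, iterations: int = CURRENT_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (base64 fields)."""
    salt = os.urandom(SALT_BYTES)          # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def _parse(record: str):
    """Split a stored record back into (iterations, salt, digest)."""
    algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    return int(iterations), base64.b64decode(salt_b64), base64.b64decode(digest_b64)


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the record's own salt and iterations; compare in constant time."""
    iterations, salt, expected = _parse(record)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest, expected)


def needs_rehash(record: str) -> bool:
    """True when the record was produced with a weaker work factor than we now require."""
    iterations, _, _ = _parse(record)
    return iterations < CURRENT_ITERATIONS


def login(password: str, record: str):
    """Verify a login and, on success, upgrade a stale record to the current work factor.

    Returns (ok, record_to_store). The record only changes on a successful login,
    because that is the only moment the plaintext password is available to rehash.
    """
    if not verify_password(password, record):
        return False, record
    if needs_rehash(record):
        record = hash_password(password)
    return True, record


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print("verify correct:", verify_password("correct horse battery staple", stored))
    print("verify wrong:  ", verify_password("Correct horse battery staple", stored))
    # Same password, different salt, different record:
    print("salted uniquely:", hash_password("x") != hash_password("x"))
```

The work factor is the whole point: raising the iteration count makes every guess proportionally slower for an attacker holding the dump, but it does nothing for a password that is reused elsewhere or appears in a common-password list, which is why the advice above to change reused passwords still stands.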
So, what for many was supposed to be a little extracurricular fun certainly has the potential to turn into a marriage- and/or career-ending nightmare. Of course, it didn’t have to play out this way. If the folks running Ashley Madison had had any sort of respect for their clients, they could have encrypted all of their customer records, including credit card records.
These days encryption is not hard. We have packages for Windows and Linux, and the encryption agent installs in seconds. You can encrypt on the fly. We include key management functionality, and to make things even easier you can rekey on the fly as well.
Learn more about HyTrust DataControl.