Stolen User Data Sells for as Little as $1 on the Dark Web

Online data breaches and stolen user details are becoming a sad reality of life on the internet. Whether it’s the infamous Ashley Madison hack or a phishing attack, it’s tough to stop your information from falling into the wrong hands. You might be surprised, however, how much your personal data is worth. According to a new report from Trend Micro, entitled “Understanding Data Breaches”, user data is being sold on for as little as one dollar on the dark web.

Trend Micro also found, thanks to the Privacy Rights Clearinghouse Data Breaches database, that only 25% of data breaches between 2005 and 2015 were due to online hacks. The most common breaches are inside jobs, committed by employees of a company, as well as device skimming and physical theft of laptops, flash drives, and mobile devices.

Credit and debit card details are still being most effectively gathered via skimmers or cameras connected to an ATM or point-of-sale terminals, or by hardware keyloggers on cash registers, rather than by online methods.

Much of this stolen data is then sold on through the dark web, with bank details fetching up to $500 per account, PayPal and eBay accounts going for around $300, while US mobile accounts can go for as little as $14. Personally identifiable information (PII) – name, address, date of birth, and social security/national insurance number – sells for $1 per line, which means that the tiny sum of $4 can effectively buy a person’s identity. Bump that fee up to $25, and a full credit report on that person is yours.

Thank you ZDNet for providing us with this information.

Image courtesy of WIRED.

Cracking Millions Of Ashley Madison Passwords In Quadruple Quick Time

Signing up to a dating site that exists to facilitate affairs, and expecting all your data to remain safe, looks rather foolish after the many revelations concerning the Ashley Madison website. If the owners thought the site could not be embarrassed any further, a password-cracking team by the name of Cynosure Prime (not affiliated with Amazon's video service) has now cracked roughly 11 million passwords in just 10 days.

They managed this thanks to a mistake on Ashley Madison's side. The passwords themselves were hashed with bcrypt, a deliberately slow algorithm that should have made them very hard to crack at scale. Alongside them, however, the site stored tokens computed from the password with MD5 (Message Digest Algorithm 5), a fast hash that is far less suitable for protecting secrets. Using the second leak of data as a study set, Cynosure Prime attacked those MD5 tokens instead of the bcrypt hashes. Their key finding was that the token scheme had been changed in a code commit (1c833ec7) dated 14 June 2012, so any account created before that date could be cracked by way of the old "simple salted MD5" scheme: once a candidate password falls out of the fast MD5 hash, it only has to be confirmed against the bcrypt hash rather than guessed through it.
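The following Python is an added example, not code from the original article or from Cynosure Prime's write-up. It shows why a fast, case-insensitive MD5 token stored next to a bcrypt hash undermines the bcrypt: the attacker guesses against the cheap hash, then spends the expensive hash only on the few candidates that remain. The token format (MD5 over lower-cased username, password and a salt) is an assumption, since the page does not give the real one; PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt, which Python does not ship; the user record, wordlist and salts are constructed for the demo.

```python
import hashlib
import itertools

# Added example, not the site's code or Cynosure Prime's tool.
# Assumptions: the weak token is md5(lower(username) + "::" + lower(password) + "::" + salt)
# (the real format is not given on the page); PBKDF2-HMAC-SHA256 stands in for bcrypt,
# which is not in the Python standard library. The iteration count is kept low for a quick demo.
SLOW_ITERATIONS = 10_000


def slow_hash(password: str, salt: bytes) -> bytes:
    """Stand-in for the bcrypt password hash: deliberately slow and case-sensitive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, SLOW_ITERATIONS)


def fast_token(username: str, password: str, salt: str) -> str:
    """The weak side channel: a single MD5 over case-folded credentials (assumed format)."""
    data = f"{username.lower()}::{password.lower()}::{salt}"
    return hashlib.md5(data.encode()).hexdigest()


def make_record(username: str, password: str, token_salt: str, pw_salt: bytes) -> dict:
    """A constructed user row holding both the slow password hash and the weak token."""
    return {
        "username": username,
        "token_salt": token_salt,
        "loginkey": fast_token(username, password, token_salt),
        "pw_salt": pw_salt,
        "pw_hash": slow_hash(password, pw_salt),
    }


def case_variants(word: str):
    """Every upper/lower-case spelling of word; digits and symbols are left alone."""
    choices = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in word]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def crack_record(record: dict, wordlist: list):
    """Two-stage attack. Returns (password or None, fast_calls, slow_calls)."""
    fast_calls = slow_calls = 0
    hit = None
    # Stage 1: the MD5 token ignores case, so one cheap guess per word covers every casing.
    for word in wordlist:
        fast_calls += 1
        if fast_token(record["username"], word, record["token_salt"]) == record["loginkey"]:
            hit = word.lower()
            break
    if hit is None:
        return None, fast_calls, slow_calls
    # Stage 2: only the casings of that single word have to go through the slow hash.
    for candidate in case_variants(hit):
        slow_calls += 1
        if slow_hash(candidate, record["pw_salt"]) == record["pw_hash"]:
            return candidate, fast_calls, slow_calls
    return None, fast_calls, slow_calls


def naive_slow_calls(wordlist: list) -> int:
    """Slow-hash calls a direct attack on the bcrypt-style hash needs for the same search space."""
    return sum(1 for word in wordlist for _ in case_variants(word))


# Constructed wordlist and victim; the salts are arbitrary demo values.
WORDLIST = ["letmein", "qwerty", "secret99", "dragon", "password"]


def demo():
    record = make_record("ashley.user", "Secret99", "site-token-salt", b"constructed-salt")
    return crack_record(record, WORDLIST), naive_slow_calls(WORDLIST)


if __name__ == "__main__":
    (password, fast, slow), naive = demo()
    print(f"recovered {password!r} with {fast} MD5 calls and {slow} slow-hash calls "
          f"(a direct attack on the slow hash would need {naive} calls)")
```

The point is the ratio between the two stages: the cheap hash absorbs the whole dictionary, and the bcrypt-style hash is only ever evaluated for the casings of one word. The fix is not a stronger token hash but not deriving any fast-to-compute value from the password at all.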

What was expected to take years took only 10 days, exposing how naive the security practices inside Ashley Madison's technology stack were. The era of basic security has long since ended, and businesses need to understand the scale of the threats targeting their valuable data; Mrs Madison won't be the last to suffer such a data loss. This should also be yet another warning against the crusade to ban effective encryption, which is an essential tool for protecting consumers from web-based data theft.

If you have a few spare minutes, by all means take a look at the full, detailed explanation of the techniques used to crack the passwords; it's worth a read.

Thank you Cynosure Prime for providing us with this information.

Image courtesy of winknews

99% Of Women Profiles On Ashley Madison Were Fake

Oh well, I am not surprised, but here we go: the widely reported data breach at dating website Ashley Madison has exposed a wealth of information, including a huge proportion of fake profiles.

Impact Team, the group behind the hack, announced that it was releasing the information in part because Ashley Madison had duped consumers over the male-to-female account ratio on its website. At the time, the hackers claimed that 90-95% of the accounts on Ashley Madison were male, with "thousands" of fake female profiles. It turns out the group was correct, but underestimated the figures ever so slightly.

Careful scrutiny of the data, carried out to check whether the 5.5 million female accounts were genuine, reveals that many of them were created from the single loopback IP address 127.0.0.1, that is, from the site's own servers rather than from a visitor's machine. Thousands more listed an ashleymadison.com address as their primary contact email, including batches of sequentially numbered accounts such as 100@ashleymadison.com, 200@ashleymadison.com and so on.

Another revealing piece of information is the date on which a user last checked their inbox, which the site logs even if the user only checked it once. It shows that 20,269,675 men checked their messages, while only 1,492 women ever viewed their inbox. Well, just look at those odds; even Ray Winstone couldn't market this appealingly for Bet365.
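As an added example (not analysis code from the original article or from the researchers it cites), the Python below runs the three indicators described above over a small constructed user table: registration from a loopback address, a sequentially numbered ashleymadison.com contact email or any other site-domain email, and the per-gender count of accounts that ever checked their inbox. The column names and the sample rows are assumptions made for the demo.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample rows, not data from the leak. The columns are an assumption
# about what a user table of this kind might hold.
SAMPLE_ROWS = """email,reg_ip,gender,last_inbox_check
100@ashleymadison.com,127.0.0.1,F,
200@ashleymadison.com,127.0.0.1,F,
300@ashleymadison.com,127.0.0.1,F,
jane.doe@example.com,203.0.113.7,F,2015-07-02
support@ashleymadison.com,198.51.100.4,F,
bob@example.org,203.0.113.9,M,2015-07-10
dave@example.net,192.0.2.44,M,2015-06-30
eve@example.com,::1,F,
frank@example.net,198.51.100.20,M,
"""

SITE_DOMAIN = "ashleymadison.com"
# Accounts whose local part is just a number, e.g. 100@ashleymadison.com.
SEQUENTIAL_SITE_EMAIL = re.compile(r"^\d+@" + re.escape(SITE_DOMAIN) + r"$")


def parse_rows(text: str) -> list:
    """Minimal CSV reader for the constructed table (no quoting needed here)."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    return [dict(zip(header, line.split(","))) for line in lines[1:]]


def is_loopback(ip: str) -> bool:
    """True for 127.0.0.0/8 and ::1, i.e. a registration made from the server itself."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False  # malformed or missing address: not evidence either way


def fake_indicators(row: dict) -> list:
    """Names of the indicators that fire for one account (empty list if none)."""
    flags = []
    if is_loopback(row["reg_ip"]):
        flags.append("loopback_ip")
    email = row["email"].lower()
    if SEQUENTIAL_SITE_EMAIL.match(email):
        flags.append("sequential_site_email")
    elif email.endswith("@" + SITE_DOMAIN):
        flags.append("site_domain_email")
    return flags


def summarise(rows: list):
    """Return (flagged accounts -> indicators, inbox checks by gender, accounts by gender)."""
    flagged = {r["email"]: fake_indicators(r) for r in rows}
    flagged = {email: flags for email, flags in flagged.items() if flags}
    inbox_by_gender = Counter(r["gender"] for r in rows if r["last_inbox_check"])
    total_by_gender = Counter(r["gender"] for r in rows)
    return flagged, inbox_by_gender, total_by_gender


if __name__ == "__main__":
    flagged, inbox, total = summarise(parse_rows(SAMPLE_ROWS))
    for email, flags in flagged.items():
        print(f"{email}: {', '.join(flags)}")
    for gender in sorted(total):
        print(f"{gender}: {inbox[gender]} of {total[gender]} accounts ever checked their inbox")
```

None of these indicators proves an individual account is fake on its own; the signal is in the volume, which is why the real analysis counted accounts rather than judging them one at a time.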

I do feel these sites offer the majority a false sense of possibility, with reality being far less forgiving; the breach also shows just how much information can be harvested by third parties when it is not stored correctly. The irony in all this is that Ashley Madison offered a platform for people to cheat on their other half, which is deplorable, yet doing so was far less possible than previously thought given the number of fake profiles.

Thank you extremetech for providing us with this information

Image courtesy of huffingtonpost

Users Launch Class Action Suits Against Ashley Madison

Users of extramarital affair site Ashley Madison have launched class action lawsuits against its parent company Avid Life Media, accusing it of negligence in protecting customer data. Two suits have been filed, one in California and another in Texas, alleging that the company failed to implement adequate security measures to stop user data from being compromised, and failed to notify customers once their data had been breached.

“Among the data compromised and downloaded were profiles of individuals who executed the option to scrub their user profiles and all associated data and paid $19 to Defendants to do so, yet Defendants failed to actually scrub the data,” the lawsuit filed in US District Court for Central District of California reads, after the public leak of “highly-sensitive personal, financial, and identifying information of the website’s some 37 million users.”

“One of the primary purposes of Defendants product and services was confidentiality and anonymity,” reads the suit filed in the U.S. District Court for the Northern District of Texas.

Further lawsuits have been reported in courts in California, Texas, and Missouri, plus another five in Canada.

Famed detective John McAfee has determined that the user data leak was an inside job, committed by a “woman”. Expect him to be called up as a key witness soon.

Thank you PC World for providing us with this information.

Ashley Madison Ex-CTO Hacked Competing Website

Adultery website Ashley Madison is at the forefront of a hacking scandal despite its reassurances about confidentiality. The data released includes information on members, their activity and the CEO's e-mail correspondence. In an ironic twist, leaked documents show that the company's CTO, in collaboration with other employees and the CEO of parent company Avid Life Media, discovered a security flaw in rival site Nerve.com. The company accessed the competitor's entire database and had the ability to change records as it pleased. A snippet from the e-mail exchange provides an insight into their ruthless strategy:

“They did a very lousy job building their platform. I got their entire user base,”

“Also, I can turn any non paying user into a paying user, vice versa, compose messages between users, check unread stats, etc.”

In a hilarious twist, Raja Bhatia, the founding chief technology officer, had outlined the company's own security problems before allegedly hacking a competing site:

“With what we inherited with Ashley[Madison.com], security was an obvious afterthought, and I didn’t focus on it either,”

“I am pretty sure we stored passwords without any cryptography so a database leak would expose all account credentials.”

Ashley Madison is a very divisive website, and its CEO isn't the most lovable of characters. Furthermore, if the company conducted hacking as suggested in the e-mails, it could be prosecuted under the Computer Fraud and Abuse Act. Personally, I have very little sympathy for a company which promotes cheating and apparently engages in the very behaviour it professes to be outraged by.

Thank you Wired for providing us with this information. 

John McAfee Accuses Employee of Ashley Madison Leak

Everyone’s favourite anti-virus-inventing, yoga-teaching, hand-biting millionaire eccentric John McAfee has turned private dick, launching his own investigation into the recent data leak from extramarital affair hook-up site Ashley Madison. McAfee claims that, after taking “over a week to finish the analysis,” he has discovered that the data was not obtained by a hack but was stolen by an employee of Avid Life Media, parent company of Ashley Madison.

In outlining the extent of his investigation into the Ashley Madison leak, McAfee bigs himself up to the max at any and every opportunity. “I have spent my entire career in the analysis of cybersecurity breaches,” he reminds us, “and can recognise an inside job 100% of the time.”

He bases his accusation on the fact that “the data contains actual MySQL database dumps”, and then goes on to outline further circumstantial evidence to suggest an inside job:

  1. An office layout for the entire Ashley Madison offices. This would normally exist only in the office of personnel management, the maintenance department, and possibly a few other places. It would certainly not be in the centralised database. Neither would it be of much value to the average hacker.
  2. Up to the minute organisation charts for every Avid Life division. This might be of value to certain hackers, but considering the hacker had already made off with everyone’s credit card info, billions of dollars worth of blackmail information, every private email of the CEO (fascinating, by the way), and everything else of value, it would seem odd to dig up the organisation charts as well.
  3. A stock option agreement list, with signed contracts included. The hacker would have had to gain access to the private files of the CEO or the VP of Finance to obtain this material – a job requiring as much time to implement as a hack of the centralised database. Again, of what value would this be considering the hacker had already made off with potentially billions.
  4. IP addresses and current status of every server owned by Avid Life – of which there were many hundreds scattered around the world. Why any hacker would trouble themselves with such a task, considering what was already taken, is mind boggling.
  5. The raw source code for every program Ashley Madison ever wrote. This acquisition would be a monumental task for any hacker and, unless the hacker planned on competing with Ashley Madison, has no value whatsoever.

John McAfee, P.I., goes to great lengths to stress that this employee, who acted alone, is female, gleefully insinuating a motive of feminist vengeance – the stereotypical ‘scorned woman’ – as though only a lady could take exception to cheating spouses. How does he know the gender of the perpetrator? Because McAfee has “practiced social engineering since the word was first invented and I can very quickly identify gender if given enough emotionally charged words from an individual.”

But don’t dare doubt the Great Detective: “If this does not convince you then you need to get out of the house more often,” he quips. A cogent argument indeed.

Thank you International Business Times for providing us with this information.

Hackers Post 10GB Stolen Data as Ashley Madison Stays Online

It has been a while since hackers attacked the online cheating site Ashley Madison where the hackers claimed that they had downloaded pretty much all relevant information about the users from the site. For those who don’t know it, Ashley Madison is an online dating site specifically designed and advertised to married people who want to cheat on their partner. A pure disgrace in my book that a site like that is allowed to stay online, but that is beside the point right now.

The hackers wanted the site shut down and threatened to release the user data if that didn’t happen. The site didn’t give in to the blackmail, as it looks to be a very lucrative operation, even though it has been exposed as having 90-95% male profiles, with most of the female profiles faked by the company. I don’t think that women cheat less than men; perhaps they’re just smarter about it.

Now the hackers have made good on their promise and released 10GB of stolen data that includes not only usernames and emails but also appears to contain the credit card information used to pay for memberships, along with a great deal of other personal information. While the site doesn’t verify profiles in any way, and it is possible to create a fake profile with any email address you wish, it’s still alarming how many government email addresses were found in the database.

Avid Life Media, the company behind Ashley Madison, condemned the release of the data with a statement: “This event is not an act of hacktivism, it is an act of criminality. It is an illegal action against the individual members of AshleyMadison.com, as well as any freethinking people who choose to engage in fully lawful online activities. The criminal, or criminals, involved in this act have appointed themselves as the moral judge, juror, and executioner, seeing fit to impose a personal notion of virtue on all of society. We will not sit idly by and allow these thieves to force their personal ideology on citizens around the world.”

All the information has been posted to the “Dark Web”, which can only be accessed through the Tor browser. It will be interesting to see what new dirt shows up as experts dig through the data and crack the parts that were protected.

Thank You Wired for providing us with this information