Posted on August 31, 2015 By admin
Hardly a week seems to go by at the moment without news of personal data being leaked from a website, eCommerce company or government department. Whilst this is always inconvenient, leading to users having to change passwords, it can be much worse. If it involves the leakage of email addresses, victims may be targeted with spam and phishing attacks, and if credit card details are leaked there can be a financial cost too.
In the case of the Ashley Madison hack – the controversial site based in Canada that allows people to arrange extra-marital affairs – there have been a number of consequences which uncover just how damaging data leaks can be.
Leaked email addresses from Ashley Madison suggest that many of the site’s users may have signed up to the site using their work email addresses. Accounts at large companies and government departments have been used. This highlights two things: firstly, that users of the site are not using personal addresses in order to hide their activity, and secondly, that they’re abusing their business email accounts for personal purposes. It’s fair to assume that this use of email addresses applies to other sites too, so employers’ systems may be put at risk as well as being subject to additional traffic.
There is, of course, a very personal element to the Ashley Madison hack given the nature of the site. Leakage of names won’t have done any good for some people’s relationships. Worse still, reports from Canada suggest that two people may have committed suicide as a result of their identity being leaked.
Owners of other online dating services as well as those of paid-for X-rated sites are also worried that their sites may now become subject to attacks from hackers. The web gives many people a sense of anonymity, and they may feel they’re safe signing up for sites like this, but the security of the sites may let them down. In some ways this attack has opened up a new route for hackers too, with the opportunity to blackmail site users and owners against the threat of releasing their details. This may prove more lucrative for cybercriminals than simply stealing card details or launching ransomware attacks.
The CEO of Ashley Madison has resigned in the wake of the leak, which has exposed flaws in the handling of data by the business. Accounts which the company had promised to wipe in exchange for a fee were still lurking on its servers.
A further unexpected twist in recent days is that analysis of the leaked data shows the Ashley Madison site itself may have been cheating on its own users. Analysis of data from the site suggests that many of its female ‘users’ were actually fake profiles created by the company itself using bots.
What can we take away from this tale of woe? For website owners, it’s clear that there’s a degree of complacency in protecting data. A proper forensic audit of systems would be able to uncover risks before they are exploited. For employers, there’s clearly a need to look at how their email systems are being used, as they could be opening themselves up to ‘Password Reuse’ attacks or the possibility of legal action.
For individuals, the clear message is never assume that you’re safe online. Always find out, if you can, what security measures the site is taking, and if you need to create a profile or account, don’t expose more information than you have to. If you need to sign up to mailing lists, have a separate, disposable email address.