Hacked hookup site Ashley Madison's security was laughable
Canadian and Australian privacy watchdogs bite, hard
Ruby Corp, the rebranded parent company of illicit-affair-arranging outfit Ashley Madison, has had to enter into court-enforceable orders with privacy authorities in Canada and Australia, following the findings of a joint investigation in the two countries.
After the company was hacked by Impact Team, it was pretty clear that its website security was a steaming pile. In the wash-up, it turned out to have deployed fake “fembot” profiles to draw suckers into its net, and lied about customers' ability to delete their profiles.
The report finds the site's security practices were a treat: the company stored its VPN password on Google Drive, making it easy to obtain for anyone who accessed any employee's machine. Once an attacker was on the inside, they'd find that some passwords were stored as plain text, in emails (apparently the idiots used “here's your password” emails at some point), and in text files on the company's servers.
“In addition, encryption keys were stored as plain, clearly identifiable text on ALM [Avid Life Media, the company that once ran AshMad - Ed] systems, potentially putting information encrypted using those keys at risk of unauthorized disclosure. Finally, a server was found with an SSH key that was not password protected. This key would enable an attacker to connect to other servers without having to provide a password”, the report adds.
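As an added illustration (not from the report or from The Register), a defender's check for the last finding above: a scan that flags SSH private keys stored without a passphrase, covering both the openssh-key-v1 format (ciphername "none") and legacy PEM keys. The file paths and key contents are constructed samples, not anything from ALM's systems.

```python
import base64
import re
import struct

MAGIC = b"openssh-key-v1\x00"

def _read_string(buf: bytes, offset: int) -> tuple[bytes, int]:
    """Read one SSH wire-format string (uint32 length + bytes)."""
    (n,) = struct.unpack(">I", buf[offset:offset + 4])
    return buf[offset + 4:offset + 4 + n], offset + 4 + n

def is_passphrase_protected(key_text: str) -> bool:
    """True if the private key material is encrypted with a passphrase."""
    if "BEGIN OPENSSH PRIVATE KEY" in key_text:
        # openssh-key-v1: magic, then ciphername; "none" means no passphrase.
        body = re.sub(r"-----[^-]*-----", "", key_text)
        raw = base64.b64decode("".join(body.split()))
        if not raw.startswith(MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        ciphername, _ = _read_string(raw, len(MAGIC))
        return ciphername != b"none"
    if "PRIVATE KEY-----" in key_text:
        # Legacy PEM keys mark encryption with a Proc-Type header;
        # encrypted PKCS#8 keys use a distinct BEGIN line.
        return ("Proc-Type: 4,ENCRYPTED" in key_text
                or "BEGIN ENCRYPTED PRIVATE KEY" in key_text)
    raise ValueError("not a recognised private key")

def unprotected_keys(files: dict[str, str]) -> list[str]:
    """Given {path: contents}, list the paths holding passphrase-less keys."""
    return [p for p, text in files.items()
            if "PRIVATE KEY" in text and not is_passphrase_protected(text)]

def _v1_sample(ciphername: bytes, kdfname: bytes) -> str:
    """Constructed openssh-key-v1 header (no key body) for demonstration."""
    raw = MAGIC
    for field in (ciphername, kdfname, b""):  # ciphername, kdfname, kdfoptions
        raw += struct.pack(">I", len(field)) + field
    raw += struct.pack(">I", 0)  # number of keys; body omitted (constructed)
    b64 = base64.b64encode(raw).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

# Constructed sample "server" files: one passphrase-less key, one protected.
SAMPLE_FILES = {
    "/srv/app/.ssh/id_ed25519": _v1_sample(b"none", b"none"),
    "/home/ops/.ssh/id_ed25519": _v1_sample(b"aes256-ctr", b"bcrypt"),
    "/etc/app.conf": "db_password = hunter2\n",  # not a key, ignored here
}

if __name__ == "__main__":
    for path in unprotected_keys(SAMPLE_FILES):
        print(f"UNPROTECTED SSH PRIVATE KEY: {path}")
```

On a real host the dictionary would be built by walking the filesystem; the parsing logic is unchanged.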
The Australia-Canada investigation has also pinged Avid Life Media, as AshMad was then known, as not transparent with users: “critical elements of their practices that would have been material to prospective users’ decision to join Ashley Madison were either absent, difficult to understand or deceptive”, the investigation states.
“ALM confirmed that the ‘trusted security award’ trust-mark on their home page was simply their own fabrication rather than a validated designation by any third party,” it notes.
Account deletion processes were deceptive, the investigation says, and “users choosing the full delete option were not informed until after they had paid for the full delete that their information would in fact be retained for an additional 12 months.”
As already noted, the company's internal IT security was a mess, and the report also notes that it made a decision not to have multi-factor authentication on its VPNs, which the report dryly considers “a significant concern”. Ruby Corp has since decided 2FA is a good idea.
The company is also the subject of an ongoing investigation by the US Federal Trade Commission. ®