On Sunday, a group calling themselves Impact Team leaked documents and other data taken from Avid Life Media, the company behind the adult playgrounds of Ashley Madison, Cougar Life, Established Men, and others.
The documents are a hodgepodge of details covering IT infrastructure, sales and marketing data, customer records, and more.
In the message that accompanied the data, published online in multiple locations Sunday evening, Impact Team quoted ALM's CTO Trevor Skyes stating that protection of personal information was one of his biggest successes.
The quote goes on to say that he'd hate to see the company's systems hacked or customer information leaked. But that's exactly what's happened.
As part of the post announcing the hack, Impact Team said in part:
"We have hacked them completely, taking over their entire office and production domains and thousands of systems, and over the past few years have taken all customer information databases, complete source code repositories, financial records, documentation, and emails, as we prove here. And it was easy. For a company whose main promise is secrecy, it's like you didn't even try, like you thought you had never pissed anyone off.
"Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers' secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails. The other websites may stay online."
Impact Team claims that one of the reasons for targeting ALM is that the company "profits on the pain of others."
The group released nearly 40 MB of data as proof of their claims, including limited credit card transaction details, zone data on two domains, and several documents taken from the ALM data servers.
One of the leaked documents is an infrastructure overview of ALM, including a technical map of the network, and a detailed breakdown of the apps and services used on the company's front-rail and back-rail servers.
Another leaked document outlines the possible risks the company faced in relation to customer data and the possible outcome during a given scenario. All of the items in the document are valid risk assumptions, which would make it part of a larger security plan or internal evaluation.
Some of the concerns include the loss of compliance status due to an oversight or bug in development, or a process failure leading to the loss of PCI compliance. The document also singles out XSS and SQL Injection vulnerabilities as another concern, in addition to man-in-the-middle attacks and malware infections on the internal network.