• The Ashley Madison Hack is More than Just Embarrassing
  • August 25, 2015
  • Law Firm: McDonald Hopkins LLC - Cleveland Office
  • It was a bad week for people looking to cheat on their spouses: hackers publicly released the personal information of roughly 33 million users of the cheating site Ashley Madison. Aside from the obvious public embarrassment, many experts say the incident underscores the serious cybersecurity threats we face.

    With the information made public, hackers can and likely will leverage the database to get into other password-protected sites and systems.
    And since the Ashley Madison data dump also included thousands of government email addresses, criminals now have access to personal information about military and intelligence officials.

    The technique is simple but effective: many websites allow users to access restricted areas without a password if they can provide multiple pieces of personal information to verify their identity. Using a database like the one from Ashley Madison, stitched together with some of the countless other databases of stolen information that are easily accessible in the dark corners of the Internet, a hacker can assemble a fairly complete snapshot of an Internet user's profile that can then be used to bypass security steps on a website or computer system.

    That's likely how Russian hackers gained entry into more than 300,000 U.S. taxpayers' records on the Internal Revenue Service website earlier this year. The intruders accurately answered identity-based questions about those taxpayers to gain access to their tax history and IRS transcripts, and used that information to file more than $50 million in fraudulent tax returns.
    The Ashley Madison hack revealed only relatively basic information—things like names, online usernames, street addresses, phone numbers, and the last four digits of payment cards—but even those seemingly innocuous records could be enough for hackers.

    Other hacks, like the breach of more than 20 million individuals' records at the Office of Personnel Management (OPM), have compromised much more sensitive pieces of information. Some of the information accessed in the OPM attacks included Social Security numbers, financial and health history, and even more than a million fingerprint files.

    Experts say the spoils of the OPM breaches have not appeared for sale or for free on the Internet, likely because the hackers, who U.S. officials say were tied to the Chinese government, would rather keep the information for their own use.

    But other large-scale hacks, like the breaches at health insurance companies Anthem and Premera, also included sensitive personal information. Soon after large hacks like these, databases of stolen information usually begin to pop up on online marketplaces for would-be hackers to purchase. A Quartz investigation found that the going rate for a complete stolen identity on the Internet is about $20.

    But while the average Ashley Madison user should be worried that his or her information, now public, could make identity fraud easier for a hacker to pull off, a subset of Ashley Madison users could be in an even riskier position.

    A preliminary look at the Ashley Madison data dump revealed that about 10,000 email addresses belonged to U.S. officials, including employees of the Department of Justice and the National Security Agency.