Attack on dating site seemingly motivated by business grudge.
Some 37 million users of the infidelity dating site Ashley Madison are at risk of being outed after hackers claimed to have leaked some of the site’s data online.
Avid Life Media, the owner of the site and similar services Cougar Life and Established Men, was left scrambling to fix the problem, and confirmed a cyberattack had taken place on its systems.
"We’re not denying this happened," chief executive Noel Biderman told the security blogger Brian Krebs. "Like us or not, this is still a criminal act."
The hackers behind the attack, the Impact Team, appeared to be motivated by Avid Life’s plans to charge customers £15 to fully delete their profile details, which include personal data, credit card info and descriptions of their sexual preferences.
"Full Delete netted [Avid Life] $1.7m in revenue in 2014. It’s also a complete lie," the hacking group wrote in a message online.
"Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed."
The attackers demanded that Avid Life shut down both Ashley Madison and Established Men, a site for "sugar daddies", and threatened to release the rest of the data cache if the firm did not comply.
Whilst Biderman did not confirm many details of the investigation into the attack to Krebs, he did reveal that the company had a suspected "culprit" in its sights.
"We’re on the doorstep of [confirming] who we believe is the culprit, and unfortunately that may have triggered this mass publication," he said.
"I’ve got their profile right in front of me, all their work credentials. It was definitely a person here that was not an employee but certainly had touched our technical services."
Seemingly confirming the close connection between the hackers and Avid Life, the Impact Team also apologised to the firm’s director of security, Mark Steele, who they said "did everything you could".
Alongside the customer details, the hackers were also said to have got hold of company data, including staff salary details, internal network maps and corporate bank account data.
Commenting on how customers would likely respond to the attack, Dave Palmer, director of technology at security vendor Darktrace, said: "I think it will really depend on the customer’s own view.
"If you’re into this sort of service I’m not sure what other services exist where you could take your business to."
The attack also invites comparisons to a similar raid on AdultFriendFinder, which exposed millions of users to similar data disclosures in May.