A new report alleges that Ashley Madison executives may have hacked a competing site a few years ago. Ironically, the revealing emails were found within a giant cache of data leaked as a result of a cyber attack on the network for adulterers.
In a blog post, security expert Brian Krebs details a series of emails from 2012 that seem to indicate that Ashley Madison’s original chief technology officer, Raja Bhatia, discovered and exploited vulnerabilities in nerve.com, a site that explores human sexuality and culture. At the time, Nerve was building an adult dating forum. In an email, Bhatia told his boss, Noel Biderman, CEO of Avid Life Media (Ashley Madison’s parent company), that he was able to access nerve.com’s users and change account data. Here’s an excerpt from the Krebs security report:
“They did a very lousy job building their platform. I got their entire user base,” Bhatia told Biderman via email, including in the message a link to a GitHub archive with a sample of the database. “Also, I can turn any non paying user into a paying user, vice versa, compose messages between users, check unread stats, etc.”
Apparently, months after Bhatia breached nerve.com, Biderman met up with the company to talk about a potential partnership. It’s not clear whether Bhatia or Biderman ever disclosed the security gap to Nerve.
We have reached out to Ashley Madison and will update this post if and when it responds.
Ashley Madison is still reeling from a July cyber attack from a group calling itself The Impact Team. With the tagline “Life is short. Have an affair,” Ashley Madison has amassed 40 million users by promising to facilitate discreet encounters — a promise it failed to deliver on.
The Impact Team has said they looted Ashley Madison’s servers because the service was not deleting users’ personal information even after those same users had paid for it to be erased.
When news of the hack first emerged, Ashley Madison executives were quick to dismiss its significance, saying that most claims by sites purporting to offer access to the leaked data were false. Since then, The Impact Team has released 30 gigabytes’ worth of data to the web, including user data and company information. In total, three years’ worth of email was leaked, running from January 2012 to July 7, 2015, according to Krebs.
The information about internal emails comes as Ashley Madison ramps up its efforts to bring the hackers who breached its site to justice. Earlier today, the company offered $380,000 for information leading to the arrest or prosecution of individuals related to the hack.
In the meantime, Ashley Madison users are shaken. Unconfirmed reports say a few people have taken their lives as a result of the hack.
*Update: an earlier version of this article referred to Ashley Madison CTO Raja Bhatia as a cofounder rather than its original chief technology officer.