In total, there were nearly 100 websites represented in the lot, and the site yielded significant clues about how the sites were compromised.
“When we examined the data we actually found out that the hackers kept logs of the sites that they attacked, how they attacked them and what they got from the site,” Holden noted. “The vast majority of sites on that one list – and there were also separate files that contain data also stolen from some of these sites – indicate that they went through a number of different sites and tried to steal specific types of data from these sites.”
Hold Security actually encounters such situations on a regular basis. The company has come to specialize in “thinking like a hacker” and that means going where hackers hang out. That has, in turn, revealed a lot about the types of sites that attract them.
“We audit not only from the compliance perspective but also from the real-world perspective where we would look through the eyes of hackers. What this shows me is that the dating sites are vulnerable by-and-large. There are no major sites that are at risk, such as eHarmony, Match.com, etc. The vast majority of these sites are small but they have databases where people have put very intimate portions of their lives.”
These cheaters will never prosper
And there’s the rub. While large-scale breaches such as Ashley Madison are not new, the type of information being compromised is different than the typical personally identifiable information (PII) that’s at risk in most hacks. People are no doubt alarmed enough if standard PII is compromised … and rightfully so. But really personal information such as the potentially embarrassing kind stored on a dating site or an “adult”-oriented website – that could be a whole new set of worries.
“There is the classically defined personally identifiable information – first name, last name, social security number, bank account, credit card, all of that – but this is more of a private personal nature,” confirms Candy Alexander, a CRC security consultant and former CISO.
When she first learned of the Ashley Madison breach, “My reaction was that I wasn’t surprised,” Alexander says. “When we look at hacking it has always been about motivation. Back when this first started, like 20-something years ago, it wasn’t necessarily for monetary value; it was about bragging rights – what they perceived as superior intelligence by circumventing the rules and being the rebels. Then hacking morphed into those who had the desire to get monetary gain. Then it morphed into fraud through personal health information. Now, where we are today, it’s to the point where anybody can hack if they really want to.”