Ashley Madison left ‘pay to delete’ information intact
Accounts that had been paid to be wiped by the Ashley Madison website have still retained enough information for users to be identified, according to reports.
The group that attacked the corporation has called themselves the ‘Impact team’ and they were motivated by the fact “[f]ull Delete netted Avid Life Media $1.7m [£1.1m] in revenue in 2014. It’s also a complete lie … Too bad for ALM, you promised secrecy but didn’t deliver.”
In the original attack the hackers demanded that the website be removed from the internet or they would reveal the stolen data, following through on the threat the information has now been posted online.
Data accessible includes date of births and post codes, even though the site charged users for a ‘full delete service’ costing £15, with the promise of removing all their information. Information made available also included their weight, height, city and whether the user smokes or drinks.
For example, one user that paid to have their information removed can be tracked to a specific tower block in London, where combined with the additional data presented brands them easily identifiable. The data also retained what type of relationship the user was seeking, their currently relationship status, what sexual preferences they had and what they were looking for in a partner.
However, Information security firm Rapid7 warned about the validity of the data, cautioning individuals not to jump to conclusions.
“It’s trivial to set up a fake account on Ashley Madison, since Avid Life Media’s account setup procedures encourages, but does not require, an email address to be verified by the user. This might be done for a variety of reasons by actors ranging from pranksters to bitter divorce rivals.
“Second, the majority of ‘real’ account holders tend to use fake, throwaway data and details, for obvious reasons. If some of those fake details happen to coincide with a real person, then it can create a sticky problem for that real person. Finally, even if the real data is a real person, and that person really registered for the site, there is no indication in the data if that person was successful at, or even intending to, pursue an illicit affair.”