Although not mentioned in the email quoted below, clearly some state employees got caught in the hack of the Ashley Madison website. The odd thing is that the email sent out statewide is entitled “Phishing Scams.” The Ashley Madison hack was just that, a hack. It had nothing to do with phishing scams. I don’t know which is more troublesome, state employees using a website like Ashley—which by the way is blocked for 99% of network users—or that the head security guy is wrongly calling this a phishing scam.
Anyway, here is the email. Please note that links to state intranet sites were removed for this copy. Also, I added emphasis to portion on “data dump”.
Attention CDCR Email Account User,
The CDCR Information Security Office was recently made aware that several CDCR email accounts were published to a public Internet site in a data dump that was hacked by a third-party organization. The compromised email accounts were used as logons by the users for non-CDCR related activities. Although corresponding passwords or other personal information were not believe to have been exposed, we ask all users to:
• Do not use the same password for your CDCR account for any non-CDCR purposes such as personal email – this will reduce the risk of having your CDCR account compromised (best practice)
• Do not use the CDCR work email address for personal use such as use your email account to sign up for non-CDCR business related purposes.
Because of this data dump is available to the public, please also take the time to review regarding how to prevent against phishing attacks.
Additionally please:
• Do not enter sensitive or confidential information into any internet website unless it can be verified that the site is authentic,
• Do not reply to emails requesting any sensitive or confidential that originate from an unknown source, and
• Do not provide any sensitive or confidential information over the telephone during conversations that were not initiate by yourself.
If you have any further questions or concerns regarding this email please contact the CDCR Agency Information Security Office.
Tina Turner had a hit many years before her trip to Thunderdome when she asked, “What’s love got to do with it?” After being married to Ike, maybe she really felt that way.
Supposedly other women do too. If you believe their marketing, a vast number of unhappy and promiscuous women are available on the Ashley Madison website for any man married wanting a fling. This website whose motto is: “Life is short, have an affair” was recently hacked.
Some readers many ask why I am spending time on this data breech of a sleazy website. Why? Because thus far, this is the biggest known data breech in the world…ever. Besides, how many websites do you know that dedicate themselves to violating one of the Ten Commandments.
These guys are dirtbags. They are marketing adultery with a money back guarantee.
Affair Guarantee Program Rules
•Under the AshleyMadison.com Affair Guarantee Program, (the “Affair Guarantee Program” or the “Program”) if you don’t find someone within the initial 3 months after purchasing the “Affair Guarantee” Membership Package, we’ll refund you the amount you paid AshleyMadison.com for participating in the Program (the “Refund”).
• The Guarantee Program is available for a limited time only, and open to anyone.
The cost of sin is high. In this case $249 CDN/$199 USD Source Article
A year ago, the website was claiming 13 million active users. Oh, no cost for women to join. Prices above are the rates men are willing to pay. Source Article
Those with memberships were promised that for a fee of $19, their account would be deleted.
Ashley Madison sold the delete feature for $19, The Guardian reports, promising users it would remove their profiles from the site, including search results. BuzzFeed discovered that the site made close to $2 million for the service in 2014 alone when 90,000 requested such profile deletions.
However, it turns out that Ashley Madison kept a treasure trove of information for each user that’s good enough to identify that person. The company did remove the real name, username, email and profile information as promised but it retained sensitive data that can be used to find out whether a person may have had an account on the extra-marital affairs site.
The company “retained the date of birth, city, state, post- or zip code, country, gender, ethnicity, weight, height, body type and whether the user smokes or drinks,” The Guardian writes. BGR Article
The hackers of this website call themselves The Impact Team. This manifesto—including locations of the data—can be viewed here. Impact Team Manifesto
According to Toronto Police, employees of Canadian based Avid Life Media—the owners of Ashley Madison and some similar websites—first became aware of the hack on July 12.
In the news conference, the police detailed how users were targeted in an attack that began July 12, when employees of Avid Life Media arrived at work. When the employees opened their laptops, they were met with the song “Thunderstruck” by AC/DC, and an accompanying message demanding that Avid Life shutter both websites. New York Times
The hackers then provided samples of the hacked data to prove their claims of hacking the website were genuine. Avid Life refused to take down two of their websites so on August 20th, the hacked data was posted.
Impact Team released a 9.7GB data dump that contains over 30 million Ashley Madison user records. This includes names, addresses and emails, but it is thought that credit card details have not been compromised. Not all the email addresses are real, but up to 24 million are said to be active.
The data was posted to a Tor website meaning that it is not accessible to the general public, as well as to peer-to-peer networks such as BitTorrent. However, details are starting to leak onto the open web via screenshots on social media.
Analysis of the cache has also uncovered a number of government and military email domains. For example one researcher said that over 6,000 of the email addresses were registered as us.army.mil.
“The website has found 1,716 email addresses from universities and further education colleges using the .ac.uk suffix; 124 using .gov.uk; 92 using .mod.uk; 65 local education authorities and schools using .sch.uk; 56 National Heath Service emails and less than 50 police emails,” reported The Telegraph.
Meanwhile, security blogger Robert Graham searched the database to determine the gender balance.
“I count 28 million men to five million women, according to the ‘gender’ field in the database (with two million undetermined). However, glancing through the credit card transactions, I find only male names,” he said.
The Ashley Madison hack is bigger in scale than the recent breach at the US Office of Personnel Management that resulted in the loss of 21 million federal records. V3-UK
A few days later, the hackers posted a second data dump of 20 gigabytes. These were all internal records of Avid Life Media. This data breech was code of the websites, Google drives of managers, emails, and other internal documents. The Sony data breech was larger in terms of size of the data files but in terms of names this is the biggest in the world.
As a result of the data breech, two people listed on the website have reportedly committed suicide. This from the police news conference mentioned earlier. Their spokesman is Mr. Bryce Evans.
Mr. Evans also said that the police have received two unconfirmed reports of suicides related to the data breach. Security experts had warned the revelations contained in the breach could lead to suicide and violence.
“Others might find the thought that their membership of the site — even if they never met anyone in real life, and never had an affair — too much to bear,” Graham Cluley wrote on his security blog last week, “and there could be genuine casualties as a result. And yes, I mean suicide.” New York Times
Hack Touches Virtually All of the United States
Gawker’s Gabrielle Bluestone has uncovered that there are precisely three ZIP codes across the country that have no record of Ashley Madison users. That’s ZIP codes, not area codes. And what do they have in common? They’re partially lacking two things: the internet and a large number of people. Yahoo Finance
Doriana Silva
Thus far we have learned that there are roughly six men for each woman listed on the website. However, the number of women is a matter of some dispute. Many of the female profiles on the website are reportedly fake. Some of the male profiles are also fraudulent.
In 2012, Doriana Silva filed a lawsuit that was later thrown out. Her claim of fraudulent profiles is receiving renewed media interest in the wake of this hack. Below are portions of a news article from New Zealand.
Doriana Silva
A former employee of the Ashley Madison adultery website has claimed she was told to create hundreds of fake profiles of female “members” to entice men to join up.
Doriana Silva, who worked at the company’s headquarters in Toronto, Canada, tried to sue the firm after claiming she suffered repetitive strain injury (RSI) after being given a month to input 1,000 bogus memberships.
Ms Silva, who is Brazilian, was recruited by Ashley Madison’s parent company Avid Life Media to help launch a Portuguese language website in her home country.
According to court documents in Toronto: “Her allegation is that her job entailed concocting phony profiles of alluring females and inputting these profiles into the appellants’ online dating service in order to attract male subscribers.”
She claimed she was given three weeks to create 1,000 fake profiles.
Her claim stated: “The purpose of these profiles is to entice paying heterosexual male members to join and spend money on the website.
“They do not belong to any genuine members of Ashley Madison – or any real human beings at all.”
She said she was led to believe “that doing so was some sort of a normal business practice in the industry” but found her workplace “oppressive and unethical”.
Ms Silva launched the case in 2012, claiming £10 million in damages. Avid Life counter-sued her, denying her claims, and the two sides eventually agreed to drop their cases earlier this year.
Ashley Madison claims to have 1.2 million users in the UK, which would equate to almost one in 20 of all adults between the ages of 18 and 50. Increasing numbers of supposed members whose details have been published online by hackers say they had never even heard of Ashley Madison.
Online security experts have suggested the company could have bought bulk email addresses from marketing companies to make it appear that their membership – and their choice of possible partners – was far larger than the reality.
A source close to the FBI investigation into the leak has told The Daily Telegraph that examinations of the database suggest many of the female profiles on the site were created by a relatively small number of individuals.
Ashley Madison says on its website that it cannot “guarantee the authenticity of any profile”. It relies wholly on men for its profits; women can join for free, but men pay a minimum of £39 to be able to contact other members, though there is no guarantee that they will get a response from people they message.
Peter Sommer, a visiting professor at the De Montfort University Cyber Security Centre, said: “A number of internet dating agencies are known to artificially boost the number of profiles they have in order to make them more attractive.
“They take publicly available information from other databases and added it to their own. People then pay to be able to contact other ‘members’ and it’s not until they get to that stage that they realise a lot of them are duds.”
Bulk email addresses can be bought from marketing companies for as little as 10p each. New Zealand Herald
Identity Theft
Another possible explanation is that people using the site have simply stolen other people’s email addresses so they do not have to give their own name. People can even browse the site using entirely fake email addresses, because no verification emails are sent out by Ashley Madison to check the email is genuine.
Among those who believe they may have been the victims of identity theft is Oliver Coppard, who stood as Labour’s parliamentary candidate in Sheffield Hallam against Nick Clegg earlier this year.
He said an email address for him that appears in the leaked data is one he has not used for three years.
“It’s a bit of a mystery to me,” he said. “I have never been on the site and I’m not even married so I would have no need to use it. It doesn’t really matter to me, but I don’t know how it has happened.”
Please be aware that this hack is creating a secondary market in scammers and malware sites.
Remember that email addresses are not verified by Ashley Madison so tread lightly before accusing folks of being actual clients. There is a chance they are innocent.
For a business that is predicated on secrecy and then is hacked with the outpouring of personal details then it no longer becomes a viable business. New Zealand Herald
