The Official Site of the Vancouver Canucks
Canucks Community

Ashley Madison hacked, personal information leaked


Mr. Ambien


It's funny to see all the law enforcement agencies take action over this all of a sudden.

I'm willing to bet there's quite a few politicians and powerful people on this list that the cops will be ordered to protect.

My take 100%. I also suspect there is some shoulder rubbing between Avid Life Media and the establishment.

I don't necessarily condone the action of the hacker(s) as I believe their action is malicious in nature, but I also do not support Avid Life's (and the Toronto Police's, if I'm not mistaken) bounty(s) to hunt this guy down either. ALM messed up, own it like a man and pay for the class action lawsuits and compensate your members whose lives are ruined thanks to your crap security instead of sneaking around issuing bounty and looking for vengeance.


So there's a $500k bounty on the hackers now haha.

Here's some pretty fascinating detective work suggesting one of them is an Aussie living (possibly past tense) in Canada:

http://krebsonsecurity.com/2015/08/who-hacked-ashley-madison/

26
Aug 15

Who Hacked Ashley Madison?

AshleyMadison.com, a site that helps married people cheat and whose slogan is “Life is Short, have an Affair,” recently put up a half million (Canadian) dollar bounty for information leading to the arrest and prosecution of the Impact Team — the name chosen by the hacker(s) who recently leaked data on more than 30 million Ashley Madison users. Here is the first of likely several posts examining individuals who appear to be closely connected to this attack.

It was just past midnight on July 20, a few hours after I’d published an exclusive story about hackers breaking into AshleyMadison.com. I was getting ready to turn in for the evening when I spotted a re-tweet from a Twitter user named Thadeus Zu (@deuszu) who’d just posted a link to the same cache of data that had been confidentially shared with me by the Impact Team via the contact form on my site just hours earlier: It was a link to the proprietary source code for Ashley Madison’s service.

Initially, that tweet startled me because I couldn’t find any other sites online that were actually linking to that source code cache. I began looking through his past tweets and noticed some interesting messages, but soon enough other news events took precedence and I forgot about the tweet.

I revisited Zu’s tweet stream again this week after watching a press conference held by the Toronto Police (where Avid Life Media, the parent company of Ashley Madison, is based). The Toronto cops mostly recapped the timeline of known events in the hack, but they did add one new wrinkle: They said Avid Life employees first learned about the breach on July 12 (seven days before my initial story) when they came into work, turned on their computers and saw a threatening message from the Impact Team accompanied by the anthem “Thunderstruck” by Australian rock band AC/DC playing in the background.

After writing up a piece on the bounty offer, I went back and downloaded all five years’ worth of tweets from Thadeus Zu, a massively prolific Twitter user who typically tweets hundreds if not thousands of messages per month. Zu’s early years on Twitter are a catalog of simple hacks — commandeering unsecured routers, wireless cameras and printers — as well as many, many Web site defacements.

On the defacement front, Zu focused heavily on government Web sites in Asia, Europe and the United States, and in several cases even taunted his targets. On Aug. 4, 2012, he tweeted to KPN-CERT, a computer security incident response team in the Netherlands, to alert the group that he’d hacked their site. “Next time, it will be Thunderstruck. #ACDC” Zu wrote.

The day before, he’d compromised the Web site for the Australian Parliament, taunting lawmakers there with the tweet: “Parliament of Australia bit.ly/NPQdsP Oi! Oi! Oi!….T.N.T. Dynamite! Listen to ACDC here.”

I began to get very curious about whether there were any signs on or before July 19, 2015 that Zu was tweeting about ACDC in relation to the Ashley Madison hack. Sure enough: At 9:40 a.m., July 19, 2015 — nearly 12 hours before I would first be contacted by the Impact Team — we can see Zu is feverishly tweeting to several people about setting up “replication servers” to “get the show started.” Can you spot what’s interesting in the tabs on his browser in the screenshot he tweeted that morning?


Twitter user ThadeusZu tweets about setting up replication servers. Did you spot the Youtube video he’s playing when he took this screenshot?

Ten points if you noticed the Youtube.com tab showing that he’s listening to AC/DC’s “Thunderstruck.”

A week ago, the news media pounced on the Ashley Madison story once again, roughly 24 hours after the hackers made good on their threat to release the Ashley Madison user database. I went back and examined Zu’s tweet stream around that time and found he beat Wired.com, ArsTechnica.com and every other news media outlet by more than 24 hours with the Aug. 17 tweet, “Times up,” which linked to the Impact Team’s now infamous post listing the sites where anyone could download the stolen Ashley Madison user database.


ThadeusZu tweeted about the downloadable Ashley Madison data more than 24 hours before news outlets picked up on the cache.

WHO IS THADEUS ZU?

As with the social networking profiles of others who’ve been tied to high-profile cybercrimes, Zu’s online utterings appear to be filled with kernels of truth surrounded by complete malarkey– thus making it challenging to separate fact from fiction. Hence, all of this could be just one big joke by Zu and his buddies. In any case, here are a few key observations about the who, what and where of Thadeus Zu based on information he’s provided (again, take that for what it’s worth).

Zu’s Facebook profile wants visitors to think he lives in Hawaii; indeed, the time zone set on several of his social media accounts is the same as Hawaii. There are a few third-party Facebook accounts of people demonstrably living in Hawaii who tag him in their personal photos of events on Hawaii (see this cached photo, for example), but for the most part Zu’s Facebook account consists of pictures taken from stock image collections and do not appear to be personal photos of any kind.

A few tweets from Zu — if truthful and not simply premeditated misdirection — indicate that he lived in Canada for at least a year, although it’s unclear when this visit occurred.

Zu’s various Twitter and Facebook pictures all feature hulking, athletic, and apparently black male models (e.g. he’s appropriated two profile photos of male model Rob Evans). But Zu’s real-life identity remains murky at best. The lone exception I found was an image that appears to be a genuine group photo taken of a Facebook user tagged as Thadeus Zu, along with an unnamed man posing in front of a tattoo store with popular Australian (and very inked) model/nightclub DJ Ruby Rose.

That photo is no longer listed in Rose’s Facebook profile, but a cached version of it is available here. Rose’s tour schedule indicates that she was in New York City when that photo was taken, or at least posted, on Feb. 6, 2014. Zu is tagged in another Ruby Rose Facebook post five days later on Valentine’s Day. (Update, 2:56 p.m.: As several readers have pointed out, the two people beside Rose in that cached photo appear to be Franz Dremah and Kick Gurry, co-stars in the movie Edge of Tomorrow.)

Other clues in his tweet stream and social media accounts put Zu in Australia. Zu has a Twitter account under the Twitter nick @ThadeusZu, which has a whopping 11 tweets, but seems rather to have been used as a news feed. In that account Zu is following some 35 Twitter accounts, and the majority of them are various Australian news organizations. That account also is following several Australian lawmakers that govern states in south Australia.

Then again, Twitter auto-suggests popular accounts for new users to follow, and usually does so in part based on the Internet address of the user. As such, @ThadeusZu may have only been using an Australian Web proxy or a Tor node in Australia when he set up that account (several of his self-published screen shots indicate that he regularly uses Tor to obfuscate his Internet address).

Even so, many of Zu’s tweets going back several years place him in Australia as well, although this may also be intentional misdirection. He continuously references his “Oz girl,” (“Oz” is another word for Australia) uses the greeting “cheers” quite a bit, and even talks about people visiting him in Oz.

Interestingly, for someone apparently so caught up in exposing hypocrisy and so close to the Ashley Madison hack, Zu appears to have himself courted a married woman — at least according to his own tweets. On January 5, 2014, Zu tweeted:

“Everything is cool. Getting married this year. I am just waiting for my girl to divorce her husband. #seachange”


A month later, on Feb. 7, 2014, Zu offered this tidbit of info:

“My ex. We were supposed to get married 8 years ago but she was taken away from me. Cancer. Hence, my downward spiral into mayhem.”


To say that Zu tweets to others is a bit of a misstatement. I have never seen anyone tweet the way Zu does; he sends hundreds of tweets each day, and while most of them appear to be directed at nobody, it does seem that they are in response to (if not in “reply” to) tweets that others have sent him or made about his work. Consequently, his tweet stream appears to the casual observer to be nothing more than an endless soliloquy.

But there may be something else going on here. It is possible that Zu’s approach to tweeting — that is, responding to or addressing other Twitter users without invoking the intended recipient’s Twitter handle — is something of a security precaution. After all, he had to know and even expect that security researchers would try to reconstruct his conversations after the fact. But this is far more difficult to do when the Twitter user in question never actually participates in threaded conversations. People who engage in this way of tweeting also do not readily reveal the Twitter identities of the people with whom they chat most.

Thadeus Zu — whoever and wherever he is in real life — may not have been directly involved in the Ashley Madison hack; he claims in several tweets that he was not part of the hack, but then in countless tweets he uses the royal “We” when discussing the actions and motivations of the Impact Team. I attempted to engage Zu in private conversations without success; he has yet to respond to my invitations.

It is possible that Zu is instead a white hat security researcher or confidential informant who has infiltrated the Impact Team and is merely riding on their coattails or acting as their mouthpiece. But one thing is clear: If Zu wasn’t involved in the hack, he almost certainly knows who was.

KrebsOnSecurity is grateful to several researchers, including Nick Weaver, for their assistance and time spent indexing, mining and making sense of tweets and social media accounts mentioned in this post. Others who helped have asked to remain anonymous. Weaver has published some additional thoughts on this post over at Medium.


Who cares what they do in their personal life? Some of the best people I know have made a mess of their personal lives......no bearing on the rest of their lives. Sex is just sex, people need to quit putting it up on a pedestal.

It is not just about the sex, it is about trust.

Trust is one of the key ingredients in any relationship, be it with your partner or a friend.

I ask myself if the person is willing to betray the trust of one of the people they are meant to love the most what else are they capable of.


It is not just about the sex, it is about trust.

Trust is one of the key ingredients in any relationship, be it with your partner or a friend.

I ask myself if the person is willing to betray the trust of one of the people they are meant to love the most what else are they capable of.

Bs


Bs

Nope, but I find your argument to be.

We have many primal instincts but that doesn't mean you just go for it, without regard of consequences or others.

And it's not about being holier than thou....because your attitude comes off as such quite honestly. It's about looking outside of "self" and our own needs and feelings to include those of others. That's just showing a tendency to be more selfless than selfish. I guess whatever floats your boat, but don't pretend that others have it wrong as a result. Most people tend to think of cheating as dishonest and that's nothing to really brag about or condone.

Even as kids, "urges" are curbed if they involve hurting others...no reason that should change as adults.

When you're hungry, you don't walk into a restaurant from the street and just eat someone's food from their table, despite the urge to eat. You don't just defecate on the sidewalk when you feel the need to go. So we resist urges until we find an appropriate way to attend to them in most instances. Not sure your argument isn't BS.


While everyone is arguing about the ethics of it all ... Avid Life managed to divert people's attention to the real problem of the website ... :lol::lol:::D::D

Conclusion to the following article

Either way, we’re left with data that suggests Ashley Madison is a site where tens of millions of men write mail, chat, and spend money for women who aren’t there.

From - http://gizmodo.com/almost-none-of-the-women-in-the-ashley-madison-database-1725558944

Almost None of the Women in the Ashley Madison Database Ever Used the Site

What I discovered was that the world of Ashley Madison was a far more dystopian place than anyone had realized. This isn’t a debauched wonderland of men cheating on their wives. It isn’t even a sadscape of 31 million men competing to attract those 5.5 million women in the database. Instead, it’s like a science fictional future where every woman on Earth is dead, and some Dilbert-like engineer has replaced them with badly-designed robots.
Those millions of Ashley Madison men were paying to hook up with women who appeared to have created profiles and then simply disappeared. Were they cobbled together by bots and bored admins, or just user debris? Whatever the answer, the more I examined those 5.5 million female profiles, the more obvious it became that none of them had ever talked to men on the site, or even used the site at all after creating a profile. Actually, scratch that. As I’ll explain below, there’s a good chance that about 12,000 of the profiles out of millions belonged to actual, real women who were active users of Ashley Madison.
Nobody disputed the dramatic gender disparity in the Ashley Madison user base, including the company itself. 5.5 million profiles are marked “female” in a database of roughly 37 million people.

Bs

Man if you want to hook up with a bunch of people just do that. Don't get into a monogamous relationship. It's pretty easy these days and widely accepted.

But the minute you tell someone you're committed to them and then you go behind their back and cheat on them, then it becomes a problem due to the dishonesty involved.


Nope, but I find your argument to be.

We have many primal instincts but that doesn't mean you just go for it, without regard of consequences or others.

And it's not about being holier than thou....because your attitude comes off as such quite honestly. It's about looking outside of "self" and our own needs and feelings to include those of others. That's just showing a tendency to be more selfless than selfish. I guess whatever floats your boat, but don't pretend that others have it wrong as a result. Most people tend to think of cheating as dishonest and that's nothing to really brag about or condone.

Even as kids, "urges" are curbed if they involve hurting others...no reason that should change as adults.

When you're hungry, you don't walk into a restaurant from the street and just eat someone's food from their table, despite the urge to eat. You don't just defecate on the sidewalk when you feel the need to go. So we resist urges until we find an appropriate way to attend to them in most instances. Not sure your argument isn't BS.

Shocking


While everyone is arguing about the ethics of it all ... Avid Life managed to divert people's attention to the real problem of the website ... :lol::lol:::D::D

Conclusion to the following article

Either way, we’re left with data that suggests Ashley Madison is a site where tens of millions of men write mail, chat, and spend money for women who aren’t there.

From - http://gizmodo.com/almost-none-of-the-women-in-the-ashley-madison-database-1725558944

Almost None of the Women in the Ashley Madison Database Ever Used the Site

What I discovered was that the world of Ashley Madison was a far more dystopian place than anyone had realized. This isn’t a debauched wonderland of men cheating on their wives. It isn’t even a sadscape of 31 million men competing to attract those 5.5 million women in the database. Instead, it’s like a science fictional future where every woman on Earth is dead, and some Dilbert-like engineer has replaced them with badly-designed robots.

Those millions of Ashley Madison men were paying to hook up with women who appeared to have created profiles and then simply disappeared. Were they cobbled together by bots and bored admins, or just user debris? Whatever the answer, the more I examined those 5.5 million female profiles, the more obvious it became that none of them had ever talked to men on the site, or even used the site at all after creating a profile. Actually, scratch that. As I’ll explain below, there’s a good chance that about 12,000 of the profiles out of millions belonged to actual, real women who were active users of Ashley Madison.

Nobody disputed the dramatic gender disparity in the Ashley Madison user base, including the company itself. 5.5 million profiles are marked “female” in a database of roughly 37 million people.

Scam site was scammed.

The funny thing is, it's likely those posters you'd think are "cheaters" are actually kids who aren't even old enough to date.

Kids are dating as young as toddlers (play dates). Just saiyan.


Seems a bit of karma in this too..

Ashley Madison Leak Reveals Its Ex-CTO Hacked Competing Site

While Ashley Madison and its parent company grapple with fallout from the recent hack of its network, emails released in the latest hacking leak indicate that the company’s own former CTO may have hacked a competing dating site.

According to an email exchange in November 2012, Ashley Madison’s one-time CTO told colleagues, including the CEO of parent company Avid Life Media, that he had found a security hole in the web site of Nerve.com and used it to exfiltrate the competitor’s entire database. He also indicated that he had the ability to alter records in the database.

“They did a very lousy job building their platform. I got their entire user base,” Raja Bhatia wrote Noel Biderman, CEO of Avid Life Media, Ashley Madison’s parent company, and Rizwan Jiwan, the company’s chief operating officer. “Also, I can turn any non paying user into a paying user, vice versa, compose messages between users, check unread stats, etc.”

Bhatia had been the founding CTO of Avid Life Media, but was no longer associated with the company at the time he sent the email to Biderman and Jiwan. According to his Angel List page, he was CTO for ALM from 2007 to 2010.

He noted in the email that he had posted a sample of the stolen database to a GitHub account and included a link to the GitHub site, although that post is no longer available online.

Six months later, in May 2013, Biderman discussed whether he should disclose the vulnerability to Nerve.com.

“Should I tell them of their security hole?” he wrote Bhatia. There is no apparent response among the leaked emails.

Although the emails discuss setting up a phone call with Nerve.com, it’s not clear if ALM did disclose the vulnerability.

Neither Avid Life Media nor Bhatia responded to a request for comment from WIRED.

If Bhatia did in fact hack Nerve.com and exfiltrate its database, he could be criminally charged with unauthorized access under the Computer Fraud and Abuse Act. There is also great irony in Bhatia discussing a vulnerability in Nerve.com’s web site, since other emails show that he was aware that AshleyMadison.com had security problems of its own—issues that the Impact Team, which has taken credit for the company’s recent hack, exploited.

“With what we inherited with Ashley[Madison.com], security was an obvious afterthought, and I didn’t focus on it either,” Bhatia wrote in an email in early 2012, months before he disclosed finding the vulnerability in Nerve.com’s web site. “I am pretty sure we stored passwords without any cryptography so a database leak would expose all account credentials.”

In that email, Bhatia was responding to news of another hack that had recently targeted Grindr, a dating app aimed at gay and bisexual men.

Despite an awareness of ALM’s own vulnerabilities, CEO Biderman saw the downfall of competitors as an opportunity to promote himself and his business. “It would be huge if we could get me on as a commentator on this,” Biderman wrote after Snapchat was attacked in 2014.

In 2012, Nerve.com had a dating platform that ALM considered purchasing. Nerve’s CEO was Sean Mills, who had previously been president of The Onion satirical news site and is currently head of original content for Snapchat.

From looking at the emails in the recent data dump, it’s clear that ALM considered buying Nerve. The email chain indicates that ALM began considering the purchase after Rufus Griscom, a VP with Babble.com, sent Biderman an email in June 2012 suggesting it.

“Several years ago I spoke with Glenn Graff about his interest in buying Nerve on behalf of Avid Life,” Griscom wrote. “Not sure where you guys are today, but I think this could be pretty interesting for you to have a look at. Sean has created a very innovative dating platform, and leaving that aside the site has 1.4 million high value, organic uniques (about 50/50 men/women) and there is a lot brand loyalty out there.”

In April, someone else contacted Biderman, asking if he was interested in buying Nerve. He wrote back saying “They reached out to us a couple of times – not sure we are the best buyer for Nerve given what we focus on these days.”

A month later, however, Biderman and others were exchanging emails about Nerve.com and Flirts.com.

“Enclosed are the traffic and audience overviews for the second offering (Nerve.com),” Christian Kalled wrote in an email to Leonard Latchman of LDL. “As for Flirts.com, our working valuation for the URL and non-exclusive TM license is $300,000 USD.”

Latchman wrote back asking about setting up a meeting with “the insurance guys.” That email appeared in a thread in which Lachtman asked about setting up a video call, presumably with Nerve.com. Biderman sent Bhatia a separate email asking, “Should I tell them of their security hole?”

http://www.wired.com/2015/08/ashley-madison-leak-reveals-ex-cto-hacked-competing-site/


Archived

This topic is now archived and is closed to further replies.
