The digital innards of the extramarital dating site Ashley Madison, and its parent company Avid Life Media, are allegedly spewed all over the dark web for anyone to see. But according to an internal document, the company was already very paranoid about the possibility of being hacked and its customer details being dumped online, as well as a number of other potential threats.
In a file called "Areas of concern – customer data.docx," an unnamed employee at the company apparently lists technical issues that could lead to a data breach occurring, as well the legal problems that may come with that.
Under a section called "Data leak/threft issues [sic]," the author lists customer data being exposed by phishing or SQL injection being a possible problem, when malicious requests are punched into an entry field, typically in order to dump the site database. Another worries about remote code execution—when an attacker can run code on a victims computer over the internet—and one more points to employees being infected with malware, "allowing hackers access to our user data."
Finally, the document raises concerns over possible man-in-the-middle attacks, meaning that attackers could gather the company's credit card information.
It's not just stealing that Ashley Madison was paranoid about. It's also whether its customer data might be altered, or that malicious code could be directed against its users.
The other problems are mostly to do with potential downtime of the site's services, through errors or crashes, or even "Natural disaster leading to site outage."
It's important to point out that the document doesn't seem to say that any of these problems do indeed exist on AshleyMadison.com, or any other of the Avid Life Media sites, or that these were any of the methods used by the hackers who breached the company. Instead, it looks more like a check list for potential problems.
Another section details what someone might do if any of these problems did exist, or if the site did find itself the target of attackers. A "bad actor" creating accounts and crawling the site for user information is one, an employee running off with data and using it to blackmail is another. The document also points out that if a third party billing partner was hacked, it might lead to a compromise of Ashley Madison's own user data.
Finally, the author is worried about "A hacker or bad actor gaining access to our customer service gmail credentials gaining access to customer data."
As for what might come from all of this, one bullet point listed under "Legal/Compliance" cites "a data leak resulting in a class action lawsuit against us."
IAt this time, although Avid Life Media previously admitted that it had been hacked, the company has not yet confirmed that authenticity of these newly released documents. Ashley Madison did not immediately respond to a request for comment. (The company did issue a copyright takedown request related to the data, however, which would suggest it's real.)
Regardless, journalists, researchers, and undoubtedly criminals are poring over the data, which is now being hosted on multiple sites. The full fallout of the hack remains to be seen, but it's hard to imagine how anyone could trust Ashley Madison to keep their secrets, if the company can't look after its own.