Tech by VICE

Why You Can't Buy Ashley Madison Credit Card Data on the Dark Web

A cybersecurity company is making some wrong claims.

by Joseph Cox
Sep 3 2015, 5:47pm


After the Ashley Madison hack, the CEO of the site's parent company resigned, and criminals started extortion campaigns against users of the site. But, according to one cybersecurity company, crooks might even going so far as to sell credit cards and PayPal accounts from Ashley Madison users on the dark web, despite the dump not containing either of those things.

"Hey GUYS !" an advert allegedly on a dark web forum reads. "I've recently got in a possession of over 100k cc [credit card] data and paypals from Ashled Madison website."

The advert was forwarded to Motherboard by Trustev, a security company that aims to protect banks and merchants from ecommerce fraud, whose CMO, Rurik Bradbury, described the dark web as "a kind of 'Star Wars'" bar of shady characters around the world," in a phone interview with Motherboard.

It's worth remembering that full credit card data was not present in the dump of Ashley Madison customer data. Instead, only the last four digits of a customer's card were included in numerous sheets detailing transactions on the site.

Trustev thinks that the Ashley Madison hack will result in a loss of $480 million

As for how this dark web criminal could possibly be selling data that didn't exist in the dump, Trustev said that the Ashley Madison leak "gives fraudsters a cross-referencing tool to put together pieces with the Home Depot and Target hacks." This, he said, when combined with other information in the dump such as full name and address, would be "enough to start to open lines of credit, things like that."

Bradbury acknowledged that the advert might not be totally legitimate, but added that "it's also inevitable that people will put together the pieces."

When asked how PayPal accounts, which the advert was also showcasing, could have been accessed, Bradbury said "I'm not sure. That seems rather mysterious," as if whipping up physical credit cards from thin air wasn't already magical enough, although Bradbury pointed out that lots of people used shared passwords. (The passwords in the Ashley Madison data were relatively well protected, with the hashing function bcrypt).

In all, based on the 2.4 million pieces of partial credit card data in the dump, Trustev thinks that the Ashley Madison hack will result in a loss of $480 million to banks and merchants, a truly staggering number that has absolutely no evidence to support it.

It's likely that criminals will continue to find ways to exploit the Ashley Madison customer data, and maybe Bradbury is right that it could be used for identity theft. But conjuring one hundred thousand credit cards, from a dump that didn't contain that information, is a truly bizarre claim to make.

Correction: Originally, this article said the $480 million figure was related to consumers. Bradbury clarified that, instead, it was concerning "banks and merchants over a period of time."