Ashley Madison hack: Data for removed profiles 'remains in leaked database' despite $19 delete fee
As details about 37 million users of adultery website Ashley Madison emerge from a hack, many are looking to check whether the site's $19 "delete everything" service worked. The site was hacked more than a month ago by a group called Impact Team, who wanted it and others run by parent company Avid Life Media (ALM) shut down.
Details of the site's 36m users — including email addresses, home addresses, and other identifiers — were dumped in a 9.7-gigabyte data file 19 August after those demands were not met. "No current or past members' full credit card numbers were stolen from Avid Life Media," the firm said in a statement.
Now a slide found in those files reveals the firm made $1.7m (£1m, €1.5m) in 2014 from its "full delete" service. For $19 the service promised customers to "remove all traces" of their usage of the site. The value calculated by the company shown in the "strictly confidential" slides suggests roughly 90,000 users paid for the service last year.
"Users of the service want full discretion" it reads. "They can pay to eliminate any trace of themselves from the site." Impact Team, however, indicates that remnant details of deleted profiles can still be found in amongst the other active profiles in the data release.
"Full Delete netted ALM $1.7m in revenue in 2014. It's also a complete lie," Impact Team wrote in a note posted online. "Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed."
Yet in a question and answer session posted on Reddit on 20 July following the announcement of the hack, a former ALM employee denies any trace of the data was left after customers used the full delete service.
"The whole reason the Full Delete option was introduced is because simply deleting your profile didn't remove your information from our back end," wrote the former employee. "If someone purchases the Full Delete option, we had NO record of them in our system. It was literally like you never existed on the site or our back end."
In an interview with former Washington Post staffer, turned security blogger, Brian Krebs on 15 July, Ashley Madison CEO Noel Biderman said he believes the hack is an inside job. "It was definitely a person here that was not an employee but certainly had touched our technical services," he said. "We're on the doorstep of [confirming] who we believe is the culprit, and unfortunately that may have triggered this mass publication. I've got their profile right in front of me, all their work credentials".
Biderman said on 18 August that ALM's investigation is still ongoing and that the company is cooperating with the FBI and Canadian police forces.
© Copyright IBTimes 2024. All rights reserved.