The hack of adultery website Ashley Madison highlights yet another data breach risk: blackmail.
A hacker or hackers known as The Impact Team claimed to be behind the attack on Ashley Madison—whose tagline is "Life is short. Have an affair"—and partner sites Cougar Life and Established Men. According to Krebs on Security, which first reported the breach Sunday, hackers have already published bits of the stolen data, including information on the site's more than 37 million users.
Early Monday, Avid Life Media, the Toronto-based parent company of Ashley Madison, told CNBC it has taken down all the personal information hackers posted online. "Our team of forensics experts and security professionals, in addition to law enforcement, are continuing to investigate this incident and we will continue to provide updates as they become available," Avid Life Media said in an emailed statement.
But in a manifesto excerpted on Krebs on Security, the hackers threatened to release more—including users' sexual fantasies, nude pictures, site conversations and real names and addresses—if Avid Life Media does not shut down Ashley Madison and Established Men. "A significant percentage of the population is about to have a very bad day, including many rich and powerful people," the hackers wrote.
A bad day may be underestimating the potential impact. "You could really ruin someone's life," said Chase Cunningham, threat intelligence chief at cloud-computing company FireHost.
"Without question, this is incredibly valuable information," said J.J. Thompson, founder and chief executive of Rook Security, an IT security firm. "[Site users] are now vulnerable to a significant secret." Even if the information is taken down quickly, it could easily be used as leverage not just for financial gain, but to influence decisions by any of those victims in positions of power, he said.
Average consumers have marginally less to worry about. "Unless you're a really high profile individual … it's pretty unlikely that anyone is going to come and take the time and blackmail you because you used the site," said Geoff Webb, senior director of solution strategy for security management firm NetIQ. "For an individual user, it's embarrassment more than anything."
The bigger risk is that people those users know might search any public information dumps to see if they have friends, co-workers or spouses among the site users. "That would still be a very awkward conversation to have," he said. Use of the site could also come back to hurt consumers in, say, divorce or custody proceedings, said Thompson. "Everything is leverageable by the right person who is looking for the right thing," he said.
But even consumers who aren't hunting for affairs online can take a few lessons from this breach, experts say. Notably, "stuff that's online is pretty much not private, no matter what you might hope or think or wish for," said Webb. Old records, like transactions and account details, remain in company databases long after you've deleted an account, he said, because the company needs them for tax and other business purposes.
"There used to be an old saying that everybody ends up naked on the Internet at some point," said Webb. Although that was meant figuratively, consumers should realize that any online activity has the potential to become public.
Consumers also tend to be focused on the financial repercussions, to the extent that in a recent MasterCard survey, 55 percent of people said they would rather have nude pictures of them leaked online than have their financial information stolen. Stolen information can be used in myriad ways, however—a health insurance hack might publicize health conditions or a stint in rehab, for example, while bank breaches could disclose how much credit card debt you have.
"A lot of people are numb to the data breach stuff that's happening, because it's so regular," said Cunningham. "But they're not thinking about the implications of the data that's being taken."