Scammers have found a new way to wring money out of unsuspecting victims of the 2015 breach of the Ashley Madison affair-dating website, by using their stolen credentials in an amped-up version of the common "sextortion" scam.
Researchers at email security company Vade Secure found the new scam earlier this year, when they saw a small number of targeted emails with apparent information from Ashley Madison breach victims. The scam emails seemed to be well researched, with not just the users' email addresses but information like when the victim signed up, their username, and their interests they entered on the site, said Adrien Gendre, chief product officer for Vade Secure.
The threats are a worrying evolution of the sextortion scam because they appear to incorporate real information.
In the most typical version of sextortion, fraudsters make dubious, fictional claims about you via email. They say they've recorded you in a compromising position through your computer or that they have pictures of an alleged affair you are having. In those cases, the criminals blast out thousands of similar-sounding emails in hopes of persuading just one person to fall for the trick and make a requested extortion payment. The recordings and affairs are almost always nonexistent.
But in the new Ashley Madison cases, Gendre said the scammers are using carefully selected information that appear to be from real Ashley Madison subscribers, and piecing that information into more precisely targeted emails to those individuals. The ransomers then demand around $1,000 in bitcoin to keep the information silent. The grain of truth to their pitch sets the scam apart.
Gendre said he's particularly concerned because the Ashley Madison breach affected individuals with corporate and government email addresses, which could make them particularly susceptible to paying the bribe. Vade is not able to observe how many people have paid the attackers, Gendre said.
In July 2015, scammers calling themselves the "Impact Team" stole around 60 gigabytes of personal information from the website, which bills itself as a matchmaking service for married or committed individuals who want to have an affair. The information was later released publicly on the internet.
The scammers claimed they were stealing and releasing the data as retribution against Ashley Madison site owner Avid Life Media, based in Canada, for deceptively using bots to pose as real women on the dating website. An analysis by Gizmodo later revealed that only around 1% of the registered female accounts on Ashley Madison at the time of the breach belonged to active users.
The Ashley Madison breach was unusually psychologically harmful for a cyber-intrusion, given the nature of the site and the consequences to its users. At least three suicides were attributed to the leaked information, two in Canada and one in the United States.
In 2017, Ashley Madison's new owners, Ruby Media, settled a class action lawsuit over the lost personal information for $11.2 million.
If you were in any way affected by the Ashley Madison breach in 2015, first take a deep breath.
The vast majority of users, based on the gender disparity research, almost certainly never met someone with whom they had an affair. The site seems to have been used more as a lighthearted fantasy exercise. But if you are overly concerned about your use of it and how that information may still affect your life, seek the help of a professional. And if you ever have any thoughts of ending your life because of your participation in the site, please call the national suicide prevention hotline at 1-800-273-8255.
Indeed, the new Ashley Madison scammers capitalize on these fears: "FOR ALL YOUR FAMILY AND FRIENDS?" one message reads. "Of all the private massages [SIC] you sent to members, the reply you sent on Sunday July 31, 2011 was the best. Perv!"
"For those who get the email, what they should do is never give in to the trick," Gendre said. "Never pay, whatever the rate. First, because you are not even sure if they will spend the time to release the information. And then, because you may just become a victim again. It's never worth it."
You can also report any attempts at cyber-extortion to the FBI's Internet Crime Complaint Center (known as IC3) or to your police department.