Ashley Madison hack: Former executive of infidelity website 'accessed rival firm's database'

Raja Bhatia 'told colleagues' that he had found a security hole in Nerve.com

Click to follow
The Independent Tech

A former Ashley Madison senior executive allegedly accessed a rival dating firm's database, including its complete list of users, according to US media reports of emails released in the latest hacking leak surrounding the adultery website.

Emails reportedly sent from its founding Chief Technology Officer, Raja Bhatia, told colleagues that he had uncovered a security hole in Nerve.com, an American online magazine dedicated to sexual topics, relationships and culture, and used it to access the competitor’s entire database. Mr Bhatia also reportedly suggested he had the ability to download and manipulate records in the database.

“They did a very lousy job building their platform. I got their entire user base,” Mr Bhatia is alleged to have emailed Noel Biderman, CEO of Ashley Madison’s Canadian-based parent company Avid Life Media (ALM) and Rizwan Jiwan, the company’s Chief Operating Officer in November 2012.

The email is further alleged to claim: “Also, I can turn any non-paying user into a paying user, vice versa, compose messages between users, check unread stats, etc.”

In May 2013, Mr Biderman reportedly asked whether he should tell the rival company about their vulnerability.

“Should I tell them of their security hole?” he emailed Mr Bhatia whose response, if he gave one, is not among the leaked emails. It is unclear if ALM did disclose the vulnerability.

The Independent has approached Mr Bhatia, who was CTO from 2007 to 2010, and Avid Life Media for comment.

The purported emails from Mr Biderman run from January 2012 to 7 July 2015 — less than two weeks before hackers calling themselves the Impact Team publicised their infiltration with a warning to ALM it had one month to take down its infidelity websites. The hackers released details of 37 million Ashley Madison customer accounts last week in the first wave of an enormous data dump published on the ‘dark web’.

Toronto Police revealed at the weekend Ashley Madison employees discovered the breach on 12 July when they turned on their computers only to find their screens filled with a diatribe from the Impact Team with AC/DC’s Thunderstruck playing in the background.

Ashley Madison has refused to confirm the legitimacy of the hacked data. It condemned the “criminal breach” and has offered a $500,000 reward for information leading to the arrest and prosecution of those responsible. Two recent suicides have been linked to the hacking while at least five law suits have been filed by customers seeking more than $500m damages for “emotional distress” suffered.

In a statement given to Vice, ALM said that the Biderman emails were “taken out of context” and that the interpretation that Mr Bhatia had hacked Nerve was “incorrect and unfortunate”.

It said: “Nerve was exploring strategic partnerships in May of 2012 and reached out to Noel to determine Avid Life Media’s interest in the property. At the time Noel did not act on that opportunity. In September PTC Advisors, representing Nerve, contacted Noel and provided a more detailed brief on the opportunity. This communique was followed by a number of conversations. Subsequently Noel contacted Raja Bhatia and asked for his assistance in conducting technical due diligence on the opportunity.

“This activity, while clumsily conducted, uncovered certain technology shortcomings which Noel attempted to understand and confirm. At no point was there an effort made to hack, steal or use Nerve.com’s proprietary data.”

Brian Kerbs, the IT security expert who revealed the Ashley Madison hack, wrote on his blog: “As bad as this breach has been for Ashley Madison and its millions of users, it’s likely nowhere near over.”

He cited further “sensitive information” within Mr Biderman’s email inbox including a 100-page movie script he co-wrote called ‘In Bed With Ashley Madison’ and his income statements from the last four years.

The Impact Team has also not yet released data from Establishedmen.com, the other ALM adult dating website property it claims to have hacked. It describes itself as a “sugar daddy” site connecting wealthy men with willing young women.

Comments