Cyberwar (2016) s01e11 Episode Script

The Ashley Madison Hack

1 A website for cheaters gets hacked.
This hack is one of the largest data breaches in the world.
Private data is leaked online.
My secrets, which are stored on somebody's server somewhere, there's a real chance that they might become public, and that might have real consequences upon my life.
But what motivated the hackers? Who would hack into a company and do a data leak of this magnitude because they feel that they're ripping a customer off? And who's vows were broken? They figured out that there were 70,000 fembots on this site, and they were the women that were doing most of the chatter.
It was a company that embraced controversy from the very beginning.
For years, Toronto-based Avid Life Media was best known for its dating website, Ashley Madison.
The site was promoted as a place for married people looking for casual hook-ups with other married people.
Ashley Madison became really well known for its scandalous services, but also for its provocative ads, like this ridiculous example with an unforgettable jingle.
But in the summer of 2015, Ashley Madison, a site built entirely on the principle of cheating covertly, was hacked and exposed.
Everybody from the FBI and the Canadian Feds got involved, even the local Toronto cops.
On July 12th, when several Avid Life Media employees arrived at work and powered up their laptops, a threatening message popped up on their screens which was accompanied by the song "Thunderstruck" by AC/DC, which was playing.
The company had been hacked by a mysterious group who called themselves the Impact Team.
The hackers demanded that Avid Life Media shut down its sites right away and for good, or they would release customer records, profiles with all the customers secret sexual fantasies, credit card transactions, real names, and company emails.
At the time of the hack, Avid Life, the parent company of Ashley Madison, claimed millions of dollars in annual profits.
On the surface, it's a totally controversial company because it's designed to help people break their marriage vows.
But there's nothing illegal about that.
And it had 5 million members at the time, it was supposedly printing money.
Tom Watson is an investigative reporter who profiled Avid Life for Canadian Business Magazine.
That was back in 2010 when the company was trying to go public, which meant Avid Life Media needed to convince Canadian banks it was a solid investment for their customers.
Financial markets, investment bankers are not the moral compass of society, right? No.
No one looks to them to play that role.
And being a business journalist at the time, I wanted to look at it strictly from the standpoint of what's an investment banker supposed to do.
But, also being a journalist, I decided I should learn a bit more about the company.
So I signed up, and one of the first things I found was that not all women on the site were there just to break wedding vows.
Tom requested an interview with GMP, the lead bank preparing to back Avid Life.
The bankers agreed to chat, and he went to their office on a Friday afternoon.
And they sat down and their key messages were pretty clear.
"You know, Tom, we're an investment bank.
This is a banking opportunity, clear cut.
It's legal, you can make money.
We're bringing it forward to our clients.
" And so I said, "Okay, that's great.
That's what I expected you to say.
I just have one other question.
" And I read this posting that I had found on Ashley Madison from an 18-year-old student who basically said her mother's broke, her dad's a deadbeat, never met him.
She can't afford school, so if you're the kind of guy who wants to help me pay my bills, I can help you in other ways.
And the posting was pretty clear that it was in physical ways.
It's not two people breaking wedding vows.
It's financial gain for one, sex for the other.
And blood drained from the faces of the guys in the room.
At that point they called an end to the meeting.
And I got a call Monday morning, and they said that the deal was dead from their point of view.
Avid Life's lawyers denied the site was designed to promote prostitution.
But the IPO attempts still fell through, and the company still wanted to go public.
But at that point it was common knowledge that investing in Avid Life Media might be risky business.
When the first IPO blew up, it had 5 million members, and they were seen as a significant investment opportunity, but the brokers and deal-makers were afraid of them.
So how do you tackle that problem? Probably the best way to try again is to have more members.
To be even more of a good business case, right? The bigger the investment opportunity, the less people are worried about the risk, right? If you jump forward to when they were hacked, they had something like 37 million members.
In only a few years, Ashley Madison's membership skyrocketed, which in theory should draw in a new set of bankers to back an IPO.
But how had Ashley Madison lured in so many new customers so quickly? - Chris, how you doing? - Hi.
- Nice to meet you.
- Nice to meet you.
Chris Russell is one of the people who signed up for the site, and it really didn't take long for him to become a more than dissatisfied customer.
So out of all the dating sites you could have picked, why'd you pick Ashley Madison? It was a curiosity thing more then anything.
I was separated at the time.
I wasn't looking for a relationship.
Yeah, 'cause what attracted you to their website? - Was it just the fact - It was their advertising.
They made it sound like it was this discreet, active community of people, you know, meeting and hooking up and looking for each other.
And for a guy who's separated and looking for a casual thing, it's Right, you know.
it seems like the right spot to look.
So walk me through exactly what it was like to sign up for it.
It was basically free to set up a profile.
And then a couple days later, even the next day I wanna say, I started getting emails that this girl checked out your profile.
She's interested in you, or you know, you would get different things, and the picture would be blurred.
And if you want to talk to this person, you're gonna have to buy these tokens or credit.
So after a few days of that, I'm like, "Well, this is kind of hot.
Let me see what's going on here.
" Yeah.
So I went ahead and put in my credit card information, bought the tokens, tried to talk to people, but never got any response back.
Did you have any conversation with a real woman? Just once.
Chris is now part of a class action suit that accuses Avid Life Media of fraudulent and deceitful actions.
He's one of the few Ashley Madison users who was willing to put his name on the lawsuit and even appear on camera for us.
Just three months after he closed his account, Ashley Madison got hacked.
The hackers demanded that the parent company shut down its sites immediately and permanently.
That didn't happen, and a month later, the hackers released a message with the heading "Time's Up!" In that message, they claim to have, "explained the fraud, deceit, and stupidity of Avid Life Media and their members.
Now everyone gets to see their data.
" Over the next 5 days, the hackers posted links to download the data in three batches.
This hack is one of the largest data breaches in the world, and is very unique on it's own that it exposed tens of millions of people's personal information.
A third message was received wherein the Impact "Hey Noel, you can admit it's real now.
" In the summer of 2015, a group of hackers struck Avid Life Media, the parent company of Ashley Madison.
After breaking into the database of the dating site for cheating spouses, the hackers dumped a huge trove of embarrassing data.
37 million.
That's how many email addresses hackers may have released that allegedly belong to Ashley Madison customers the website that encourages customers to cheat on a spouse.
Life is short.
Have an affair.
Annalee Newitz is a journalist and author based in San Francisco.
She couldn't wait to get her hands on the Ashley Madison data.
Did that make you feel weird? You have all this personal data? I feel very protective of it.
Like I want to protect those people, and I wanna only understand them as anonymous blips and as patterns.
I wanted to reveal their behaviour only in this super anonymous way.
- It's super sad.
- It is.
You don't want anyone to be hurt by this stuff.
But Annalee's analysis of the data revealed something unexpected, and it wasn't about the people who signed up for the service.
It was starting to look like most of the female members of Ashley Madison were the creations of programmers.
In other words, they were essentially fembots.
So initially I believed, based on looking at the database, that there were basically zero women on the site.
And as the story evolved, and I got more data and looked through it more, it turned out that in fact there were some women.
They had about 5% real women.
But what became very interesting was when I figured out that there were 70,000 fembots on the site, and they were the women that were doing most of the chatter.
Ashley Madison isn't the first site to use fake women.
It's thought to be a widespread industry practice.
US regulators took action against another dating service for doing the same thing, and that company paid hundreds of thousands of dollars to settle the case.
But the sheer epic size of Ashley Madison's bot army dwarfed anything seen before.
So what were these bots actually doing? So Ashley Madison had this problem, which is that they had 95% men on a heterosexual site for hooking up with ladies, right? And so what they would do is they would create fake profiles of women, and then they had software code, bot code, that would bring those profiles to life.
And these bots would send messages and emails to men who had signed up but hadn't yet paid.
And in order to read a message from a woman on the site, you had to pay to have a conversation with what turned out to be just some PHP code saying, "Hey, wanna cyber?" That was one of the things the bots would say.
Said, "Hey, wanna cyber?" Yeah! They're pretty much the simplest, dumbest bots you could possibly imagine.
'Cause you couldn't have like an actual scripted conversation with them, like, "Hey, what's up?" You couldn't even really have a conversation.
I mean, you could respond to them, and then you would have to pay to see their response, and you would just ultimately never get anything.
And what we see in the company emails is that the people running the company knew very well that that was their business model, and that the vast majority of their conversions of unpaid customers to paying members were as a result of a man either contacting a bot or being contacted by a bot.
Alright, so right now we are in the MySQL database with all of the accounts of all the people who signed up for Ashley Madison starting in 2002.
Right here, 10 - so that's the 10th person to ever sign up - was a bot, and that's Sensuous Kitten.
And then their second bot was "sexygal", and "honeybunch" and "princess".
And how are these bots actually made though? Was it just somebody going on a Google image search and snatching pictures of ladies, or like what was it? So they hired a bunch of people to go and actually harvest photos from inactive accounts that had been created by women who joined any number of the Avid Life Media properties.
And they'd take those photos and they'd put them into a new profile, pay women to spend all day typing in fake information into these profiles, and then that would become part of their bot army.
It sort of seemed to me like the ultimate dystopia, because it's a bunch of men in this community who are searching for women.
The men are not allowed to talk to each other, so all of the real humans in the community are prevented from talking to each other and are forced to talk to bots.
And those bots are mostly cobbled together out of the dead accounts of real women.
So it's kind of like a bunch of men in cages talking to zombie robot women, and I can't think of anything more sad then that.
That's a really horrible picture you've just weaved.
It just made me so I was just like Yeah, that might just be the internet.
In the summer of 2015, a mysterious group calling itself the Impact Team hacked Ashley Madison, dumping nearly 10GB of sensitive and revealing data.
Erik Cabetas is a hacker and security consultant based in New York.
The day of the dump, he went straight to work on the data, looking for clues about the identity of the hackers.
I met him at a bar in Brooklyn.
- Hey, how's it going? - Hey, what's up? - Eric.
- Ben.
- Nice to meet you.
- Nice to meet you.
Club Europa, yeah.
Big red door.
It's a really, like, bright, clean-looking place to talk about Ashely Madison.
Yeah, it's So this place used to be an Eastern European club Nice.
where you would hear more Polish than anything else.
That's wicked.
So we don't know how advanced it was to initially get in there, but what they did when they got in there was dump all the emails, all the internal data, everything on the customers.
And that was really the big impact of the Ashley Madison hack.
And who is the Impact Team? Is there any idea? Not me.
So, you know, that's the big question.
Everyone wants to know that.
You, me, the police, everyone wants to know that.
All the data that they leaked were scrubbed and cleaned of meta data.
Everything that they released, they released on anonymous networks, and everything was done through crowdsourced seeding like BitTorrent.
Nobody has found anything, any smoking gun, or even just like a shadow of a fingerprint.
In the wake of the news, reports surfaced that some Ashley Madison users were US government employees, and even members of the military.
This led to speculation that foreign governments could use the data to blackmail or extort US officials.
Florida state attorney Jeff Ashton was the only US government official to publicly admit he used Ashley Madison.
I deeply regret my affiliation with the site, which has caused a great amount of stress and heartache to my wife and children.
What do you think a foreign intelligence agency could do with this? The intelligence community likes to keep data like this private so that they can exploit it themselves.
But once it's out there in the open source world, they tend to not use it as much because it's not that private secret data that they can operationalize and use their capabilities for.
If you're a black hat hacker or some criminal organization doing this for some financial gain, what do you do with the data? Uh, you don't release it publicly.
So if they would have reached out to each individual and said, "We will release all this data and try to extort people en masse, all of the customers of Ashley Madison," that might have been a little bit more of a black hat financial motivation.
So have you ever seen anything like this before in terms of the motivations behind it? If the stated motivation is the actual motivation, if really a hacktivist who wants to keep Western society chaste and good, I've not seen something like this for that goal to this level ever.
Well, then what do you make of Impact Team saying they are pissed off about the fraud that Ashley Madison has been up to? So that's very interesting, because the initial motivation, or the two stated motivations, one being kind of like this, "We don't like what you are doing as a core concept," and the other being, "We don't like that you're making additional money off of pretending to delete people's data.
" The service that they were providing which was a "Full Delete" of all of your personally identifiable information was not actually happening.
The information was still retained in logs and backups and various other things.
Who would hack into a company and do a data leak of this magnitude because they feel that they're ripping a customer off? So you look forward to the day you actually figure out who it is? Um, I do and I don't, because I mean, everyone always gets caught.
It'd be funny just to see somebody not get caught.
After Avid Life Media was hacked, things took a dark turn.
We'll probably never know for sure, but reports surfaced that several Ashley Madison users killed themselves over being exposed.
A pastor in New Orleans specifically cited the hack in his suicide note.
Avid Life's CEO Noel Biderman resigned.
To this day, no one knows who Impact Team is, or if this is the outcome they even wanted.
- Joseph.
- Ben.
How you doing? Joseph Cox is a freelance reporter for Motherboard, VICE's tech and science site that covers cyber-security.
He landed the only published interview with the Impact Team, an email Q&A.
The way it went about is I contacted somebody I'd spoken to before, and I had a feeling they would know how to get in touch with Impact Team.
I asked them for a contact email address.
I reached out to Impact Team, not really expecting them to get back.
They get back fairly quickly.
They refuse to talk on other encrypted channels, like instant messaging or something.
It all has to be done by email.
I fire off a few questions, maybe a dozen or so.
They then reply, and then we just run the article pretty straight after that.
So what are the motivations of these hackers? Well, they claim that they hacked Ashley Madison to expose the website for its fraudulent practices.
The site was running something called a Full Delete feature, where you pay a certain fee, and then the site promises to obviously delete all of your information, because of course it's a quite sensitive site.
They claim that this wasn't happening, and they found evidence of this in the data, and they released it to sort of vindicate these customers.
But it gets a bit hazy, because then in conversations with me, they also describe Avid Life Media, the company that owns Ashley Madison, as feeding drug users, in the same way a drug dealer might feed heroin addicts.
Out of pure speculation, who do you think these people are? I mean, all I can glean is that they were experienced, they were obviously highly motivated they knew what they wanted, and they went to pretty extreme lengths to get it and to embarrass this company.
You know, the one thing that I find interesting about this particular case is that if you look at a lot of the other major hacks, the hackers keep popping up.
What happened to Impact Team? I don't think anybody's come across evidence that Impact Team has struck again.
In the interview, they said that they might come back and hit other companies.
As far as I know, and according to public information, they haven't hit back.
Do you think that this hack did a lot of damage? Like what was the end impact? I think it was a watershed moment or a wake-up call for ordinary people who might've signed up to these services years ago, or they might just use them fairly regularly.
But they probably realized, "Shit," you know, "My secrets which are just stored on somebody's server somewhere, there's a real chance that they might become public, and that might have real consequences upon my life.
" I think it was a real kick in the teeth for just ordinary people.
But the company is still still operating, and months after the hack, Ashley Madison even claimed that there were more customers now.
But considering all the bullshit they had around bots and fake user accounts, I mean, you should seriously take that with a pinch of salt as well.
Avid Life Media is currently being investigated by the US Federal Trade Commission, and still faces a class action lawsuit by former members.
But Ashley Madison is trying to repair its rocky relationship with its customers despite its ongoing legal troubles.
A year after the hack, Avid Life announced it were rebranding with a new name, Ruby, and a new set of commercials for Ashley Madison.
The company denied all our requests to talk about the hack.
And after the relaunch we reached out again for a comment, but they declined.
I guess they're just trying to move on, but Ruby's new CEO has made one thing public: no more fembots.