Leaked emails in the Avid Life data breach suggest the site's CEO was more than happy for employees to steal emails from rival companies.
Ashley Madison may have had a taste of its own medicine this month, judging by a cache of leaked emails which suggest the CEO of the site encouraged the hacking of rival firms.
The discreet encounters website, owned by Avid Life Media (ALM), suffered a high-profile data breach in July. A hacking group called Impact Team took responsibility for the cyberattack and has subsequently released large caches of stolen user and corporate data online.
As reported by Motherboard, the latest file dump includes alleged internal emails relating to the CEO of Avid Life Media, Noel Biderman. The emails suggest that after discovering a serious security vulnerability in rival site Nerve, the founding chief technology officer Raja Bhatia was encouraged to exploit the flaw.
In November 2012, a casual message seen by the publication between the executives relates to a "huge security hole" discovered by Bhatia. Nerve.com, once a dating service, captured the interest of Biderman, who asked for additional details.
After exploring further, the CTO found he had access to a massive amount of user data, saying within an email:
"They did a poor job of auditing their site. Have access to all their user records including emails, encrypted password, if they purchased or not, who they talked to, what their search preferences are, last login, fraud risk profile, who they blocked or are blocked from, photo uploads, etc."
In response, Biderman said, "Holy moly..I would take the emails...," however, Bhatia was not interested in infiltrating the site further and stealing content, reportedly saying he "want[ed] to be able to look my son in the eye one day."
While unwilling to do it himself, the executive did demonstrate to Biderman how to exploit the security hole, in addition to a GitHub post containing the allegedly stolen data of a Nerve user. It is unknown whether Nerve.com was informed of the vulnerability.
See also: Ashley Madison hack: A savage wake-up call which is only the beginning
Speaking to the publication, an Avid Life Media representative said the comments were taken out of context, and at "no point was there an effort made to hack, steal or use Nerve.com's proprietary data." Instead, while considering strategic partnerships between Nerve and ALM, Biderman asked for Bhatia's help in "conducting technical due diligence on the opportunity." The spokesman said:
"This activity, while clumsily conducted, uncovered certain technology shortcomings which Noel attempted to understand and confirm."
According to security expert Brian Krebs, a selection of documents now released online by Impact Team include a 100-page movie script written by Biderman and personal data belonging to the CEO such as a scanned copy of his driving license, personal checks, bank account numbers and a home address.
ALM has offered a $500,000 reward for information leading to the arrest of the Impact Team. However, considering the class-action lawsuit already levied against the company and two suicides believed to be related to the data breach so far, it remains to be seen whether anything will be left in the company coffers to offer informants.