#Open journalism No news is bad news

Your contributions will help us continue to deliver the stories that are important to you

Support The Journal
Dublin: 4°C Thursday 13 May 2021

Probe into Ashley Madison hack finds site's security had 'serious shortcomings'

The report found that the site had also faked a security trustmark, misleading users into thinking it met high security standards.

Image: AP Photo/Lee Jin-man

THE SECURITY MEASURES Ashley Madison took to protect users’ accounts were described as having “serious shortcomings”.

The Australian Privacy Commissioner and the Privacy Commissioner of Canada held a joint investigation into the site and its security measures and found it didn’t have the “appropriate safeguards in place considering the sensitivity of the personal information [it had]… nor did it take reasonable steps in the circumstances to protect the personal information it held”.

The adult dating site, aimed at those who wanted to have an affair, hosted 36 million user profiles at the time it was hacked back in July 2015.

It also used a fake security trustmark to give users the impression its security was verified by an independent third-party.

“Though ALM (Avid Life Media, Ashley Madison’s parent company) had some security safeguards in place, those safeguards appeared to have been adopted without due consideration of the risks faced,” the report said. “As a result, ALM had no clear way to assure itself that its information security risks were properly managed”.

This lack of an adequate framework failed to prevent the multiple security weaknesses described above and, as such, is an unacceptable shortcoming for an organisation that holds sensitive personal information or a significant amount of personal information, as in the case of ALM.

Those examples of poor security practices included only allowing a single factor of authentication (something you know) instead of including a second form of authentication like a code sent to your phone or a fingerprint or retina scan.

Also, the security measures taken by the company weren’t up to scratch, especially in the area of key and password management. This included the VPN (Virtual Private Network) ‘shared secret’ – a common passphrase used by all VPN users to access a particular network segment – being saved on Google Drive.

This meant that anyone with access to an employee’s account could have potentially discovered it.

Instances where it stored passwords and encryption keys as plain, identifiable text were also found on the systems.

Read: There’s a new version of Android out, but good luck getting your hands on it >

Read: Wicklow man fighting extradition to US over alleged Silk Road connections >

About the author:

Quinton O'Reilly

Read next:


This is YOUR comments community. Stay civil, stay constructive, stay on topic. Please familiarise yourself with our comments policy here before taking part.
write a comment

    Leave a commentcancel