The security measures Ashley Madison took to protect users’ accounts were described as having “serious shortcomings”.
The Australian Privacy Commissioner and the Privacy Commissioner of Canada held a joint investigation into the site and its security measures and found it didn’t have the “appropriate safeguards in place considering the sensitivity of the personal information [it had]… nor did it take reasonable steps in the circumstances to protect the personal information it held”.
The adult dating site, aimed at those who wanted to have an affair, hosted 36 million user profiles at the time it was hacked back in July 2015.
It also used a fake security trustmark to give users the impression its security was verified by an independent third-party.
“Though ALM (Avid Life Media, Ashley Madison’s parent company) had some security safeguards in place, those safeguards appeared to have been adopted without due consideration of the risks faced,” the report said. “As a result, ALM had no clear way to assure itself that its information security risks were properly managed”.
This lack of an adequate framework failed to prevent the multiple security weaknesses described above and, as such, is an unacceptable shortcoming for an organisation that holds sensitive personal information or a significant amount of personal information, as in the case of ALM.
Those examples of poor security practices included relying on a single factor of authentication (something you know, such as a password) rather than requiring a second factor as well, such as a code sent to your phone or a fingerprint or retina scan.
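The distinction above, as an added example that is not part of the article or of ALM's systems: a two-factor login check in Python that requires a password (something you know) and a time-based one-time code (something you have) computed per RFC 4226/6238, as an authenticator app would produce, rather than the SMS code the article mentions. The user record, salt and password are constructed for the example; the TOTP seed is the RFC 6238 test-vector seed, so the codes can be checked against the RFC.

```python
"""Two-factor login check: password (something you know) plus a TOTP code
(something you have) per RFC 4226/6238. Added example; not ALM's code."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-SHA1 one-time password for a counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP keyed on the number of 30-second steps since the epoch."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, last_counter: int,
                step: int = 30, window: int = 1, digits: int = 6):
    """Return the accepted counter, or None.

    Tolerates +/- `window` steps of clock drift between phone and server, and
    rejects any counter at or below the last one accepted, so a captured code
    cannot be replayed within its validity window."""
    counter = unix_time // step
    for drift in range(-window, window + 1):
        candidate = counter + drift
        if candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


# Constructed user record (hypothetical). The password is kept only as a
# salted PBKDF2 hash; the TOTP seed must itself be stored encrypted at rest.
SALT = b"constructed-salt"
USER = {
    "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 200_000),
    "totp_seed": b"12345678901234567890",   # RFC 6238 test-vector seed
    "last_counter": 0,
}


def authenticate(user: dict, password: str, code: str, unix_time: int) -> bool:
    """Both factors are always evaluated; the TOTP counter is recorded on
    success so the same code cannot be used twice."""
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 200_000),
        user["pw_hash"],
    )
    used = verify_totp(user["totp_seed"], code, unix_time, user["last_counter"])
    if not pw_ok or used is None:
        return False
    user["last_counter"] = used
    return True


if __name__ == "__main__":
    # At unix time 59 the RFC 6238 seed yields code 287082 (8-digit: 94287082).
    u = dict(USER)
    print(authenticate(u, "correct horse", totp(u["totp_seed"], 59), 59))  # True
    print(authenticate(u, "correct horse", totp(u["totp_seed"], 59), 59))  # False: replay
```

The point the article's comparison is making shows up in `authenticate`: a leaked or guessed password alone fails, and because the one-time code is bound to a time counter that is consumed on use, even a code observed in transit is worthless a moment later. Note that the seed that makes the second factor work is exactly the kind of key material the rest of the article says ALM left lying around in the clear.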
The company’s security measures also fell short in other respects, particularly in key and password management. This included the VPN (Virtual Private Network) ‘shared secret’ – a common passphrase used by all VPN users to access a particular network segment – being saved on Google Drive.
This meant that anyone with access to an employee’s Google Drive account could potentially have discovered it, and with it the credential every VPN user relied on.
Investigators also found instances on its systems where passwords and encryption keys were stored in plain, readable text rather than hashed or encrypted.