Skip to content

Readers like you keep news free for everyone.

More than 5,000 readers have already pitched in to keep free access to The Journal.

For the price of one cup of coffee each week you can help keep paywalls away.

Image: AP Photo/Lee Jin-man

Probe into Ashley Madison hack finds site's security had 'serious shortcomings'

The report found that the site had also faked a security trustmark, misleading users into thinking it met high security standards.
Aug 24th 2016, 1:02 PM 10,681 8

THE SECURITY MEASURES Ashley Madison took to protect users’ accounts were described as having “serious shortcomings”.

The Australian Privacy Commissioner and the Privacy Commissioner of Canada held a joint investigation into the site and its security measures and found it didn’t have the “appropriate safeguards in place considering the sensitivity of the personal information [it had]… nor did it take reasonable steps in the circumstances to protect the personal information it held”.

The adult dating site, aimed at those who wanted to have an affair, hosted 36 million user profiles at the time it was hacked back in July 2015.

It also used a fake security trustmark to give users the impression its security was verified by an independent third-party.

“Though ALM (Avid Life Media, Ashley Madison’s parent company) had some security safeguards in place, those safeguards appeared to have been adopted without due consideration of the risks faced,” the report said. “As a result, ALM had no clear way to assure itself that its information security risks were properly managed”.

This lack of an adequate framework failed to prevent the multiple security weaknesses described above and, as such, is an unacceptable shortcoming for an organisation that holds sensitive personal information or a significant amount of personal information, as in the case of ALM.

Those examples of poor security practices included only allowing a single factor of authentication (something you know) instead of including a second form of authentication like a code sent to your phone or a fingerprint or retina scan.

Making a difference

A mix of advertising and supporting contributions helps keep paywalls away from valuable information like this article.

Over 5,000 readers like you have already stepped up and support us with a monthly payment or a once-off donation.

For the price of one cup of coffee each week you can make sure we can keep reliable, meaningful news open to everyone regardless of their ability to pay.

Also, the security measures taken by the company weren’t up to scratch, especially in the area of key and password management. This included the VPN (Virtual Private Network) ‘shared secret’ – a common passphrase used by all VPN users to access a particular network segment – being saved on Google Drive.

This meant that anyone with access to an employee’s account could have potentially discovered it.

Instances where it stored passwords and encryption keys as plain, identifiable text were also found on the systems.

Read: There’s a new version of Android out, but good luck getting your hands on it >

Read: Wicklow man fighting extradition to US over alleged Silk Road connections >

Send a tip to the author

Quinton O'Reilly


    Back to top