Ashley Madison may be at the centre of the world's most high-profile massive data breach, but emails that have just emerged indicate that the company's former chief technology officer Raja Bhatia may have in fact hacked into a competitor's website.
And that is not all. The ex-founding CTO had apparently said in leaked emails that he was aware that AshleyMadison.com had security problems, noting that "security was an obvious afterthought".
Krebs on Security said that leaked emails from the company's Chief Executive Officer Noel Biderman indicate that on at least one occasion, Bhatia sent a message to Biderman, informing him of a security hole in nerve.com, a US online magazine dedicated to sexual topics, relationships and culture.
Nerve.com was at that time experimenting with its own adult dating section and Bhatia claimed he had uncovered a way to download and manipulate the website's user database.
"They did a very lousy job building their platform. I got their entire user base," Bhatia told Biderman. He also included a link to a GitHub archive with a sample of the database, Krebs on Security said.
"Also, I can turn any non paying user into a paying user, vice versa, compose messages between users, check unread stats, etc."
Neither Bhatia nor Biderman could be immediately reached for comment, KrebsOnSecurity.com said.
Apparently, more than six months after Bhatia highlighted the weakness in nerve.com's site, Biderman was set to meet with several representatives of the company. "Should I tell them of their security hole?" Biderman asks Bhatia in an email, but no reply appeared to have been given. It is also unclear if the security hole was disclosed to nerve.com.
The cache of emails leaked from Biderman runs from January 2012 to 7 July 2015, less than two weeks before the attackers announced their hacking of the infidelity website on 19 July.
Wire, which also reported on the emails, noted that Bhatia was no longer associated with the company when he sent the email on nerve.com to Biderman and the company's chief operating officer Rizwan Jiwan.
It noted that if Bhatia did in fact hack into a competitor's website, he could be criminally charged with unauthorised access under the Computer Fraud and Abuse Act.
It noted the irony given that other emails indicated that Bhatia was aware of AshleyMadison's security issues as well.
"With what we inherited with Ashley[Madison.com], security was an obvious afterthought, and I didn't focus on it either. I am pretty sure we stored passwords without any cryptography so a database leak would expose all account credentials," Bhatia said in an email in early 2012, months before highlighting nerve.com's weaknesses.
Wire said that AshleyMadison.com's parent company, Avid Life Media, had in 2012 considered buying nerve.com's dating platform.