Hackers are threatening to publish the highly personal details of up to 36 million people who use the cheating website Ashley Madison.
The hacker, who calls himself The Impact Team, breached the internal systems of Canadian company Avid Life Media (ALM), which owns Ashley Madison as well as similar sites Cougar Life and Established Men.
The breach occurred over the weekend and was first reported by security researcher Brian Krebs after the hackers posted a manifesto online alongside a random sample of the Ashley Madison database and a map of the company's internal server network.
Impact Team published some 40MB of data to prove its claim that it had breached ALM's security, including details of employee network account information, company bank account data, and salary information, alongside the details of Ashley Madison's customers.
The hacker has threatened to publish more customer information on a daily basis unless ALM takes its websites offline "in all forms". The manifesto continues:
Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers' secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails. The other websites may stay online.
The hacker, who is believed to have worked with ALM at some point, carried out the attack because of the company's Full Delete product, which for $19 (£12.20) offers customers a way to wipe away evidence of having used the company's websites. The hacker claims the service earned ALM $1.7m in 2014 despite not doing what it promises:
"Full Delete netted ALM $1.7m in revenue in 2014. It's also a complete lie. Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed."
ALM has confirmed the security breach, telling Krebs that it is working hard to remove the customer data from the web, and its CEO, Noel Biderman, believes the company has already identified the person behind the attack:
"We're on the doorstep of [confirming] who we believe is the culprit, and unfortunately that may have triggered this mass publication," Biderman told Krebs. "I've got their profile right in front of me, all their work credentials. It was definitely a person here that was not an employee but certainly had touched our technical services."
The attack on Ashley Madison comes just weeks after a similarly high-profile attack on sex community website Adult FriendFinder which saw the intimate sexual preferences of 4 million customers being traded on the dark web.
Update: Ashley Madison has now published a full statement, confirming the attack and adding that it has shut off the vulnerability which allowed the hacker to gain access:
We were recently made aware of an attempt by an unauthorised party to gain access to our systems. We immediately launched a thorough investigation utilising leading forensics experts and other security professionals to determine the origin, nature, and scope of this incident.
We apologise for this unprovoked and criminal intrusion into our customers' information. The current business world has proven to be one in which no company's online assets are safe from cyber-vandalism, with Avid Life Media being only the latest among many companies to have been attacked, despite investing in the latest privacy and security technologies.
We have always had the confidentiality of our customers' information foremost in our minds, and have had stringent security measures in place, including working with leading IT vendors from around the world. As other companies have experienced, these security measures have unfortunately not prevented this attack to our system.
At this time, we have been able to secure our sites, and close the unauthorized access points. We are working with law enforcement agencies, which are investigating this criminal act. Any and all parties responsible for this act of cyber-terrorism will be held responsible.
Avid Life Media has the utmost confidence in its business, and with the support of leading experts in IT security, including Joel Eriksson, CTO, Cycura, we will continue to be a leader in the services we provide. "I have worked with leading companies around the world to secure their businesses. I have no doubt, based on the work I and my company are doing, Avid Life Media will continue to be a strong, secure business," Eriksson said.