Extramarital dating site Ashley Madison has been hacked, with millions of users' information potentially at risk of exposure.
Ashley Madison, whose tagline is "Life is short. Have an affair," is a dating website for married people. Claiming to have over 37 million members, the service was launched in 2001 and is owned by Avid Life Media, a Toronto-based company that also owns CougarLife.com and EstablishedMen.com. The data breach comes less than two months after similar website.
"We were recently made aware of an attempt by an unauthorized party to gain access to our systems," Avid Life Media said in a statement published today.
"At this time, we have been able to secure our sites, and close the unauthorized access points," the company said. "We are working with law enforcement agencies, which are investigating this criminal act. Any and all parties responsible for this act of cyber-terrorism will be held responsible."
Security blogger Brian Krebs, who revealed the hack, reported that the breach is the work of a hacking group dubbed The Impact Team, who are said to have taken issue with an Ashley Madison feature that lets customers only fully delete their data if they pay a fee. The hacking group reportedly alleges that Avid Life Media doesn't delete this information as promised, but keeps a record.
The hacking group is reportedly threatening to publish stolen customer records, including real names, addresses and credit card transactions -- as well as internal documents and emails -- unless Ashley Madison and EstablishedMen.com are taken offline.
In its statement, Avid Life Media apologises for the breach, writing, "The current business world has proven to be one in which no company's online assets are safe from cyber-vandalism."
Ashley Madison was one of several dating sites criticised in 2012 in an Electronic Frontier Foundation report, which took aim at the site's privacy and security practices.
What can customers of dating sites do to protect themselves online? "You could use a burner email address rather than your regular personal one or one that identifies your place of work," security expert Graham Cluley said.
"But if you have used your credit card on such a site there is always the risk that they have not properly protected your real name and address," he warned. "Maybe it would be safer if such sites offered broader anonymity, for instance offering users to pay them through digital currency."