Russian-Speaking Hackers Steal Information from 97 Websites

Hacking is all the rage now. The fallout from the embarrassing Ashley Madison hack is still not over, and word of a huge breach has just reached mainstream news. Apparently, 97 other dating websites have been compromised, PC World reported yesterday.

Most of the websites are niche dating sites similar to Ashley Madison, but the breaches do not compare to the Ashley Madison hack in either scale or extent. The Ashley Madison hack brought to the public the details of 30 million users, internal documents, email exchanges, and company information.

However, there is a big difference. These latest hacks were not perpetrated by Impact Team, which holds a moral grudge against Avid Life Media, Ashley Madison's parent company, and its former CEO Noel Biderman in particular.

The Ashley Madison hacks were clearly motivated by something other than financial gain. These new hacks, on the other hand, point to the monetization of these efforts.

Alex Holden, founder and CTO of Hold Security, said that he came across batches of information on these hacks when his analysts saw them on an unsecured server which did not even have password protection. This obviously allowed easy analysis of its contents.

A list of websites, together with their software vulnerabilities, was included in the information that Hold Security found. They also found notes written in Russian, which Holden could read as he is a native Russian speaker.

He mentioned that many of the compromised sites have a database flaw that allows hackers unauthorized access to information stored on the servers. These vulnerabilities are known as SQL injection flaws.

IDG News Service has a copy of the list of websites but is not identifying them. Holden's security firm routinely comes across information like this but does not have enough resources to contact each and every one of the victims.

Holden's analysis shows that the hackers have not yet tried to sell off the data. Email lists and, for some sites, unencrypted passwords were collected. This pales in comparison with the Ashley Madison data dump, which included user preferences, GPS locations, birth dates, etc. However, email lists can still be sold off to spammers, who willingly purchase this data to threaten DDoS attacks or even ransom.
