Date: 2015-09-10

Ashley Madison Hackers leaked a small percentage of Ashley Madison customer details online.

A former Ashley Madison executive is threatening to sue tech blogger Brian Krebs for libel over a story published after the notorious dating site was hacked and huge troves of customer data and internal documents were leaked online, Krebs says.

Hundreds of thousands of emails apparently belonging to CEO Noel Biderman were included in one of the data dumps. Included in these emails are a number of exchanges between Biderman and Raja Bhatia, the founding chief technology officer of the extra-marital affairs dating site.

On August 24, independent security blogger and journalist Brian Krebs published a story on his site titled “Leaked AshleyMadison Emails Suggest Execs Hacked Competitors.”

Bhatia, who his lawyer says left Avid Life Media in 2009, denies the claims in the story, and a previous statement from Avid Life Media claims he was merely conducting legitimate research or “technical due diligence” on a company Ashley Madison was considering acquiring. However, a letter from Bhatia’s lawyer says that the “implication that Mr. Bhatia was reviewing Nerve.com’s security in conjunction with Avid Life Media’s consideration of acquiring Nerve.com” is “inaccurate.”

Krebs reported that in November 2012, Bhatia told Biderman that after some “digging,” he had discovered a “huge security hole” in the website of competitor Nerve.com. When asked for more details, the ex-CTO said that he had “access to all their user records including emails, encrypted password, if they purchased or not, who they talked to, what their search preferences are, last login, fraud risk profile, who they blocked or are blocked from, photo uploads, etc.”

Bhatia also linked to a GitHub page that contained “the allegedly stolen data of a Nerve user,” according to Motherboard’s Joseph Cox. Business Insider was not able to verify this — the page has since been deleted — but Cox says when he accessed it “the data was still live and the page looked legitimate.” Business Insider has seen all the emails quoted by Krebs in his original story.

Bhatia went on to explain that Nerve.com apparently “did a very lousy job building their platform,” and that he “got their entire user base. Also, I can turn any non paying user into a paying user, vice versa, compose messages between users, check unread stats, etc.”

Numerous other journalists subsequently followed this story up, including Kim Zetter at Wired, and me here at Business Insider. (I have not been contacted by Bhatia’s lawyers as of yet, and we’re waiting for a response from Nerve.)

Bhatia’s lawyer Daniel Naymark has since written to Krebs, asserting that his article “contains false and defamatory statements” about his client, and demanding that the journalist “immediately retract and correct.”

The letter goes on (emphasis ours):

Contrary to the express statement in the article’s title and the suggestion in its body, Mr. Bhatia did not “hack” Nerve.com. Rather, he noticed a readily apparent security gap and remarked on it to Noel Biderman, Ashley Madison’s CEO, with whom he happened to speak shortly thereafter. At no time did Mr. Bhatia attempt to bypass Nerve.com’s security or to exploit its gap in any way. He did not bulk exfiltrate this data or attempt to alter it, as implied by the selective quotes from his emails included in your post.

Krebs writes that he has “no intention of posting a retraction or correcting any elements of this story.”

In a previous statement, Ashley Madison’s parent company Avid Life Media framed Bhatia’s actions as “due diligence” relating to a potential business partnership between the two companies (emphasis ours):

In September PTC Advisors, representing Nerve, contacted Noel and provided a more detailed brief on the opportunity. This communique was followed by a number of conversations. Subsequently Noel contacted Raja Bhatia and asked for his assistance in conducting technical due diligence on the opportunity. This activity, while clumsily conducted, uncovered certain technology shortcomings which Noel attempted to understand and confirm … At no point was there an effort made to hack, steal or use Nerve.com’s proprietary data.

But the letter from Bhatia’s lawyer describes the “implication that Mr. Bhatia was reviewing Nerve.com’s security in conjunction with Avid Life Media’s consideration of acquiring Nerve.com” as “misleading” and “inaccurate.” It says that Bhatia — who left the company in 2009 but apparently stayed in touch with Biderman — did not work for Avid Life Media at the time of the alleged incident. He “was unaware that Avid Life was considering any acquisition,” the lawyer says.

Business Insider has reached out to Avid Life Media and Daniel Naymark for comment, and will update this story when they respond.

Here’s the full email exchange between Bhatia and Biderman:

On November 30, 2012, Raja Bhatia signed off an unrelated email to Biderman with the following message:

Also nerve’s dating site has a huge security hole….

Biderman responds:

What is the security hole? How did you hear about it

Bhatia:

Was researching the casual dating space as it’s been on my mind. I remembered Nerve relaunched with a slick site and did a little digging into how it worked. They did a poor job of auditing their site. Have access to all their user records including emails, encrypted password, if they purchased or not, who they talked to, what their search preferences are, last login, fraud risk profile, who they blocked or are blocked from, photo uploads, etc.

Biderman:

Holy moly..I would take the emails…

Bhatia:

can’t do it.. want to be able to look my son in the eye one day.. .. but i will tell you how to get them yourself.. someone like luke could figure it quickly Here is a sample user – https://gist.github.com/2a308a111d17f7e47976 [Note: This has since been taken offline, apparently by Bhatia.] Also gives you some insights on how they are handling user engagement/transactional emails/ risk/etc (nothing too special)

Biderman (after apparently attempting himself):

Got an error message…

Biderman then emailed Avid Life employee Rizwan Jiwan a blank email titled “raja claims there is a security hole on nerve.com”.

Jiwan responds:

???

Bhatia, included in the email thread, then replies:

They did a very lousy job building their platform. I got their entire user base. Also, I can turn any non paying user into a paying user, vice versa, compose messages between users, check unread stats, etc. sample: https://raw.github.com/gist/2a308a111d17f7e47976/5d597d7f55ad3714a04b2b28a701f050df30001b/– [Note: This has since been taken offline, apparently by Bhatia.]

