There’s another twist in the tale of the former Ashley Madison executive who allegedly “hacked” a competitor.
Back in August, Raja Bhatia, the founding chief technology officer of the extra-marital affairs dating site who left in 2009, was accused by security blogger Brian Krebs of hacking into rival dating site Nerve.com in 2012.
Ashley Madison was the subject of a separate, larger hack this summer, in which compromising information on tens of millions of customers was published online. It included confidential internal documents and hundreds of thousands of CEO Noel Biderman’s emails.
Krebs reported that these emails included an exchange between Biderman and Bhatia from November 2012. The ex-exec tells the CEO that “nerve’s dating site has a huge security hole,” and was able to gain access to “all their user records including emails, encrypted password, if they purchased or not, who they talked to, what their search preferences are,” and more. “I would take the emails,” Biderman replied, but Bhatia refused — although he provided a link to what was apparently a Nerve user’s details uploaded to GitHub as an example of the data available.
Krebs ran this story under the headline, “Leaked AshleyMadison Emails Suggest Execs Hacked Competitors” on August 24 — and Bhatia has subsequently threatened to sue him for libel, he revealed in a follow-up post on September 9.
Krebs’ article contains “false and defamatory statements,” according to Bhatia’s lawyer. “Mr. Bhatia did not ‘hack’ Nerve.com. Rather, he noticed a readily apparent security gap and remarked on it to Noel Biderman, Ashley Madison’s CEO, with whom he happened to speak shortly thereafter. At no time did Mr. Bhatia attempt to bypass Nerve.com’s security or to exploit its gap in any way. He did not bulk exfiltrate this data or attempt to alter it.”
Krebs says he is standing by his post, and has “no intention of posting a retraction or correcting any elements of this story.”
First of all, here’s the explanation of Bhatia’s actions that was given by Avid Life Media, Ashley Madison’s parent company (emphasis ours):
In September PTC Advisors, representing Nerve, contacted Noel and provided a more detailed brief on the opportunity [for AM to acquire Nerve]. This communique was followed by a number of conversations. Subsequently Noel contacted Raja Bhatia and asked for his assistance in conducting technical due diligence on the opportunity. This activity, while clumsily conducted, uncovered certain technology shortcomings which Noel attempted to understand and confirm … At no point was there an effort made to hack, steal or use Nerve.com’s proprietary data.
And here’s a quote from the letter sent from Naymark to Krebs (again, emphasis ours):
The post contains the further misleading implication that Mr. Bhatia was reviewing Nerve.com’s security in conjunction with Avid Life Media’s consideration of acquiring Nerve.com. That implication is inaccurate. Mr. Bhatia ceased to work at Avid Life in 2009 and was unaware that Avid Life was considering any acquisition in November 2012.
So Avid Life Media says that Biderman specifically enlisted Bhatia’s help to investigate Nerve as part of “technical due diligence” before a business deal, but Naymark says that’s not the case, and that Bhatia wasn’t “reviewing Nerve.com’s security in conjunction” with any deal.
I asked Naymark about this by email. He told me that his letter “accurately sets out the question,” and that he “cannot comment on why Avid Life initially said otherwise. Perhaps that is a question better directed to the company.” (Avid Life Media has not responded to Business Insider’s request for comment.)
The original email exchange in November 2012 appears to support Naymark’s version of events. Bhatia mentions “Also nerve’s dating site has a huge security hole” at the end of an unrelated email, to which Biderman asks “How did you hear about it.” Bhatia replies that he was “researching the casual dating space as it’s been on my mind. I remembered Nerve relaunched with a slick site and did a little digging into how it worked.”
There is no mention of any “technical due diligence,” or indeed any indication that Bhatia had any idea that a potential business deal was in the works.
But this raises the question as to why Avid Life Media said otherwise when the emails were first highlighted.
Another email exchange, not previously reported on, also appears to discuss Nerve. On January 29, 2014 — more than a year after the first email exchange about the security hole, Nerve was bought by HowAboutWe. Biderman emailed Bhatia with a link to an article on Fortune about the acquisition. The subject line of the email was an apparent question: “still have their database”.
Bhatia replied simply: “Yup”
I asked Naymark whether Bhatia was referring to Nerve’s database. He said that “as set out in the letter Mr. Bhatia did not exfiltrate Nerve.com’s database and never ‘had’ it.” I asked what “database” Bhatia apparently did refer to. “It does not refer to him having possession of any database relating to Nerve.com, which he did not. I cannot comment further.”
Here’s the exchange about Nerve’s acquisition from January 2014:
Here are the original emails between Bhatia and Biderman:
On November 30, 2012, Raja Bhatia signed off an unrelated email to Biderman with the following message:
Also nerve’s dating site has a huge security hole….
What is the security hole? How did you hear about it
Was researching the casual dating space as it’s been on my mind. I remembered Nerve relaunched with a slick site and did a little digging into how it worked. They did a poor job of auditing their site. Have access to all their user records including emails, encrypted password, if they purchased or not, who they talked to, what their search preferences are, last login, fraud risk profile, who they blocked or are blocked from, photo uploads, etc.
Holy moly..I would take the emails…
can’t do it.. want to be able to look my son in the eye one day..
.. but i will tell you how to get them yourself.. someone like luke could figure it quickly
Here is a sample user –
https://gist.github.com/2a308a111d17f7e47976 [Note: This has since been taken offline, apparently by Bhatia.]
Also gives you some insights on how they are handling user engagement/transactional emails/ risk/etc (nothing too special)
Biderman (after apparently attempting himself):
Got an error message…
Biderman then emailed Avid Life Employee Rizwan Jiwan a blank email titled “raja claims there is a security hole on nerve.com“.
Bhatia, included in the email thread, then replies:
They did a very lousy job building their platform. I got their entire user base. Also, I can turn any non paying user into a paying user, vice versa, compose messages between users, check unread stats, etc.
sample: https://raw.github.com/gist/2a308a111d17f7e47976/5d597d7f55ad3714a04b2b28a701f050df30001b/– [Note: This has since been taken offline, apparently by Bhatia.]
Business Insider Emails & Alerts
Site highlights each day to your inbox.