It was clear after Ashley Madison was hacked that the effects would still be felt for months and years to come.
We’ve just had the latest glimpse of this via a terrifying ransom demand shared with Graham Cluley, a security researcher who has been reporting on the breach.
(Scroll down for the original letter.)
In July 2015, the extra-marital affairs dating website was targeted by unknown hackers, and highly compromising data about its more than 30 million users was subsequently leaked — everything from names to addresses and detailed sexual preferences.
It’s a treasure trove for would-be blackmailers, and multiple customers reported receiving extortion demands sent to email addresses associated with their accounts — threatening to “out” the victims as Ashley Madison users unless they paid a bitcoin ransom.
To be publicly named as a user of Ashley Madison — a site designed to facilitate infidelity — is almost always going to be publicly damaging. But because the dump of Ashley Madison user data is public, there is no guarantee that even if a victim pays up, they won’t be targeted again by someone else.
Graham Cluley has posted on his blog a letter forwarded to him by a reader who was apparently an Ashley Madison member. The reader was sent a letter in the mail by an unknown blackmailer, which demands $2,000 (£1,396), paid in bitcoin. It warns: “If you don’t comply with my demand I am not just going to humiliate you, I am going to humiliate those close to you as well.”
It includes a kind of cautionary tale about another Ashley Madison user who was targeted by the blackmailer but refused to pay up. The blackmailer says they “anonymously contacted his wife, [REDACTED], and told her about [REDACTED]’s membership on Ashley Madison and told her how to confirm it for herself. But I didn’t stop there. I also contacted [REDACTED]’s work colleagues. I also contacted his daughter. And his daughter’s boyfriend. And I contacted several of his superiors, peers, and subordinates at [REDACTED].”
The letter includes the contact details of this alleged previous victim, but there’s no indication as to whether the story is true or not. Cluley says that when he checked, the bitcoin wallet the letter references had not received any funds.
Here’s the letter:
If you can’t make that out, here’s the full text:
Hello, [redacted], you don’t know me but I know you very well. As you likely know, the Ashley Madison website was hacked a little while back and in the process some personal information from tens of millions of their clients was compromised. As scary as that sounds, most of their families will never find out. First, they would have to actively seek out the information. Second, the files containing the information are multiple gigabytes in size and are not all that convenient to access if you don’t know how. There will be some spammers who shoot out mass threatening emails to those on the lists but they can safely be ignored. Only the unlucky few will draw the attention of a true blackmailer willing to actually research a target’s family and acquaintances. Unfortunately, [REDACTED], you are one of the unlucky ones.
Yes, I know about your secret, that you paid for services from a company that specialises in facilitating adultery. But what makes me a threat to you is that I have also spent several days getting to know about you, your family and others in your life. All you have to do in order to prevent me from using this information against you, [REDACTED], is to pay me $2000. And before you ignore this letter consider this: You received this via first class mail. It wasn’t a spam email some Nigerian sent to thousands of people. That means I spent money on it. It means I took extensive counter-forensics measures to ensure the Postal Inspector would not be able to track it back to me via post marks or via prints and DNA. It means I paid cash for a printer that couldn’t be traced back to me. I have spent considerable time and money on you, [REDACTED]. So if you decide to ignore me, you can be certain that I sure as hell won’t ignore you.
The last man to whom I sent a similar letter decided to ignore me. Perhaps he thought I was bluffing. Feel free to contact him yourself if you wish to verify my sincerity. His name is [redacted] and he is a [redacted]. Their website is [redacted]. His phone number, if he hasn’t changed it yet from embarrassment, is [redacted]. He used his office address for his credit card billing on Ashley Madison but I was still able to track down his residential address, at [REDACTED]. From there it was a simple matter to learn that he has a wife named [REDACTED], who works for a [REDACTED]. He has a lovely college-aged daughter named [REDACTED], though she goes by [REDACTED].
So here is what I did when [REDACTED] did not pay up by the deadline.
I of course anonymously contacted his wife, [REDACTED], and told her about [REDACTED]’s membership on Ashley Madison and told her how to confirm it for herself. But I didn’t stop there. I also contacted [REDACTED]’s work colleagues. I also contacted his daughter. And his daughter’s boyfriend. And I contacted several of his superiors, peers, and subordinates at [REDACTED].
You see, [REDACTED], if you don’t comply with my demand I am not just going to humiliate you, I am going to humiliate those close to you as well.
There was another man to whom I gave the same letter and he chose to pay. I’ll call him “Mr. Wise.” No, that isn’t his real name. I am not going to share any of his information with you or anyone else. Ever. You see, HIS secret is safe with me. And he will never hear from me again.
So the only real question you need to ask yourself is whether you want me to treat you like [REDACTED] or like “Mr. Wise.” That choice is completely yours.
If you do not wish me to destroy your life then send $2000 in BITCOIN to the Receiving Bitcoin Address listed below. Payment MUST be received within 10 days of the post marked date on this letter’s envelope. If you are not familiar with bitcoin, read the attached “How-To” guide. You will need the below two pieces of information when referencing the guide.
It’s just one small example of the ongoing fallout from the hack. In December 2015, Fusion ran a piece on its devastating after-effects. Kristen Brown wrote that in the four months since customers’ details were released, she has “counted at least three suicides, two toppled family values evangelists, one ousted small-town mayor, a disgraced state prosecutor and countless stories of extortion and divorce. The blast radius of a database dump, it seems, is very large indeed.”