A Canadian-owned website for people seeking affairs was recovering from a cyberattack Monday after hackers stole confidential customer information, posted some of it online and threatened to publish all of it unless the company is shut down.
Avid Life Media, which owns Toronto-based cheating site AshleyMadison.com, called the attack an "act of cyberterrorism" and vowed to hold those behind the hack responsible for their actions.
"We apologize for this unprovoked and criminal intrusion into our customers' information," the company said in a statement. "We have always had the confidentiality of our customers' information foremost in our minds, and have had stringent security measures in place."
Demands from alleged hackers
Ashley Madison, whose slogan is "Life is short. Have an affair," claims it has more than 37 million members around the world.
While its site appeared to be working normally Monday morning, an online security blog, KrebsOnSecurity.com, posted what appeared to be a screenshot of the site's home page late Sunday bearing a message from those allegedly behind the hack.
"We are the Impact Team. We have taken over all systems in the entire office and production domains, all customer information databases, source code repositories, financial records, emails," the message said, according to Krebs, before going on to demand that Ashley Madison, as well as another Avid Life Media site — EstablishedMen.com — be shut down.
"Shutting down AM and EM will cost you, but non-compliance will cost you more," the message said. "We will release all customer records, profiles with all customers' secret sexual fantasies, nude pictures, and conversations and matching credit card transactions, real names and addresses, and employee documents and emails."
Avid Life denies 'paid-delete' allegations
Whoever hacked the sites claimed they did so to expose alleged lies Ashley Madison told customers about a service that allows members to erase profile information for a $19 fee, Krebs reported.
But Avid Life said the allegations about the "paid-delete" option on Ashley Madison were false.
"The 'paid-delete' option offered by AshleyMadison.com does in fact remove all information related to a member's profile and communications activity," it said. "The process involves a hard-delete of a requesting user's profile, including the removal of posted pictures and all messages sent to other system users' email boxes."
The company said it was offering its full-delete option free to any member in light of the cyberattack and noted that it was taking "every possible step towards mitigating the attack."
"Our team has now successfully removed all the posts related to this incident as well as all personally identifiable information about our users published online," the company said. "Our team of forensics experts and security professionals, in addition to law enforcement, are continuing to investigate this incident."
The Ashley Madison breach comes about two months after dating site AdultFriendFinder.com suffered a cyberattack.