Ashley Madison, a website that helps millions of married people cheat on their spouses, has lost a trove of personal and confidential information to hackers who are threatening to release the data of more than 37 million users.
News of the data hack comes at a time when Ashley Madison's parent company has raised its profile by backing a related TV show; its leaders have also discussed a potential $200 million stock offering.
But now Ashley Madison, which operates under the tagline "Life is short. Have an affair," and calls itself "the most famous name in infidelity and married dating," is fighting to keep its customers' information off the Internet, after a group that calls itself The Impact Team posted some of the stolen data online.
The attack was first reported by KrebsOnSecurity, which notes that The Impact Team posted "large caches of data" that were stolen from AshleyMadison.com – including not only information about customer accounts but also banking records and other data about the company itself.
Ashley Madison says it has succeeded in getting that information taken down, after invoking the Digital Millennium Copyright Act. In a statement issued Monday morning, it adds that its "team of forensics experts and security professionals, in addition to law enforcement, are continuing to investigate this incident."
The hackers say the website and its sibling services must be shut down — or they will release "all customer records, profiles with all the customers' secret sexual fantasies, nude pictures, and conversations and matching credit card transactions, real names and addresses, and employee documents and emails."
The message was posted on the hacked website, which has since been restored to its normal appearance. KrebsOnSecurity reports that the hackers were particularly critical of Ashley Madison's "full delete" feature, which charges around $20 to remove a user's records. The service was misleading, the hackers wrote.
Ashley Madison says it has hired a team of IT security and forensics experts to get to the bottom of what it calls an "unprovoked and criminal intrusion" into its systems.
"We're not denying this happened," Noel Biderman, the CEO of Ashley Madison parent company Avid Life Media, told KrebsOnSecurity on Sunday night. He added, "Like us or not, this is still a criminal act."