Ashley Madison, an online dating service for married individuals seeking cheating partners, was hacked and sensitive information about its customers and employees was released, parent company Avid Life Media said Monday.
In a statement, the Toronto-based ALM apologized "for this unprovoked and criminal intrusion into our customers' information."
The company said it was able to secure their sites and close the unauthorized access points with the help of "one of the world's top IT security teams." It also removed all "Personally Identifiable Information (PII)" about its users published online. The attack is being investigated by law enforcement agencies, the company added.
Sensitive personal and financial information of Ashley Madison's users and employees was released online by a hacker or a group of hackers, who identified themselves as The Impact Team, Krebs on Security reported. Data from two other ALM dating sites, Cougar Life and Established Men, was also released.
Ashley Madison, which describes itself as "the most famous name in infidelity and married dating," purportedly has more than 37 million customers.
The hackers released the account data of some random users from ALM's three hookup sites, along with the bank account and salary information of its employees.
In an online post, the Impact Team threatened to release all customer records — including their profiles — detailing their "secret sexual fantasies and matching credit card transactions, real names and addresses," as well as employee documents and emails unless ALM took Ashley Madison and Established Men offline permanently, Krebs on Security reported.
The Impact Team said the hack was a response to "a complete lie" ALM allegedly told its customers, referring to its "full delete" feature that offers Ashley Madison members to permanently erase all of their history and personal information from the site for a $19 fee.
The manifesto, published in part by Krebs on Security, said:
"Full Delete netted ALM $1.7mm in revenue in 2014. It's also a complete lie. Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed."
Responding to the hackers' allegations, Ashley Madison insisted its "paid-delete" option did a hard delete of a requesting user's profile and all pictures and messages sent to other users' inboxes.
The company said it would now offer the full-delete option free to any member, "in light of today's news."
The hackers apologized to Mark Steele, the company's director of security: "You did everything you could but nothing you could have done could have stopped this." That supported Avid Life Media's CEO's suggestion that the hack was done by someone who had access to the company's servers at some point.
Ashley Madison, which has a "Trusted Security Award" listed on its website, said that the attack had occurred "despite investing in the latest privacy and security technologies."
In a similar attack in May, a hacker broke into online dating site Adult FriendFinder and exposed personal information of about 3.5 million users, including their sexual preferences and fetishes.