Naked Security

Ashley Madison to be probed by FTC

Life is short. Have an affair... with a fembot?

Let’s say you were a cheaters’ dating site that didn’t bother to close simple holes in your Linux-based servers and suffered a massive hack that left your customers facing blackmail.

How do you regain credibility?

I don’t know, but revelations that you used fembots to lure in paying men probably won’t help matters much.

In the first interview that senior management have given since the breach, the new-as-of-April management at Ashley Madison parent company Avid Life Media have told Reuters that the company’s now been hit with a probe from the US Federal Trade Commission (FTC).

Avid doesn’t actually know what the focus of the FTC investigation is. When Reuters asked about Ashley Madison’s use of so-called fembots – computer programs that impersonated real women to strike up conversations with paying male customers – Segal told the news outlet that the issue is…

… a part of the ongoing process that we’re going through … it’s with the FTC right now.

The Ashley Madison site’s slogan was “Life is short. Have an affair.”

Now, money’s short, and Avid’s having to apologize.

Current Avid CEO Rob Segal and President James Millership told Reuters that the company lost more than a quarter of its revenue in the aftermath of the breach.

The devastating attack happened a year ago.

It meant saying goodbye, supposedly “discreet” e-handling of adulterers’ hook-ups; hello, subsequent exposure of email addresses, real names, partial credit card numbers, profile descriptions, postal addresses, GPS locations, sexual preferences, and details about the weight and height of nearly 40 million users.

The fallout was nasty and prolonged as the culprits kept turning the screws on victims they dismissed as “cheating dirtbags.” Unsurprisingly, blackmail attempts followed.

Now, Ashley Madison’s parent company wants to say it’s sorry.

Segal told Reuters that maybe – just maybe – the company could have spent a tad more on security, for which it is…

…profoundly sorry.

Now, the execs told Reuters, the company’s spending millions to boost security and is pondering payment options that provide more privacy.

Pre-breach, it was selling a “full-delete” feature that promised “removal of site usage history and personally identifiable information from the site.”

That $20 “Full Delete” feature was a “complete lie,” said Impact Team, the hacking group that claimed to have breached Ashley Madison.

Segal told Reuters that Avid still doesn’t know who’s behind the attack, nor how it was done.

Last September, the company brought in Deloitte to help it clean up. It’s expecting to reach the first level of Payment Card Industry (PCI) compliance by September.

Reuters spoke with Robert Masse, who heads up Deloitte’s incident response team and who told the news service that his team had found simple backdoors in Avid Life’s Linux-based servers.

We had to basically reinvent their security posture.

Meanwhile, Avid’s facing two class action lawsuits: one in the US, and one in Canada.

The suits allege that Avid used fake female profiles: an allegation backed up by an Ernst & Young report that Avid itself commissioned.

Reuters, which has seen that report, says that the report confirms that the company was using computer programs, which it called “fembots,” to impersonate real women.

According to the Ernst & Young report, Avid shut down the fake profiles in the US, Canada and Australia in 2014 and in the rest of the world by late 2015. Nevertheless, some US users had conversations with foreign fembots until late last year.

The FTC fined another dating site, the England-based company JDI Dating Ltd, $616,165 in October 2014 for using “fake profiles to make people think they were hearing from real love interests and to trick them into upgrading to paid memberships.”

The Avid execs told Reuters that the company is planning to shift the focus off of infidelity to some extent and adopt a “vastly different approach” to how it’s marketed.

Some users aren’t particularly impressed by apologies or marketing shifts. One example is Serge Saumur, a lead plaintiff in the Canadian civil case, who told Reuters that he’s single and that he joined the site in early 2015.

He spent around C$100, he said, and that’s it: Ashley Madison won’t see another dime from him:

Whatever they are going to do to prove to me that they are safe or anything, I wouldn’t put no more money in there.


I’m trying in vain to feel sympathy for any involved; a company founded on encouraging clientele to deceitful behavior–surprise!–is discovered to have not handled things (a) with security at a priority or (b) with the best interest of their customers at heart.

We’ve all found ourselves in unpleasant situations we didn’t anticipate–by our own design and otherwise. Handling said aftermath with aplomb and integrity is lauded less and less these days, and here we’re treated to a prime example of “Society as Told by Mad Max,” v.01.0 beta.

How to regain credibility, indeed.

