Hacked - News Update - The Return of Miss Madison
Episode Date: April 21, 2020
Jordan and Scott discuss what happens when old leaked passwords claw their way back from the grave.
Transcript
It's 2015, and the world is such a simple place.
Just not for the users of a small dating site called Ashley Madison.
Back in 2015, a group of hackers calling themselves Impact Team
posts a link to a torrent on the dark web,
with 10 gigs' worth of leaked data concerning 32 million users
of the extramarital affair site, Ashley Madison.
The data dump included the real-world names of users,
their passwords, addresses, and phone numbers,
nearly a decade's worth of credit card information and payment transaction details,
and descriptions of what members were looking for on the affair site.
This was a full-blown, nothing left on the table, data breach of a dating site.
The story immediately popped off.
Reams of media coverage, internet vigilantes combing through the data for high-profile
individuals to target in public humiliation campaigns,
a dedicated search engine to peruse the leak.
And most importantly, for the purposes of this story,
the leak sparked a wave of sextortion scams around the world.
Pay me a thousand bucks in Bitcoin,
or I share this very sensitive information.
Because if I have this, imagine what else I have.
To be in that batch of leaked data was to be a bug hiding under a fridge.
Suddenly the fridge is gone, the lights are on,
and you have nowhere to scurry.
For some, you could shrug it off.
For others, it was a manageable embarrassment,
but for some, it was cataclysmic.
Marriages ended, reputations bruised if not broken.
It's hard to put an exact number on it,
but I found at least five suicides linked to the leak.
And then, the T-Mobile hack happens in September.
The Securist breach in November, another hack, another day,
the world moves on.
Until this last week, when my co-host, Scott, got a message from a friend.
It was a very strange email he got from some hackers.
They seemed to know a lot about him.
This is the return of Ashley Madison,
sextortion scams and zombie passwords on this Hacked update.
So tell me about this email.
Well, this email isn't unique.
I get asked this sometimes weekly, sometimes quarterly, but constantly people who know me ask me if this is a problem.
And they pull out their phone or they forward me an email and it says, hi, John.
We know your password is blah.
And we know this.
We know lots about you.
And, you know, we've bugged a porn site.
We've got, you know, some malware on your computer, whatever.
There's always a different spin to the manipulation in the email.
But then they say, you know, pay us X bitcoin or else. You know, or else, and, you know, whatever, whatever the threat is, the "or else" is followed by that.
I want to get to the password part of that.
Sure, that seems like where the actual meat of this is.
But I did notice in researching these kinds of emails that every single one, they put some sprinkles on top.
They don't just say we have your password.
They say we have your password, and we have your password and we have
webcam footage of you on a porn site.
Sure.
And we have leaked photos and we have this other thing.
Why do you think a hacker is reaching out to someone who has this, like, this little
kind of nugget of information would add in this additional lie?
I think it's like passive validation.
Like the, you've validated that they know things about you by showing you your password.
And then they just assume that if they can, you know, sink the hook.
They'll just believe whatever else they say.
Right.
Someone makes a claim like,
yo, I have like webcam footage of you on some website.
You're probably not going to believe that.
But if they precede it with, like, hey, here's your password.
I know this.
Suddenly all that stuff becomes like, I don't know, passively validated.
Well, the best thing is that everybody that forwards this to me,
they all have the same thing.
They say, this is actually a password I used. Used.
It's an old password. I haven't used it in a year or two, but it was a password that I used forever, and they know it. So, you know, should I take this seriously?
I get an email saying, hey, here's your password. Imagine what else we know about you. So if you don't want this getting out, send me some Bitcoin. What's actually happening there? Who are these people? How did they get this information? What's going on?
Yeah, so a lot of high-profile data heists. I'll call them data heists because it sounds cool.
You know, if you go to haveibeenpwned.com, you can literally type in your email address and it'll tell you which of the major data heists you've been a part of.
So, PlayStation Network, Ashley Madison, et cetera, et cetera.
And what's happened is these data heists lead to these big piles of data that get spilled out on the internet.
And slowly but surely, over time, you can run password crackers on the user table,
like we talked about in The Problem with Passwords.
And eventually you get people's real passwords.
It might take years to pull them out.
But you have them and you also have their contact details and their emails and stuff like that
because that's all part of kind of the user table.
So really, all this is, is a bunch of people writing scripts to automate
threats using, you know, data heist data as the input for it.
Does that make sense?
Yeah, I think so.
I want to dwell on that a little bit because I know we've talked about it in previous
episodes, the form these leaks take, but that user table that you mentioned, that's
the product of one of these leaks.
When these leaks happen, that's what gets out in the world.
Yeah, so like a lot of websites, anything that you log into, I call it a user table
just because it's often called "users" in the database,
but essentially it's a database.
All of these websites have databases behind them.
And to log into a website, there needs to be data inside of that website to validate that your username and password are real.
So that's often stored in the quote-unquote users table, which will have also your name and your email and anything else associated kind of with you as a user.
So you know when you go into my account, profile, edit profile, all of that detail, all of those things
are often in the user table.
You mentioned having to use a password, like, kind of cracker on that file.
Is that stuff supposed to be encrypted?
Is it supposed to be plain text?
Like, I feel like there's what happened with Ashley Madison,
which feels like both a failure of securing that table
and a failure of the table as, like, a structural thing.
Is that common?
Is it typically just like, here's all your stuff in a file,
or is it typically supposed to be, like, locked down,
even if that file gets out, it's protected in some other way?
I wish I had a different answer for you,
but no.
The passwords were encrypted, even with Ashley Madison,
but the table itself should really never get public.
That's the whole point of the hack and the heist
is to get that highly confidential piece of information.
Or often, it's just to get that piece of information.
Also, the, like, you know, quote-unquote credit cards table
would be sweet to grab, too, if you were in the database,
and is often a prize target, too.
But if you get enough user accounts, you get enough transactional data,
you can probably do a pretty good chunk of damage anyway.
So the person responsible for getting the information out of Ashley Madison,
the person who hacked that company,
that's almost certainly not the same people that are sending out these emails.
No, almost certainly not.
The people who hacked Ashley Madison were probably highly skilled hackers,
and the people who are generating these Bitcoin scams are just scammers.
Talk to me about those scammers.
What's their process here?
Are they just going on somewhere on the dark web
and finding this document?
Yeah, they would have downloaded the data repository
when it came out.
I remember it was super public.
Like there was, I think, were you on Ashley Madison.com?
Like that website had spun up like hours later
where you could like test your colleagues' emails
and see who was on Ashley Madison.
And it was like that data was very, very public.
So they find these pieces of data, they download them, and they try and figure out something that they can use to passively validate a threat.
And that is the encrypted password.
If you run enough kind of password cracking and decryption against it, eventually you're going to get a pretty big swath of passwords because most people don't have great ones.
And especially in today's kind of computing resources world, you know, you could be pretty aggressive in a brute-force password crack and probably get a lot, especially with that many accounts.
Right. So inside that document, so many of the passwords are something really easily guessable.
Yeah, password2018.
Sure.
Exclamation point.
I don't know who signed up for Ashley Madison in 2018, but...
Oh, whatever.
2013. I don't remember when the heist was.
But it makes it easier for you to be able to reverse engineer the rest of the passwords
inside of that document.
Yeah.
And, yeah, it's not a complicated process.
There's great tools for it.
And, you know, it'd be pretty easy,
especially with some of the larger word lists that you can download.
I mean, we do talk about this in The Problem with Passwords.
You can download these monster dictionaries of, like, lexicons of, you know,
all these words and combinations and variations of them
and quickly run those against any kind of password list you have
and often get a lot of wins.
So they probably did that as well.
So we've got the person who originally hacked Ashley Madison over here.
We've got the people that are sending emails to your friends saying, hey, I've got your password.
Imagine what else I have.
Send me a bunch of Bitcoin.
The people doing the decryption, the people turning that user table into actionable passwords associated with emails.
Is that someone in the middle of those two people?
Is that the original hacker or is that something that even the scammers can just be doing?
Yeah, even the scammer.
That's almost certainly being done by the scammer. It's really not that complicated. It's actually the saddest part, because
it's the most vulnerable part, or one of the most vulnerable parts, in that chain: you can
essentially decrypt a password by encrypting words and comparing them against the encrypted
version. So it's not two-way encryption. They're not actually unencrypting it;
they're just doing encrypt. Like, they just encrypt words over and
over until they get something that matches, and then they know what the password is.
Right. You've got this giant ream of encrypted passwords, and then you figure out what
encryption tool they used to generate it, and then you just start encrypting, like,
the word "password", the word "password", the word "password2013", and whatever you get out of that,
you just test that against your original table. Yeah, if they're the same, the password that you
encrypted to compare against it is their password.
Think about the last time you heard a breach story on this show. It always starts the same
way. Someone, somewhere, saw something too late. An alert buried, a signal missed, a SOC that just
couldn't keep up. Arctic Wolf set out to solve that problem by rebuilding security operations from
the ground up for a world where attackers are already using AI. They created the Aurora
superintelligence platform, a fully agentic system powered by a swarm of experts. Instead of single-purpose
bots or lucky-guess LLMs, this swarm is full of deterministic agents that handle whole entire
workflows. Humans stay in the loop and on the loop to validate the critical decisions and
keep everything trustworthy. And all of this runs on their secure operations
graph, a constantly updating intelligence engine fueled by more than 9 trillion telemetry
events every week and over a decade of real-world incident response. The system reasons on real
signals and real context, not synthetic training data. And the result is the new Aurora
Agent SOC. It's the first SOC that is agent-led by design. You get agents that coordinate,
agents that investigate, agents that respond at machine speed, and hundreds more that automate the
repetitive work that normally buries human analysts. Arctic Wolf didn't try and bolt AI onto an old
model. They rebuilt the model entirely. What makes it even more effective is how it works with
Arctic Wolf's concierge experience. The team brings customer-specific context directly into the platform
so every AI-driven decision reflects your environment instead of generic assumptions. The automation
frees your concierge security team to focus on higher-value strategy and proactive risk reduction
while the agents handle the grind. If you want to see what trustworthy, production-ready AI
in security operations actually looks like, go to arcticwolf.com slash hacked.
Ever feel like cyber threats are evolving faster than anyone can keep up? Last year, 2025, was nothing short of a record-breaking year for major breaches, from sophisticated ransomware operators to AI-enabled attacks
that turn defenses on their head.
Organizations around the world saw headlines they never expected,
and cybersecurity teams were tested like never before.
But here's the thing.
These incidents aren't just news headlines.
They're learning opportunities.
And that's why Arctic Wolf is hosting a live webinar on February 5th
diving into the most impactful breaches of 2025.
Their field CTO and security leaders are going to unpack not just what happened,
but why these attacks succeeded.
And most importantly, what businesses can do to fortify their defenses before it's too late.
You're going to walk away with real insights into how threat actors are evolving, how defenders are responding, and what strategies can help you stay ahead of the next big breach.
It's not fearmongering.
It's practical, actionable intelligence from experts in the trenches.
Register now at arcticwolf.com slash hacked.
I feel like I know the answer to this.
What do you do when you get one of these emails?
It pops up.
I know all this seedy stuff about you.
Know how I know all that stuff?
I have your password.
What should you do with that email when you get it?
I hit the delete key.
Does it tell you that maybe you should think about any other accounts that might have used
that password and go change them?
Yeah, 100%.
If you're still using that password, like, if your heart literally skips a beat because it's
not your old password but your current password, then you might be dealing with something
different, a different threat.
Or you just haven't changed your password in forever.
And if it's the latter, then you should probably go do that.
Yeah. That leak was four or five years ago at this point. Why do you think that information is coming back again right now? Because there was a revival of it in 2018. There's been a surge of it now in the last couple months. Why do you think people keep going back to those old pools of passwords? Is it just because people have forgotten about that original story and it might be relevant again? Give me a little glimpse into the mind of the people running these scams.
It's probably just, you know, them looking for new avenues to kind of brute force against.
These people are looking to run, you know, quantity over quality scams,
and they want to run as many as they humanly can.
So they're looking for any avenue to get any kind of leverage,
to cause people to think that they're in a threatened crisis.
Like my phone rings four times a week threatening me with the IRS, you know.
And it's all scammers.
And, you know, it tricks some people.
It doesn't trick me, but it tricks lots of people.
And the reason why they keep doing it is because it works.
Hey, everyone.
This is two-ish months of news updates.
Not sure if you guys love them, hate them.
We've heard some positive stuff.
We haven't heard a ton of negative stuff.
I'd love to know how you guys feel.
Hit us up on Twitter at Hacked Podcast.
If you're a patron, hit us up on Patreon.
We're thinking about doing less kind of weekly update mini episodes
and focusing on putting more time, more production value,
more structured storytelling into the big once-a-month episode.
Sort of see what that sounds like.
maybe an occasional news update here and there,
but really focusing on those
as an experiment for a couple months.
Hit us up if that sounds like what you'd like
out of Hacked moving forward,
and thank you for listening
as we crack
exactly what the show wants to be.
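Editor's added example, not code from the show or its hosts. The hosts describe cracking a leaked user table by "encrypting words over and over" and comparing each result against the stored value, then reusing the recovered password as leverage. The block below is a toy version of exactly that: a constructed user table, a tiny stand-in for the downloaded word lists, a rule-based mangler (case changes, year suffixes, a trailing "!" or "1") and the compare loop, followed by a check of which cracked credentials still work on a second constructed site, which is the "zombie password" case the episode is about. It assumes salted SHA-256 as the site's password hash so it runs with the standard library only; the real dump used a slow hash, and any table, email, salt and word list here is made up for illustration.

```python
import hashlib

# Assumption of this example: the breached site stored salted SHA-256.
# A real site should use a slow hash (bcrypt, scrypt, Argon2), which makes
# every candidate comparison below far more expensive for the cracker.
def hash_password(salt: str, password: str) -> str:
    """Salted SHA-256 as a stand-in for whatever the breached site used."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


# Constructed "users" table from the leak: (email, salt, stored hash). Made up.
USER_TABLE = [
    ("alice@example.com", "x1Qz", hash_password("x1Qz", "password2013!")),
    ("bob@example.com",   "9fLp", hash_password("9fLp", "Sunshine")),
    ("carol@example.com", "Tt0w", hash_password("Tt0w", "correct horse battery staple")),
]

# Constructed stand-in for the big downloadable dictionaries.
WORDLIST = ["password", "sunshine", "letmein", "dragon"]

# Constructed table from a *different* site, to show password reuse.
OTHER_SITE = [
    ("alice@example.com", "Kk2m", hash_password("Kk2m", "password2013!")),
    ("bob@example.com",   "Pq7v", hash_password("Pq7v", "N3w-Unique-Pass")),
]


def mangle(word: str):
    """Yield rule-based variants of one dictionary word: case changes,
    a trailing '!' or '1', and year suffixes 2010-2020 with or without '!'."""
    for base in (word.lower(), word.capitalize(), word.upper()):
        yield base
        yield base + "!"
        yield base + "1"
        for year in range(2010, 2021):
            yield f"{base}{year}"
            yield f"{base}{year}!"


def crack(table, wordlist):
    """Hash every candidate with the row's salt and compare to the stored value.
    Returns ({email: plaintext} for rows that matched, number of hashes computed)."""
    found = {}
    attempts = 0
    for email, salt, digest in table:
        for word in wordlist:
            for candidate in mangle(word):
                attempts += 1
                if hash_password(salt, candidate) == digest:
                    found[email] = candidate
                    break
            if email in found:
                break  # stop at the first hit for this row
    return found, attempts


def still_in_use(cracked, other_table):
    """Which cracked credentials still unlock an account on another site.
    This is the leverage the scam email relies on: an old password that was never changed."""
    reused = []
    for email, salt, digest in other_table:
        plaintext = cracked.get(email)
        if plaintext is not None and hash_password(salt, plaintext) == digest:
            reused.append(email)
    return reused


if __name__ == "__main__":
    cracked, attempts = crack(USER_TABLE, WORDLIST)
    print(f"{len(cracked)} of {len(USER_TABLE)} rows cracked after {attempts} hashes")
    for email, pw in cracked.items():
        print(f"  {email}: {pw}")
    print("still valid elsewhere:", still_in_use(cracked, OTHER_SITE))
```

Carol's passphrase never matches because it is not a mangled dictionary word, which is the practical lesson: a cracker gets "a pretty big swath" of a table exactly because most entries are a word plus a year and a punctuation mark. Alice's row shows the other half of the episode: the cracked value is only dangerous because she reused it.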
