August 11, 2015 — The infidelity website Ashley Madison may have used misleading tactics to gain millions of users’ trust and get them to provide personal data, according to a new in-depth analysis.
The report “How Ashley Madison Onboards New Users” by Samuel Hulick describes step-by-step how Ashley Madison lures users into providing credit card information and other personally-identifiable data.
The main page is emblazoned with logos like SSL “Secure Site” and a “Trusted Security Award,” an award that probably does not exist. Hulick warned: “While pictures of locks do not make a site more secure on their own (clearly, in this case), they sure can lead to the perception of it!”
After signing up with a fake profile, Hulick received a “match” within six minutes from a woman in Oregon. He said the match was almost certainly fake, meant to trick him into providing credit card information before he could send a message.
The problem arises when users want their personally-identifiable credit card information deleted. Signing up for Ashley Madison is free, but the website directs users to pay $20 for a “Full Delete” when they want to leave. Unfortunately, even after paying the money, Ashley Madison retains data on users.
In July 2015, a hacking group called “The Impact Team” compromised user databases and threatened to post the information unless Ashley Madison was taken offline. The parent company, Avid Life Media (ALM), has not complied. They are now facing possible class action lawsuits from users who paid to have their personal information deleted, only to have that information retained, stolen, and shared publicly.