Video: Blackmail and Ashley Madison

According to reports, users of the hacked Ashley Madison website have received blackmail emails demanding that they pay up, or risk having their membership exposed.

How worried should they be?

Check out my latest video below, and feel free to subscribe to my YouTube channel.

Stay safe folks, and don't allow yourself to be blackmailed.


28 Responses

  1. Norbert (Bob) Gostischa

    September 11, 2015 at 1:48 pm #

    I agree with your statement "Never pay blackmail." I don't agree with the "Poor Unfortunate" term used to describe the users of the Ashley Madison site. Many certainly aren't poor and if you looked at the passwords used by many, they also aren't very bright.

    • StavoV in reply to Norbert (Bob) Gostischa.

      December 19, 2015 at 2:52 am #

      Problem I have, is that I didn't apply to AM. I have a couple of people, that would do anything to get even with me…..but proving it can almost be done. This apparently happened 8 or more years ago and the card used, was one of those wally world gift cards. Other than that, that is all I can find out. But payback is coming……

  2. Don T Judge

    September 30, 2015 at 12:55 pm #

    Great article Graham. And good advice as well. Thank you!

    Now to everyone else, it's amazing how quickly people appoint themselves judge and jury. It's simple, if you don't know the circumstances then keep your mouth shut! It's none of your business anyway.

    And to the impact team/blackmailers. Is it worthwhile to destroy people's lives? And not just the ones that were on that site? There are family members, children that are all going to suffer from your twisted idea of justice. I can understand going after AM. But you've published people's privacy and that's wrong. Here's a thought though…this isn't a Target/Home Depot/Sony breach. No, now you've got 17 million people looking for you. I use that number based on what I've read about the actual numbers. Either way it's a lot. So I hope that moment of ego was worth a lifetime of looking over your back. And given the fact that a small percentage have the means to find you, I'd bet you'll be caught much sooner than later.

    To the blackmailers. You guys are complete morons. Just as we've all learned online security is not real, so is it with your attempt to hide behind encrypted money transfers. Someone will figure it out and the trail that leads directly to you. And when you're caught, along with the impact team, be prepared to face a myriad of charges such as identity theft, extortion, terrorism, theft, to name a few. And it will be again 17 million counts. When you get to prison be prepared to be in isolation too, no doubt you won't be liked in prison either. Odds are you most likely ruined some convict's family member's life etc.

    Just some thoughts. And yea I believe there are plenty of victims here. A smart person will see that just using the Internet anymore can put you in this exact same situation. So judge away.

  3. John

    October 1, 2015 at 4:17 am #

    Agreed. Good advice. I have received 5 emails exactly the same as what was shown in the video. Made me laugh!

    So yes don't pay people. Nothing has happened to me for doing as they asked!

  4. Will

    October 12, 2015 at 9:01 pm #

    I have received 10 emails from 10 different people demanding anywhere from 2 to 5 bitcoins. There are 5 different bitcoin addresses. Total amount that I would have to send is approximately $10,000. I of course will not send them anything, but it is interesting that multiple people or organizations are in on this blackmail. The internet IS an amazing place to be, but sometimes it sucks!

  5. Tim

    October 13, 2015 at 5:26 pm #

    I also have a lot of these e-mails! I get a couple a week in my junkmail folder, exactly like the one shown. I haven't done anything since they started appearing, and I'm also fine.

    I signed up a couple years ago when I was single. I had just gotten into online dating, and reading articles about the site was really fascinating, so I logged in and took a look. Not proud of it!
    My current girlfriend actually did get an anonymous tweet about it right when all this stuff was in the news, so that was really annoying. We'd only been together a couple months, and we met on okCupid.com anyway, so it was actually a pretty short, although embarrassing, discussion.

    I still feel really uneasy reading these e-mails, to be honest, so it's nice to get some support on it. Thanks for the video!

  6. Don T Judge

    October 17, 2015 at 12:50 pm #

    I completely agree do not pay blackmailers. In this case, the data has already been leaked so there's no way to erase it.

    I've gotten quite a few of these emails. To date there seems to be four different versions, but if you look at the bitcoin addresses they are the same dependent on the email you get. At first I was concerned, I mean no one wants their personal information floating around the internet. But the milk has been spilled already so do the best you can with damage control, change your passwords, cancel your credit card that you used etc…

    I was tempted to reply with an expletive, but common sense took over. If you reply you're not only acknowledging that your email address is correct, but that you are worried and to some point have something to lose? There have also been a number of so-called "tools" to check if your email address is on the list. I forget the names, something like "have i been hacked"…I suggest not using those tools as I believe they are collecting more info to be used against you.

    The bottom line is this. They have not downloaded your Facebook contacts, stop and think at how massive an undertaking it would be to view each person's account, let alone download a copy of their friends lists? And then to construct an individualized message about what you did and email each contact with absolutely nothing to gain at all? And as far as letters go, that would leave a paper trail, again being time consuming to create along with being costly (postage) so I would not be worried about letters arriving.

    Just ignore these emails, eventually they will stop.

  7. John

    November 29, 2015 at 1:32 pm #

    I just Nov 28th received a paper letter in the mail. Same sort of Bitcoin pitch, mail merged in an attempt to look personalized. Full of threats. No return address. Asking for $2,100 in bitcoins and instructions on how to use it. Weird. With a stamp. My wife knows I was using the site to look for a threesome partner. But it's not worth $2100 to avoid any other person finding out. I can't imagine the human destruction a paper letter will do!! It's horrific all those lives destroyed for a couple thousand bucks? There are so many general and stupid assumptions made by the morons who did this.

    • Scott in reply to John.

      November 29, 2015 at 11:39 pm #

      Just got a paper letter as well. I can't pay because it won't help. Just gonna have to face the music if this person sends a letter to the wife. No other alternative. Completely sucks.

      • Bob in reply to Scott.

        December 1, 2015 at 3:05 am #

        I too received a paper letter on Nov 30th, not sure what to do. The letter included information on another person the blackmailer claimed ignored his letter and outlined how the blackmailer then contacted the poor fellow's wife, daughter, her boyfriend, and the fellow's coworkers and supervisors. Not sure if this threat should be taken seriously or not, but it's definitely a lot more worrisome than the Nigerian emails people have been getting.

        Any advice or anyone else feel any repercussions of not paying up?

      • Bob in reply to Scott.

        December 1, 2015 at 3:36 am #

        Letter received Nov 30th, similar language, including blackmailer mentioning another specific fellow with name, employer, contact info, and family member names that failed to respond to said blackmail letter. Blackmailer wrote that because this fellow didn't pay within the 10 days that he then contacted the fellow's wife, daughter, her boyfriend and the fellow's coworkers and supervisors. He invited recipient of letter to contact the fellow to verify that this was a real threat and to confirm that indeed he ruined the poor guy's life. Definitely scarier than the Nigerian email threats.

        Anyone else receive the paper letter? Anyone live through the aftermath of not paying up?

        • Henry in reply to Bob.

          December 2, 2015 at 4:19 am #

          Got exactly the same letter. It seems that a bunch of them went out at the same time, even though the letter talks about the unlucky few receiving it. Scary stuff as it's well written, clearly a template, talking about DNA and being untraceable. Mine came from Capital district, wherever that is.
          I also realized that all the info provided about the guy is public access, very easy to get. The guy seems to be still working at the place described in the letter.
          My gut feeling is that it's all BS, we should find out very soon, I guess.

    • Jim Blatten in reply to John.

      December 2, 2015 at 7:04 pm #

      Also got a similar letter. Working on trying to figure out next steps and maybe you can help with any clues. Create a burner email and message me at JimBlatten@gmail.com

      We can take things at your own pace and cautiously, but let's help each other out here.
      Jim

  8. Jim Blatten

    December 2, 2015 at 7:08 pm #

    Also got a similar letter. For all those that did, let's help each other out. Seems we are not alone.
    Email me at JimBlatten@gmail.com and let's chat further about next steps and any clues we can share.

  9. j stephen

    December 11, 2015 at 6:03 pm #

    Curious as to the end of the story. What happened?

  10. Rick Campos

    December 18, 2015 at 6:44 pm #

    I was not in the Ashley Madison database. Have never been on the site.
    I received a letter at my home address, postmarked from the east coast – “Capital District”. It was a two sided letter. It was demanding bitcoin. It included the instructions on how to obtain bitcoin. The first page was full of threats. There was no return address, the letter had a “Forever” stamp.

    At first, I just thought this was a typical scam letter, like those emails you get from Nigeria.

    However, I woke up last night in fear. What if this person accuses me, how do I prove to my wife that I was not an Ashley Madison user? I don’t want to go the data off the dark web that sounds sketchy and plus how can I be sure the data is real. Does anyone have any advice on what to do?

  11. David.A

    December 19, 2015 at 2:07 am #

    I got one as well, even though I'd never been a member. Checked my info and I am not in the AM data. My info, however, was involved in some other hacks. I've reported to the authorities. A message for Graham if he reads this….Have you reached out to see whether the Postal Inspectors are doing about this? This is absolutely crazy.

    • Graham Cluley in reply to David.A.

      December 19, 2015 at 3:30 am #

      The US Postal Inspectors Service have been in touch with me, and said that they would be interested in hearing from anyone who has received an AM-related blackmail threat through the mail.

      Their website is at http://postalinspectors.uspis.gov/

      Of course, if no-one reports the blackmail letters there is little they can do about them.

      You can read about one of the Ashley Madison postal blackmail demands here: https://www.grahamcluley.com/ashley-madison-blackmailers-sending-threats-postal/

      • David.A in reply to Graham Cluley.

        December 19, 2015 at 3:36 am #

        I've reported to Postal Inspectors and other authorities. Encouraging to know they reached out to you.

  12. Moce on with your lives

    December 19, 2015 at 3:16 am #

    Suuuuuuuuure, whatever you say "John," "Bob," "Scott," "David," "Rick," "Jim," "J Stephen," and "Henry." (Could've at least been more creative with your names…but you wanted them to be different than what you use on Reddit, so I kind of get it. Just lazy, though).

    Guys–there are no actual letters. These guys are trolls. Probably the same ones from Reddit just trying to scare you. I believe they are called "trolls."

    There are no actual letters. Nobody is receiving anything other than emails and those are dying down anyway. This story is dead.

  13. Jim Blatten

    December 19, 2015 at 4:04 am #

    Graham,

    Rather than a link, can you get us a name at the Postal Inspector's office? It would be easier to communicate with one person in charge of this case.

    Thanks.

  14. cary

    December 21, 2015 at 4:59 am #

    Graham,

    Like the other folks mentioned here, I too received a letter to my home with details requesting a similar amount of money to be sent in bitcoins.

    I have two problems with this. I was not involved with the Ashley Madison hack as I had never been on the site before. I was however a victim of the Patreon hack, as I had supported several artists from my community on that site.

    The second problem is – as I am not organized in my mail opening duties, the letter sat for a couple weeks. It was postmarked November 26th, and the deadline has since passed. I won't pay of course.

    In this circumstance, is it still worth reporting to the authorities? It has the same cancellation mark from the Capitol District that the other readers have mentioned too.

    thanks in advance

    • Graham Cluley in reply to cary.

      December 21, 2015 at 9:26 am #

      "is it still worth reporting to the authorities?"

      Yes. We can't allow criminals to get away with acts of attempted extortion like this. If you can, please report and share details with the likes of the US Postal Inspection Service.

      • Cary in reply to Graham Cluley.

        December 21, 2015 at 2:11 pm #

        Thanks Graham,

        I'm using http://postalinspectors.uspis.gov/ as you instructed,

        cheers!

  15. Mindy

    December 21, 2015 at 2:21 pm #

    This is totally bogus. I've never been married and certainly never used Ashley Madison, yet I received one of these "letters" as well. I was part of the Target Hack. These people are obviously pulling information from all over the place and just throwing these out randomly in hopes that some idiot will pay them even if they had nothing to do with AM. The mere suggestion of involvement, true or not, is clearly enough to send some busybodies into a self-righteous frenzy, as evidenced by many of the posts online.

    • Jim Blatten the Second in reply to Mindy.

      December 22, 2015 at 1:01 pm #

      Suuuuure. Show us proof.

  16. there are no letters in the mail

    December 21, 2015 at 2:44 pm #

    I contacted the US Postal Inspection Service and they confirmed that they have received NO such reports of any Ashley Madison extortion attempts via US mail.

    To those who say they reported such threats: are you sure you are reporting them to the correct authorities?

    To Mr. Cluley: prior to running this story, did you make any attempts to verify the authenticity of these people's claims? I think it is very possible, a near certainty, in fact, that these folks are trolling you in an attempt to scare others. You have to wonder why no other reputable news organizations are running with this. Seems like the only ones that have mentioned it are merely just linking to your article and not attempting to verify anything on their own.

    To the few people who have bothered to read the comments section here, know this: there are no such letters. All of the people (all with strangely common names out of sheer laziness) on this article from 11/29 on, are imposters trying to stir something up on a story that has been dead for months.

    Sorry to burst your bubbles, fellas.

  17. Jim Blatten

    February 16, 2016 at 5:08 pm #

    Shocking nothing has come of the letters in the mail.

    #hoax

    Cue the fake commenters in 3, 2, 1…..