back to article What Ashley Madison did and did NOT delete if you paid $19 – and why it may cost it $5m+

Add a multimillion-dollar US class-action lawsuit to the growing number of court battles facing the owner of the hacked Ashley Madison website. A class-action complaint [PDF] filed in a US District Court in California this week alleges that Avid Life Media (ALM) neglected to properly secure the highly compromising personal …

  1. ma1010
    Holmes

    They have a point

    "Defendants were aware or should have been aware of the need to secure users' information, especially in light of the recent rise of massive security breaches on the Internet and the fact that the information contained on its servers is particularly sensitive."

    Kind of hard to argue with that, IMHO.

    1. oldtaku Silver badge

      Re: They have a point

      From their leaked email they were definitely aware - execs making jokes about how they should improve their security lol.

      That's definitely not going to help.

      1. Anonymous Coward
        Pirate

        Re: They have a point

        Absolutely unbelievable.

        There's obviously a need to track (former) users (abuse/de-dupe/whatnot) but even if charging people to be deleted wasn't extortion (on a site of this nature and in the context operated, it clearly is), charging for something which you then do not do is certainly fraud. As an absolute minimum, the slimy shits should have run all the expensively "deleted" (but retained for operational purposes. hehe) data through a cryptographic hash function in lieu of the deletion for which they were charging. Hashes of new registrants' address could be compared to those historical hashes to detect matches etc just as readily as comparing the cleartext.. and thus any match would have intrinsically disclosed the cleartext. At least then there'd have been some degree of obfuscation provided to protect those expensively "deleted" victims who'd forked out the protection money... for when the leak which the top management whiled away their time bantering about finally arrived. A little bit trickier or the GPS data I suppose. The least significant few digits of those GPS data would have had to be discarded before hashing, for the hashes to serve any useful purpose... but I can't see that loss in fine precision being any sort of problem... in fact, I'd like to see their argument to explain why exactly it was necessary to keep a record of which room of the building their "deleted" victims had been in when they'd registered... can't even imagine any plausible argument for them claiming any right or reason to have secretly captured data of that sensitivity from their active victims users in the first place.

        Although "white collar" criminals often escape custodial rewards, I'm finding this whole slimy saga so repugnant that I wouldn't be at all surprised if a decent stretch was deemed appropriate. The shits seem to have gone out of their way to defraud1, defraud2, then betray3 their victims.

        1Offer a free trial for would-be victims to peruse their siteful of fake profiles, then charge them to be brushed off by a bot.

        2Once said victim tires of being brushed off by said bots, point out that their details are being held on an humiliating and potentially damaging list and charge them (again) to be deleted (but not really)

        3Bantering about how it would suck for their victims if the database leaked, but not bothering doing anything about it, while continuing to lure fresh victims into the fraud and extortion racket.

        /dailymailmode

        1. Mark 85

          Re: They have a point

          Although "white collar" criminals often escape custodial rewards, I'm finding this whole slimy saga so repugnant that I wouldn't be at all surprised if a decent stretch was deemed appropriate. The shits seem to have gone out of their way to defraud1, defraud2, then betray3 their victims.

          While I agree totally with this, no charges have been filed against AM manglement, yet. Even though there's no honor among thieves, the question I think at this point, is which set of thieves do law enforcement go after first? Other than some customers expectation of privacy, I'm not seeing AM being a victim.

    2. Tom Samplonius

      Re: They have a point

      ""Defendants were aware or should have been aware of the need to secure users' information, especially in light of the recent rise of massive security breaches"

      Ahh... the ATT Defense: When we said Unlimited, it wasn't really unlimited but everyone should known that it was.

      Applied here: Our site is Secure. Of course, everyone knows that doesn't mean it is secure.

      1. Anonymous Coward
        Anonymous Coward

        Re: They have a point

        "When we charged them $19 to delete their accounts, we weren't really deleting them at all. Of course everyone knew we weren't really deleting their accounts when they paid us that $19"?

        Hmmmmmmmmm...

  2. Justin Clift

    Hmmm...

    "This massive data breach could have been prevented had Defendants taken the necessary and reasonable precautions to protect its users' information by, for example, encrypting the data entrusted to it by its users on a database level so that any information hacked and downloaded appeared in the encrypted format," the complaint reads.

    The hackers seemed to pretty much have root/superuser/admin access to the entire AM IT infrastructure, and "the database" mentioned there is a live/running one. So, it's pretty safe to say encrypting the data at rest wouldn't have stopped them gaining access to it, since they could access it via the running application.

    That being said, encrypting the data at rest isn't a bad approach for stopping other attacks. ;)

    1. Daniel B.
      Boffin

      Re: Hmmm...

      The hackers seemed to pretty much have root/superuser/admin access to the entire AM IT infrastructure, and "the database" mentioned there is a live/running one. So, it's pretty safe to say encrypting the data at rest wouldn't have stopped them gaining access to it, since they could access it via the running application.

      If the encryption had been made at the application level (that is, it is decrypted by the application itself, but stored encrypted in the DB), it wouldn't have been in cleartext in those dumps. Because they were made with mysqldump.

      1. Anonymous Coward
        Anonymous Coward

        Re: Hmmm...

        No, it would mean the application needs to store the encryption key, and usually it's more difficult to protect it there than at the database level. Moreover, any application accessing the data needs to know the key.

        Usually the best approach is let the database do the encryption, and then if needed protect the communication channel.

      2. Justin Clift

        Re: Hmmm...

        If the encryption had been made at the application level (that is, it is decrypted by the application itself, but stored encrypted in the DB), it wouldn't have been in cleartext in those dumps. Because they were made with mysqldump.

        Sure. (Note - I have not looked at the AM data set at all, as it's not of any interest to me.) The attackers had full root/superuser/admin level access though, so encrypting the data in the application instead of in the database just means they would have proceeded slightly differently to get the end result.

        So after using mysqldump, they would have then decrypted that using the same key/password/whatever that the application is unlocking it with. (This is pretty straightforward stuff, and not hard to do.)

    2. Anonymous Coward
      Anonymous Coward

      Re: Hmmm...

      I wonder what edition of MySQL they used... because AFAIK database encryption is available only in some commercial edition.

  3. Henry Wertz 1 Gold badge

    Greasy

    Honestly I don't know if they should have to make a payout just for the data breach -- it really depends on if they were negligent with their security, or if it was fairly up to snuff and the hackers did something really tricky to get the data. (I do suspect the data security was rather lax.) But charging to delete an account, then not actually deleting it? GREASY. They should be absolutely taken to the cleaners for this.

    And this is why I do not give a website ANY information unless I'm quite sure I'll never want to take it back. Many sites do not have a "delete my info" option, and ones that claim they do will OFTEN lie and just "make the information inaccessible" or something instead of, you know, actually deleting it.

    1. drunk.smile

      Re: Greasy

      Yes, although sometime that's also the user's fault for not knowing what they want sometimes.

      I used to run the system for a company where we did actually delete the record, everything, but then the customer complained when the telesales team called them up a few months later trying to sell them products.

      We ended up having several levels of delete.

      - Deactivate & Suppress (turn your account dormant)

      - Delete & Suppress (clear the customer records, but put their contact details on suppression lists to ensure sales don't call them again).

      - Full Delete (remove all information about the customer and make it clear to them that this means sales could end up calling them).

      A surprising number of people still kept on going for Full Delete & then complaining when telesales phone them up. Idiots.

      In Ashley Madison's case though they offered a full delete service and didn't provide it, then they got caught. Idiots.

      1. a_yank_lurker

        Re: Greasy

        Your system is reasonable, levels of deletion to suit the customer. And you follow through. Full delete means there are no records kept. AM needs a good schooling on the meaning of "full".

        1. Doctor Syntax Silver badge

          Re: Greasy

          "Your system is reasonable"

          No it isn't. It appears to have been a response to complaints about his company pestering random people with random phone calls. If they didn't indulge in such anti-social behaviour a deletion should simply have been a deletion.

          1. drunk.smile
            Stop

            Re: Greasy

            Yes it is. And yes, these people are idiots.

            The complaints are not about the telesales call, they are about the repeated sales call when they have asked us to remove all records of them from our systems.

            If you're not on TPS and you have told us that we can't keep a record of you on our internal suppression lists then don't be surprised if you get called again in a few months when we refresh our call lists. We're not the ones being unreasonable, you are.

            In answer to the question from another poster further down, yes there is such a thing as full delete we scrubbed the records clean, detailed backups were kept for a week and then were aggregated so that no personal data remained if someone wanted full delete.

            In answer to the other posters who don't quite understand how telesales calls work.

            Get as angry as you like, our droids will brush it off because they're professionals (they get thousands of "No" a week and make money on the small percentages that say 'yes'. do you really think you make much difference in their lives?). You are the one that has to carry that anger around with you. Your kids are the ones who have to watch daddy shouting down the phone at a stranger whilst the family is about to sit down for dinner; real great example for them you set, father of the year.

            If the sales company is breaking the rules (not necessarily laws, most of the codes they sign are voluntary & unenforced) then complain, but don't take it out on the 'droid'. Take it out on the guys like me who design the systems. It's our job to put a system in place so the rules are followed and the sales agents can just call & make their percentages as quickly as possible.

            Oh and if you can't work within the system and can't or won't understand why we need to keep a record of you to suppress future calls, then I will call you an idiot, but not to your face because I too am a professional.

        2. T. F. M. Reader

          Re: Greasy

          Full delete means there are no records kept.

          Is it really true, ever? Does anyone scrub backups?

      2. heyrick Silver badge

        Re: Greasy

        "then complaining when telesales phone them up. Idiots."

        That reads as I'd need some sort of account with your company so you don't pester me.

        Is it not unreasonable for somebody to expect a "full delete" to be exactly that? Including from whatever contact list your telesales uses?

        1. Ralph B

          Re: Greasy

          Is it not unreasonable for somebody to expect a "full delete" to be exactly that? Including from whatever contact list your telesales uses?

          Maybe the telesales are using the telephone directory. Should they delete you from that too?

          More likely they are buying a leads database from some other 3rd party. Practically speaking, if they are to avoid pestering you in the future, they are going to need to keep a record of you to remember to do so.

          1. Doctor Syntax Silver badge

            Re: Greasy

            "Maybe the telesales are using the telephone directory. Should they delete you from that too?"

            In the UK there is such a thing as the Telephone Preference Service. It's a list of phone numbers that shouldn't be called. If a telephone sales organisation is using the telephone book they should filter it against that list.. So in effect the answer to your question is "yes".

            And a numbers not to be called list needs no other information than the numbers so your final statement, that they need to remember "you" is false; all they need to remember is a telephone number.

            1. Justin Clift

              Re: Greasy

              In the UK there is such a thing as the Telephone Preference Service. It's a list of phone numbers that shouldn't be called. If a telephone sales organisation is using the telephone book they should filter it against that list..

              Really wished that worked over here in the UK. In Australia, there is a (national?) "Do Not Call Register", which is easy to add your phone number to online. It's enforced well, and marketers really don't screw with it.

              Nothing over here in UK seems to work though. :(

              Extremely sick of robodialers and similar ringing during the day, when I've been working through the night (am not a morning person!), so I got rid of my landline, and I no longer live in a mobile service area. Problem solved so far. (Hope I don't need to make any emergency calls!)

              1. Wzrd1 Silver badge

                Re: Greasy

                "Really wished that worked over here in the UK. In Australia, there is a (national?) "Do Not Call Register", which is easy to add your phone number to online. It's enforced well, and marketers really don't screw with it."

                We have a similar 'Do Not Call' database. A few idiots actually tried to use it as a calling database, to end up meeting a judge, jury and prison guards.

                Today, some foreign call centers either ignore it or use the database, obfuscating and forging their caller ID.

              2. Voland's right hand Silver badge

                Re: Greasy

                Extremely sick of robodialers

                Your solution is half-correct. Killing the land line is the right step. Not having a number at all is an overkill. The biggest seller of data to marketing scum is BT and the like. I ended up turning off that line same as you.

                At the same time, I have never had a marketing call on my Sipgate and Teleappliant VOIP numbers. They just work and I never get any tele-scammers calling them.

      3. Doctor Syntax Silver badge

        Re: Greasy

        "A surprising number of people still kept on going for Full Delete & then complaining when telesales phone them up. Idiots."

        You were making unsolicited phone calls & think the recipients are idiots for complaining?

        Is there no limit to the stupidity of marketroids?

      4. Jedit Silver badge
        Mushroom

        "... then complaining when telesales phone them up. Idiots."

        If you claim to have deleted my records completely then your sales department phones me up, then either you're lying about deleting records or your company is cold calling. Either way, if you think I'm an idiot for being angry about that you can go fuck yourself.

        E: Doctor Syntax - you'd be amazed how many companies give zero shits about the TPS. They get around regulations by claiming it's a market research call so they can claim you consented to receive the sales pitch if you answer any questions, or by saying each time they call that they're very sorry, it was a mistake and they'll take you off the list (which wears thin after the third or 23rd time, but hey - they didn't know, they just have a list). That's assuming they don't simply base their call centres outside the UK, or not give their number and/or company name so you can't even file a TPS complaint.

        1. Alan Brown Silver badge

          Re: "... then complaining when telesales phone them up. Idiots."

          "They get around regulations by claiming it's a market research call so they can claim you consented to receive the sales pitch if you answer any questions, "

          It's a specific offence in the UK for a marketing call to turn into a sales call or to be followed up with one.

          If you get any like this you should notify both Ofcom and the ICO.

        2. Doctor Syntax Silver badge

          Re: "... then complaining when telesales phone them up. Idiots."

          "They get around regulations by claiming it's a market research call"

          AFAIK market research calls come under TPS as well. And as I operate a zero tolerance policy they will be reported no matter how much they apologise. The real problem here is those who call because they think I'm a customer & that's allowed (by the Blair govt so that that excuse is akin to taking business advice from the experts who brought you the big housing bubble and its consequences); these are dealt with by the simple expedient of ceasing to be a customer.

          "That's assuming they don't simply base their call centres outside the UK, or not give their number and/or company name so you can't even file a TPS complaint."

          The few I receive get the long weight treatment. It seems to be pretty effective as I don't get many. However I did have a missed call the other day which on googling turns out to be a number used for calls from "Microsoft". And I missed it! Colour me disappointed.

          1. Antonymous Coward
            Headmaster

            Re: "... then complaining when telesales phone them up. Idiots."

            "The few I receive get the long weight treatment."

            You beat them with a plumb-bob "Dr Syntax"?

            1. Wzrd1 Silver badge

              Re: "... then complaining when telesales phone them up. Idiots."

              "You beat them with a plumb-bob "Dr Syntax"?"

              I was thinking more like a sash weight.

            2. Jonathan Richards 1

              @AC Re: long weight

              The good Doctor wrote 'weight' very deliberately. It's a reference to one of the jolly japes traditionally played on the newest, greenest apprentices in factories and workshops:

              Journeyman [hefting a standard-shaped weight]: "Here, Bill, go down to the stores, and ask them for a long weight, will you?

              [Bill trots to the stores, addresses storeman]

              Bill: Mr Jones sent me down for a long weight, please.

              Storeman [suppressing a smirk]: Alright, lad, stand over there in the corner, and I'll fetch you one.

              [time passes... .... .... ]

              --<[curtain]>--

              Storemen were also in on the joke when asked for left-handed screwdrivers, or replacement bubbles for a spirit level.

              1. Doctor Syntax Silver badge

                Re: @AC long weight

                "Storemen were also in on the joke when asked for left-handed screwdrivers, or replacement bubbles for a spirit level."

                Don't forget the striped paint.

            3. Doctor Syntax Silver badge

              Re: "... then complaining when telesales phone them up. Idiots."

              Old practical joke on apprentices - allegedly. You send them to another department for a long weight (it depends on how you pronounce it) or a long stand. If you were the apprentice I think you'd have been caught.

          2. Wzrd1 Silver badge

            Re: "... then complaining when telesales phone them up. Idiots."

            "However I did have a missed call the other day which on googling turns out to be a number used for calls from "Microsoft""

            Yeah, I'd be disappointed too. I love to waste their time, doing my best to confuse the bastard for as long as possible. I've gotten them stretched out to as far as 15 minutes, variously saying "My computer brand? Cray. C. R. A. Y. Yes, I don't see that prompt"...

            Notable, most of the unsolicited calls I do get are out of country and are running caller ID obfuscators. A bit of kit between the ID device that kills the reading after the first CID signal is received found a more accurate, out of country phone number.

            Hmm, perhaps I can stop off on the way to work and borrow an armed drone...

      5. The Vociferous Time Waster

        Re: Greasy

        They should be two separate databases. When I stop being a customer I should go from the customer database and if I choose to be retained as an entry on the 'do not call' database that should not imply I was ever a customer.

  4. Efros

    Chapter 11

    I foresee a shuttering in the near future.

    1. asdf

      Re: Chapter 11

      And corporate law will probably protect the assets of the owners and management of the company that caused the problem. Typical.

      1. a_yank_lurker

        Re: Chapter 11

        It is hard to do, but the corporate shell can be pierced in some situations to get at personal assets. Whether this would the case here, I do not know.

        1. Alan Brown Silver badge

          Re: Chapter 11

          "the corporate shell can be pierced"

          The fact that management knew that their security was lax would count against them.

          The question becomes what they decided to do about it - joking is "bzzt, wrong answer" and indicates recklessness that might possibly be enough to pierce the shell.

    2. Morrolan

      Re: Chapter 11

      Just a note: ALM is Canadian. Chapter 11 is US bankruptcy law, Canada's bankruptcy laws are somewhat different.

      It'll be a while before any bankruptcy declarations might be made anyway. They'll probably fight the lawsuits and try to save their business, and I suspect they have quite a bit of cash in the bank given how high their fees are.

      1. Neil Barnes Silver badge
        Joke

        Re: Chapter 11

        quite a bit of cash in the bank given how high their fees are.

        Yes, but will they have to pay to withdraw it?

  5. This post has been deleted by its author

    1. Doctor Syntax Silver badge

      This is data they should no longer be holding. A belt and braces approach of holding it elsewhere is a breach of that. For all we know this could have been a dump of such a belt and braces copy.

      1. Squander Two

        > This is data they should no longer be holding. A belt and braces approach of holding it elsewhere is a breach of that.

        Exactly. Yes, of course they had reasons for keeping the data. Everyone always has a reason to keep stuff that's valuable to them. But wanting something because it's valuable is not a good enough reason to have it. It has to also be yours.

        Quite a few comments here about needing data for de-duping or whatever, and addressing the technical issue of how best to store it securely. This completely misses the point. Yes, AM screwed up their security. But only for users who hadn't bought the deletion option. For those who had, AM didn't screw up the security; they screwed up by thinking they were allowed to keep hold of data that they had contractually agreed to delete.

        1. Alan Brown Silver badge

          "For those who had, AM didn't screw up the security; they screwed up by thinking they were allowed to keep hold of data that they had contractually agreed to delete."

          The problem with claims about having removed personally identifiable bits of data when storing this kind of data is that when several such sets are combined the personal identifiers just pop straight back out at you.

          This is something that the NHS in particular needed substantial "re-education" about with their "redacted data sets" which had more than enough information in them to reconstruct an individual's medical history.

  6. cantankerous swineherd

    perhaps people will start to get the idea that privacy and security on the internet are, in practice, unachievable.

    your data can and will leak, if not immediately, then eventually.

    1. Anonymous Coward
      Anonymous Coward

      Two prongs to this fork. Both good.

      Completely agree with your hope that the publicity this is getting could, perhaps, instil into the masses some sense that their online privacy could be worth considering.

      Over on the other side of the coin: I'm also inclined to hope, probably equally wishfully, that a fittingly draconian sentence for this wanton negligence could serve as a desperately needed rocket up the arses of the rest of the smug, conceited & complacent "social media" racket corporations.

  7. Mark 85
    Trollface

    If I were a miscreant...

    I'd pop out the following email and wait for the cash to roll in:

    From: DeweyCheatem&Howe, Attorneys

    To: <$email addy>

    Dear <$email addy>

    Your email and details were found in the recent Ashley Madison data theft. We're filing a class action suit on all members behalf.

    If you would like to be a part of this suit, the cost is $50.

    If you would like to NOT be a part of this suit and have your details made known in a court of law, the cost $100.

    Please forward your bank/credit card details immediately.

  8. OllyL

    Tax records?

    surely for audit/tax purposes they must have to retain who paid them how much and when? I saw an earlier post which suggested that paid removals should be stored offline, which makes sense, but surely for their end of year books etc...they must have to keep these records in the main 'online' database?

    1. Anonymous Coward
      Anonymous Coward

      Re: Tax records?

      ...they must have to keep these records in the main 'online' database?

      Why? Why not simply sync your nice, secure, OFFLINE accounts system with the big scary and inevitably less secure online webstuff once a year at tax time via a USB stick or suchlike? Keep the requisite records and archives THERE. Safe. Offline... and use the less secure online webstuff for ONLY less secure online webstuff?

    2. Squander Two

      Er, what?

      > surely for audit/tax purposes they must have to retain who paid them how much and when?

      Since when do you need to record who your income comes from for tax purposes? I bought lunch earlier. The takeaway didn't ask for my name or address. And they still gave me a VAT receipt that I can use to make an expenses claim off HMRC.

  9. Anonymous Coward
    Anonymous Coward

    Lat Lons

    Boy, that Mr Johnston NEXT DOOR sure is in trouble now!

    1. Eddy Ito

      Re: Lat Lons

      Really, six decimal places on longitude? That's one hell of a GPS that can tell location within the length of an iPhone.

  10. Anonymous Coward
    Anonymous Coward

    Banking and government aside

    Is there a realistic expectation that what you put on the Internet, stays private?

    Want real security, don't tell the web.

  11. Neil Barnes Silver badge

    But... do people *really*

    wander around with the GPS on their mobile phone permanently on? Unless you are actively navigating, it has *zero* utility to the user (ok, plenty of utility to the advertisers) except as a battery tester.

    In this case, the GPS location is pointless unless it's updated regularly, all the time. And that's even creepier than the whole thing already is.

    (I'm assuming this is a mobile-only 'service' - it's rare to see GPS on a desktop)

    1. Anonymous Coward
      Anonymous Coward

      Re: But... do people *really*

      " But... do people *really* wander around with the GPS on their mobile phone permanently on?"

      It depends on what mobile they're using. AFAIK Android defaults to location services switched on all the time. That doesn't mean the GPS chipset itself is running all the time; Android is perfectly capable of generating location data from proximate WiFi networks. It will switch on GPS only if an application asks for high precision location data when there is a shortage of recognisable WiFi networks nearby.

      Specific problems for Ashly Maddison With Location Accuracy

      There is another angle to the deleted accounts containing location data, one that could expose the company to far wider claims than at present. Whilst mobiles are reasonably good at measuring their position, they're not perfect. Where I live for example my mobile will quite often say that it's located in my next door neighbour's house. That simply down to the limitation on the accuracy of the location services.

      So, if I had been an Ashly Maddison user (which I wasn't), and had created an account from home and then deleted the account, the remaining data that has now been leaked would now point resoundingly at my neighbour's property. The other remaining data wouldn't be so far off the mark either. If his other half then made a search she would undertandably, though erroneously, conclude that he had been a user of Ashly Maddison.

      And in this hypothetical situation, what sort of person would it take to volunteer that there might actually be a mistake in their neighbour's findings at the risk of wrecking their own domestic situation? Afterall, Ashly Maddison probably haven't got enough data left to say no, he was never a user, etc.

      Data Protection Act and Data Accuracy

      In other words, this leaked deleted data might ruin the lives of people who are utterly uninvolved with this seedy company, simply because of the limitations of a mobile phone's location services.

      At least here in the UK this could create a massive liability under the Data Protection Act. A company is required by law to accurately process information. If they're using something as sensitive as location data as part of that processing (and they clearly are), they have to be completely certain that the location data is completely correct. In a lot of residential areas, being accurate to within 10m, or even 5m, is not good enough to denote the actual building where the user resides (if they were stupid enough to set up the location from home). That fact alone could land them with a massive fine.

      1. glen waverley
        Big Brother

        Re: But... do people *really*

        Accuracy of location data ...

        A few other thoughts.

        1 Many people live in apartments/flats/tenements. AC's comment re 5 or 10 m accuracy would smear the location across many possible units. So plausible deniability there. Plus, altitude does not seem to be in the dataset, giving much more candidate units if a highrise building.

        2 Unless they take lat and long from address, not gps data. Which might well be billing address for the credit card. You know, the one you used to pay the $19 to get rid of that very data. Need address to verify credit card for "card not present" transaction. AM might as well do a quick geocoded address lookup while waiting for the credit card transaction to go thru.

        1. MacroRodent
          Big Brother

          Re: But... do people *really*

          Many people live in apartments/flats/tenements. AC's comment re 5 or 10 m accuracy would smear the location across many possible units. So plausible deniability there.

          On the other hand, if you live in an even slightly isolated location, GPS location (or a location deduced from WIFI hotspots or cellular towers) may reveal your true identity even if you used a fake identity for registration. Does not have to be a mountaintop in Montana, just a house with enough space around it to make the nearest neighbour, cafe, or a busy street over 20m or so away.

    2. Anonymous Coward
      Anonymous Coward

      Re: But... do people *really*

      I thought it strange to log GPS cordinates of their users but I guess due to the nature of the website it maybe have been included in case of predatory rapist.

      1. Anonymous Coward
        Anonymous Coward

        Re: But... do people *really*

        More likely to help spot spammers... User says they're in such and such a city but really they're sat in Nigeria. Could immediately flag them to warn users. Have seen other sites do this.

        1. Major N

          Re: But... do people *really*

          Or, log the most recent co-ords on login, so if you're out in a city, it can show you users 'in your area'. IIRC Tinder did something like this...

  12. Anonymous Coward
    Anonymous Coward

    'Presumably ALM kept these details on file, even if you paid to delete your account, so it could get a picture of how old its users are, where they are from, what sort of person they are, and so on.'

    You should change 'to get a picture' into 'sell those data to anybody willingly to pay for them'.

    Again, in such business, you're always the product, never a customer.

  13. Matthew 17

    If they sue for $5m because of the data leak

    Aren't they then going to be sued by their soon to be ex-partners for the same $5m?

    1. macjules

      Re: If they sue for $5m because of the data leak

      +1 My thoughts exactly.

  14. Anonymous Coward
    Anonymous Coward

    Wait they stored turn on and open to data in pipe separated varchar columns?

    Bunch of fucktards.

    1. Anonymous Coward
      Anonymous Coward

      What do you expect from web developers? Many-to-many relationship are hard to query and code, what's better than parsing a string, and do some slow queries using string functions?

      And did somebody expect these people able to implement proper security? Looks another cheap job made by cheap devs to 'maximize shareholder value'.

    2. teebie

      and the turnons include "55 pipe 56". That is one busy party

    3. Anonymous Coward
      Anonymous Coward

      I posted this and I'm a web developer - what I think that you meant is Lazy/Useless web developers.

      Some of us know what we are doing....

      I suspect that AM spent next to nothing hiring developers for the site and they were either inexperienced which lead to the security issues and pipe separated varchars or they were getting paid so little they knew what they were doing and didnt care!

  15. Anonymous Coward
    Joke

    Silver-linings

    I'm sure that Cosmo' or similar could run these records thru' a headline generator and tell their readers how likely to stray their man is based on height/ weight etc.

    "....is your man under 5'2 and weighs over 200lb's? Relax, you've got a keeper!"

  16. macjules
    WTF?

    Status Value? DES_ENCRYPT?

    Status Value does not change. I would have expected that normally that would be the difference between 'published' or 'active' and 'unpublished' or 'inactive'.

    Surely *someone* could have just flicked over to MySQL and spent 5 minutes reading up on DES_ENCRYPT?

    No? Good luck with the lawsuit, I think you are going to need all the luck you can get.

  17. Anonymous Coward
    Anonymous Coward

    Looking at the remaining data, I have no problem with them retaining 90% of the data. Height, age, weight, etc. I can see how that would be useful for firmographics. I just don't know why they need to keep the town, longitude and latitude which can identify a person. (Especially in a small town.) And this is why they are culpable.

  18. Gis Bun

    One wonder why you have to pay to get your account removed. Facebook doesn't do it. Neither for Hotmail or Gmail. Wouldn't be surprised if Apple charged though.

    That said there are many fake accounts or where contact information which aren't valid. [And of course is valid for the dummies who were dumb enough to give real information.]

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like