Ashley Madison hackers leave footprints that may help investigators

http://arstechnica.com/security/2015/08/ashley-madison-hackers-leave-footprints-that-may-help-investigators/

The people who leaked more than 200,000 e-mails from the Ashley Madison dating service for cheaters left behind footprints that will almost certainly be of interest to police and company officials.

The BitTorrent file containing e-mail for Noel Biderman, the CEO of Ashley Madison parent company Avid Life Media, was originally uploaded by someone using a server operated by Ecatel Ltd., a web host headquartered in the Netherlands. A Web interface for administering the BitTorrent server was left exposed to the Internet without a password, making it possible for outsiders to access. A few hours after the BitTorrent went live, the server went dark after an outsider accessed the wide-open interface and began making changes to the server configuration. The above screenshot, published by a Twitter user calling himself Mr. Green, is just one example of such an outside access.

"Somehow, the person(s) setting up the original uploading (=seeding) of the file forgot to password protect the Web interface, or turn the feature off," Per Thorsheim, an independent security researcher in Bergen, Norway, told Ars. "I suspect [the hackers] used the Web interface to administer the various uploads of the leaks using BitTorrent."

The box seeding the torrent was located at 94.102.63.121. Police and private investigators working feverishly to identify the people who hacked Ashley Madison and published user profiles, transactions, credit-card data, and a wide range of other sensitive data will almost certainly try to perform a forensic analysis of the physical server. They are also sure to check how the server was accessed. If the hackers didn't use Tor or a similar anonymity service, the investigators may be able to collect clues from the IP address used to log in to the box.