[ISN] Credentials stored in Ashley Madison’s source code might have helped attackers

http://www.computerworld.com/article/2981553/security/credentials-stored-in-ashley-madisons-source-code-might-have-helped-attackers.html

By Lucian Constantin
IDG News Service
Sept 8, 2015

If you’re a company that makes its own websites and applications, make sure your developers don’t do what the Ashley Madison coders did: store sensitive credentials like database passwords, API secrets, authentication tokens or SSL private keys in source code repositories.

Judging by the massive amount of data leaked last month by Impact Team from AshleyMadison.com’s owner Avid Life Media (ALM), the hackers gained extensive access to the Canadian company’s IT infrastructure.

The ALM data dumps contained customer records and transaction details from the Ashley Madison infidelity website, but also the email database of the company’s now-former CEO and the source code for the company’s other online dating websites including CougarLife.com and EstablishedMen.com.

A London-based security consultant named Gabor Szathmari has found evidence that ALM’s developers were careless with sensitive credentials, which might have helped attackers once they gained a foothold on the company’s network.

[…]