Emails implicate Ashley Madison CTO in hack of rival dating website
'I got their entire user base,' Ashley Madison chief technology officer Raja Bhatia emailed his boss
Leaked emails from adultery dating website Ashley Madison implicate the company in the hacking of the user database of a rival website by the company's own chief technology officer (CTO).
The emails suggest that Ashley Madison CTO Raja Bhatia found a security flaw in nerve.com, a magazine website dedicated to relationships that had started its own adult dating section.
In an email dated 30 November 2012 to Ashley Madison CEO Noel Biderman, Bhatia said that he had found a way of accessing nerve.com's entire user database and could even manipulate user records on the website, according to security journalist Brian Krebs.
"They did a very lousy job building their platform. I got their entire user base," Bhatia told Biderman in the email. Bhatia included a link to a Github archive with a sample of the nerve.com database. "Also, I can turn any non-paying user into a paying user, vice versa, compose messages between users, check unread stats, etc," he wrote.
It is not clear, though, whether Bhatia was "penetration testing the rival", which Ashley Madison had considered acquiring for $20m, or whether the data was downloaded and used in some way.
The emails also indicate that security was a particular concern inside the company in the months leading up to the revelations in July 2015 that Ashley Madison's owner, Avid Life Media, had been hacked.
One member of staff, Mark Steele, wrote in an email to Biderman on 25 May 2015 that the company's platform was "riddled" with cross-site scripting and cross-site request forgery vulnerabilities "which are relatively easy to find (for a security researcher)... other vulnerabilities would be things like SQL injection/data leaks, which would be much more damaging".
The breach was discovered only on the morning of 12 July 2015, after the hackers had already had access for months, police in Toronto, Canada, said today. That was when staff arrived at work and, on logging in to their PCs, were greeted with a message from "The Impact Team", the group claiming responsibility for the attack, accompanied by the AC/DC track Thunderstruck.
Belatedly, the company today offered a $500,000 reward for information leading to the arrest and prosecution of the hackers behind the attack - although whether the company will survive long enough to pay out is another matter.
Today, there were reports of suicides linked to the data released last week by the hackers, as well as reports of extortion attempts by people and organisations that have trawled the dump for email addresses and other identifying information.