The fallout emanating from the Ashley Madison data hack just can’t seem to end. Three weeks after hackers released upwards of 25 gigabytes of stolen company files, including identifiable customer information, former Ashley Madison CTO Raja Bhatia is now suing security researcher Brian Krebs for libel. Krebs, in case you’re unfamiliar, brought some old and private emails involving Bhatia to light just a few weeks ago.

In an article from Krebs titled “Leaked Ashley Madison emails suggest execs hacked competitors”, Krebs published emails that Bhatia sent to Ashley Madison CEO Noel Biderman wherein the former CTO boasted of being able to bypass the site security of, what was then, a growing and competing site called Nerve.com.

DON’T MISS: iPhone 6s: The 9 best new features

According to the leaked emails made public by Krebs, Bhatia wrote the following to Biderman in 2012:

They did a very lousy job building their platform. I got their entire user base. Also, I can turn any non paying user into a paying user, vice versa, compose messages between users, check unread stats, etc.

Following Krebs’ report, Bhatia wrote to him and demanded a retraction. Specifically, Bhatia took umbrage with the allegation that he hacked into Nerve.com. On the contrary, Bhatia claims that he merely observed some critical security vulnerabilities on the site and relayed his findings over to Biderman.

The complaint reads in part:

Contrary to the express statement in the article’s title and the suggestion in its body, Mr. Bhatia did not “hack” Nerve.com. Rather, he noticed a readily apparent security gap and remarked on it to Noel Biderman, Ashley Madison’s CEO, with whom he happened to speak shortly thereafter. At no time did Mr. Bhatia attempt to bypass Nerve.com’s security or to exploit its gap in any way. He did not bulk exfiltrate this data or attempt to alter it, as implied by the selective quotes from his emails included
in your post. To the contrary, Mr. Bhatia expressly stated that he would not do so in the email sequence referred to in the article, a point omitted from your report.

For what it’s worth, Krebs notes that he has absolutely no intention of issuing a retraction or even “correcting any elements” of his story.

It’s also worth noting that Bhatia, at the time the emails were sent, was no longer the Ashley Madison’s CTO, having had left the company a few years earlier.

As a final point, the people or persons responsible for the Ashley Madison data breach haven’t yet been identified, though Brian Krebs believes that he may have zeroed in on one potential suspect who, on Twitter at least, goes by the name of Thadeus Zu.

View Comments