Raja Bhatia was the original CTO of Avid Media, Ashley Madison's parent company; in an email to Avid CEO Noel Biderman in the latest Ashley Madison dump, he describes hacking the back-end of Nerve, a competing dating site.
He describes Nerve's security as poor. He says he exfiltrated its entire database, and that he had the power to alter its customers' records: "Also, I can turn any non paying user into a paying user, vice versa, compose messages between users, check unread stats, etc." He also admits that Ashley Madison's security is poor, and that its users' passwords were stored unencrypted.
He asked Avid's PR team to get him in the media to discuss the hack of Grindr, another dating site.
Six months later, in May 2013, Biderman discussed whether he should disclose the vulnerability to Nerve.com.
"Should I tell them of their security hole?" he wrote Bhatia. There is no apparent response among the leaked emails.
Although the emails discuss setting up a phone call with Nerve.com, it's not clear if ALM did disclose the vulnerability.
Neither Avid Life Media nor Bhatia responded to a request for comment from WIRED.
Ashley Madison Leak Reveals Its Ex-CTO Hacked Competing Site [Kim Zetter/Wired]