![](https://d15shllkswkct0.cloudfront.net/wp-content/blogs.dir/1/files/2016/08/ashley-madison.jpg)
Controversial cheating website Ashley Madison has been slapped down by regulators in Canada and Australia for poor security following its now infamous hacking in 2015.
A joint investigation by the offices of the Australian and Canadian privacy commissioners found that the service had inadequate safeguards in place, including poor password management and a fabricated security trustmark on the website’s home page.
The report detailed an appalling lack of security that included, among other things, the company storing its VPN password on Google Drive, making it extremely easy to access via any employee’s machine. Passwords were stored as plain text on the company’s servers including in emails (they actually sent out emails with passwords in them) and text files.
Encryption keys were also stored in plain text, and one server was found with an SSH key that was not password protected, allowing an attacker to access the server without even needing a password to begin with.
On the privacy and advertised security front, the report found that the trustmarks on the front page of the site, including one with an icon labeled “trusted security award” that suggested the site was secure, were fabricated by the company itself.
As previously discovered following the hack, the report confirmed that Ashley Madison inappropriately retained personal information of users who had paid to delete their accounts. Perhaps more bizarrely, the databases released in the hack included information on people who had never signed up for the service at all.
“Privacy breaches are a core risk for any organization with a business model based on the collection and use of personal information,” Canada’s privacy commissioner Daniel Therrien said in a statement. “Where data is highly sensitive and attractive to criminals, the risk is even greater. Handling huge amounts of this kind of personal information without a comprehensive information security plan is unacceptable.”
The report made a number of recommendations that Ruby Corp., the company formerly known as Avid Life Media and owner of Ashley Madison, agreed to implement, including reviewing protections of personal information, advising staff of security procedures, stopping retention of information from deactivated accounts and no longer charging users to delete their information.
An investigation by the U.S. Federal Trade Commission (FTC) into the breach remains ongoing.