One month ago, tens of millions of men (and a few million women) were shocked to learn that as clients of cheating website Ashley Madison, whose motto is "Life is short. Have an affair", all their supposedly confidential information including names, email addresses, credit card data, personal profiles and virtually everything else, had been hacked by a group calling itself the Impact Team, which threatened release of all the client information unless Ashley Madison shuts down. There was some hope that the hackers were merely posturing or bluffing, but to the utter horror of Ashley Madison's 37 million customers - and to the sheer delight of millions of divorce attorney around the globe - last night the Impact Team did just as it threatened it would, and released a data dump with all the data in the form of a 9.7GB torrent.
The hackers' demands was simple: take Ashley Madison and Established Men offline permanently in all forms, "or it would release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails."
However, Avid Life Media, with visions of a lucrative Ashley Madison IPO still dancing in its head, decided to ignore the threats.
In retrospect this may have been a wrong move when last night, the Ashley Madison data trove made its way from the dark web where it had been circulating for the past month, to Bit Torrent, making the data available for the entire world.
The statement from Impact Team to Avid Life Media and Ashley Madison users was as follows:
Avid Life Media has failed to take down Ashley Madison and Established Men. We have explained the fraud, deceit, and stupidity of ALM and their members. Now everyone gets to see their data.
Find someone you know in here? Keep in mind the site is a scam with thousands of fake female profiles. See ashley madison fake profile lawsuit; 90-95% of actual users are male. Chances are your man signed up on the world's biggest affair site, but never had one. He just tried to. If that distinction matters.
Find yourself in here? It was ALM that failed you and lied to you. Prosecute them and claim damages. Then move on with your life. Learn your lesson and make amends. Embarrassing now, but you'll get over it.
Ashley Madison's owners promptly responded with a statement of their own late Tuesday, condemning the cyberattack and saying they are “actively monitoring and investigating this situation” while cooperating with law-enforcement authorities in the U.S. and Canada, where the company is headquartered. "This event is not an act of hacktivism, it is an act of criminality. It is an illegal action against the individual members of AshleyMadison.com, as well as any freethinking people who choose to engage in fully lawful online activities,” the statement reads. “We will not sit idly by and allow these thieves to force their personal ideology on citizens around the world."
There were other amusing tangents:
We have attempted to verify that the people that appear in the records are actually Ashley Madison customers, reaching out to a dozen of them by phone, email and Facebook. Unsurprisingly, the people we’ve reached have not been eager to chat. After reviewing a file with Ashley Madison accounts that included names, sexual preferences, addresses and phone numbers, we called every number. Only one number worked, and it was for a woman who turned out to be the wife of Ashley Madison’s original founder, Darren Morgenson, who sold the company to Avid Life Media years ago. Morgenson said the spreadsheet dated back to the company’s early days and was essentially a list of dummy accounts that employees had used for “quality control and market research” on the site.
In any event, by this point the damage was done.
There was some hope among the dejected users that the data released was fake however as Bloomberg reports, "the data dump appears to be “legit” and includes full names, e-mail addresses, partial credit card data and dating preferences, according to Robert Graham, chief executive officer of Errata Security, a researcher in Atlanta."
Internet security website Krebs on Security confirms as much:
I’ve now spoken with three vouched sources who all have reported finding their information and last four digits of their credit card numbers in the leaked database. Also, it occurs to me that it’s been almost exactly 30 days since the original hack. Finally, all of the accounts created at Bugmenot.com for Ashleymadison.com prior to the original breach appear to be in the leaked data set as well. I’m sure there are millions of AshleyMadison users who wish it weren’t so, but there is every indication this dump is the real deal.
So with confirmation of the data's legitimacy out of the way, the next and only question is who is on the list, and how credible is it.
Recall that, as Wired notes, the data released by the hackers includes names, addresses and phone numbers submitted by users of the site, though it’s unclear if members provided legitimate details. A sampling of the data indicates that users likely provided random numbers and addresses, but files containing credit card transactions will yield real names and addresses, unless members of the site used anonymous pre-paid cards.
Wired further adds that according to one analysis of email addresses found in the data dump also shows that some 15,000 are .mil. or .gov addresses.
Further user-level details posted on the 8ch.net website, reveal numerous users who used their employer-given email address to register at the cheating website, likely in refutation of corporate guidelines, which likely means that many former Ashley Madison users now have professional problems to look forward to in addition to the potential personal humiliation of being exposed. Among the alleged users uncovered include many JPMorgan, Bank of America, blue chip and government employees including some such as this one:
— zerohedge (@zerohedge) August 18, 2015
Then again, it’s important to note that Ashley Madison’s sign-up process does not require verification of an email address to set up an account, so legitimate addresses might have been hijacked and used by some members of the site.
Which brings us to the final question: just who is on the list. Early attempts to parse the full data, and present it in an easily searchable database have so far been unsuccessful, which is why those AM users concerned about the embarrassment of seeing their data appear on the internet, are urged to go straight to the source and find out whether they have been compromised there. This can be accomplished by going to the ImpactTeam's torrent website where one can find the data in one of two places: here and here.
And, for the naive ones, one way is simply to put their email into the following database. It is unclear what the result will be except for indirectly admitting guilt and putting one's email in yet another database which can be used and abused by unknown people for their own ulterior motives. We would not recommend it.