A month after the adultery-dating website AshleyMadison.com (registered motto: “Life is short. Have an affair.®”) admitted that hackers had managed to breach its database, those hackers have apparently made all of the stolen data available online.
Ashley Madison is owned by Avid Life Media, which also owns other hookup sites, including Established Men and Cougar Life. The hacker or hackers behind the breach self-identify as The Impact Team. At the time of the original breach, The Impact Team threatened to release all of the information it stole unless the site was taken down. And now, it appears that they have made good on that threat.
As Wired first reported last night, yesterday somebody hiding behind anonymizing software and browsers posted 9.7 gigabytes of apparent Ashley Madison data to the dark web. “The files appear to include account details and log-ins for some 32 million users of the social networking site, touted as the premier site for married individuals seeking partners for affairs. Seven years worth of credit card and other payment transaction details are also part of the dump, going back to 2007 [including] names, street address, email address and amount paid, but not credit card numbers.”
At the time of the breach, AshleyMadison.com claimed to have almost 40 million members in all.
According to its own statements, The Impact Team's main complaint with Ashley Madison isn't the fact that the website promotes or facilitates adultery, but that it allegedly lied to its clients. Specifically, people with dating profiles on Ashley Madison were also offered the chance to pay $19 for a “full delete” function – basically scrubbing their complete profile and activity history from the site.
The Impact Team claimed to have discovered proof that the “full delete” service was a lie, and the information never completely deleted from the database. (Granted, there's arguably some inherent contradictions in The Impact Team's claimed motivation “We dislike the fact that this website harmed its clients, so we're punishing the website by releasing data that will harm its clients.”)
Ashley Madison executives did not take the website down and so yesterday, according to Wired, somebody released an alleged data dump, preceded by an introduction saying, in part, that:
Avid Life Media has failed to take down Ashley Madison and Established Men. We have explained the fraud, deceit, and stupidity of ALM and their members. Now everyone gets to see their data.
Find someone you know in here? Keep in mind the site is a scam with thousands of fake female profiles. See ashley madison fake profile lawsuit; 90-95% of actual users are male. Chances are your man signed up on the world's biggest affair site, but never had one. He just tried to. If that distinction matters....
Of course, there are other possibilities explaining how and why someone might apparently have a profile on the website. For starters, Ashley Madison doesn’t verify members' emails – you can register with any address, not merely your own. So, for example: although someone did apparently register there with the email address firstname.lastname@example.org, this does not prove that a certain recent former Prime Minister of the United Kingdom ever actually joined the site. The same holds true for the over 15,000 U.S. government or military email addresses found thus far, or the many teachers and professors whose current or former .edu addresses appear in the data dump (and it's easy to imagine students using their teachers' email addresses for joke registrations, in a more risque version of the old “Let's have a dozen takeout pizzas sent to Teacher's house” prank).
As computer security expert Graham Cluley pointed out on his blog (bold print lifted from the original):
…. being a member of a dating site, even a somewhat seedy one like Ashley Madison, is no evidence that you have cheated on your partner.
You might have joined the site years before when you were single and be shocked that they still have your details in their database, or you might have joined the site out of curiosity or for a laugh... never seriously planning to take things any further.
But more importantly than all of that, if your email address is in the Ashley Madison database it means nothing. The owner of that email address may never have even visited the Ashley Madison site....
Potential to ruin lives
This is especially important to remember because, as Cluley also says: “Others might find the thought that their membership of the site - even if they never met anyone in real life, and never had an affair - too much to bear, and there could be genuine casualties as a result. And yes, I mean suicide.”
This does indeed have the potential to ruin millions of people's lives — and not merely people who somehow “deserve” it, either.
After learning of the stolen data release, Avid Life Media released a statement saying that “Our investigation is still ongoing and we are simultaneously cooperating fully with law enforcement investigations, including by the Royal Canadian Mounted Police, the Ontario Provincial Police, the Toronto Police Services and the U.S. Federal Bureau of Investigation. … This event is not an act of hacktivism, it is an act of criminality. … We know that there are people out there who know one or more of these individuals, and we invite them to come forward. ... Anyone with information that can lead to the identification, arrest and conviction of these criminals, can contact [email protected].”