When one or more as-yet-unknown hackers breached marital infidelity site Ashley Madison last month they threatened to out all the “cheating dirtbags” they could find – unless parent company Avid Life Media (ALM) shut it down along with its other hook-up sites Cougar Life and Established Men.
As those responsible for the attack threatened to drip feed real names, addresses, emails and sexual fantasies into the public domain, I imagined large numbers of people prepping elaborate excuses in case their unknowing partners ever found out what they were getting up to behind their backs.
But as time went by, and no details emerged, I sensed a collective sigh as millions of users exhaled a breath they’d held onto for far too long.
Alas, for them, their worst nightmare returned last night.
With a vengeance.
A huge file – just under 10 gigabytes in size – was made available via BitTorrent. While there is nothing in the file itself to confirm that it relates to Ashley Madison, some security researchers have provided anecdotal evidence which certainly points in that direction.
Security reporter Brian Krebs, who initially had showed some scepticism over the dump, now suggests it is genuine, publishing an update to his latest blog post in which he said:
I've now spoken with three vouched sources who all have reported finding their information and last four digits of their credit card numbers in the leaked database... I'm sure there are millions of AshleyMadison users who wish it weren't so, but there is every indication this dump is the real deal.
Contained within the file are email addresses, profile descriptions, postal addresses, GPS locations, sexual preferences and weight and height details. A separate file containing credit card transaction data – but not full payment card numbers or billing addresses – was also published.
According to a message included with the data, the Impact Team – the group allegedly behind the breach – says any consequences of the dump are on ALM, a group it says “failed you and lied to you.”
The Impact Team went on to suggest that affected users should prosecute the company and claim damages. It also made the following very valid point about the people who signed up for the service:
Chances are your man signed up on the world's biggest affair site, but never had one. He just tried to. If that distinction matters.
Of course that is a very simplistic assessment of the situation. Let’s not forget it’s not only men who have or seek affairs – women do too, though Rob Graham suggests far smaller numbers of women used Ashley Madison, at least according to the data at his disposal.
Also, just because someone’s email is in such a site’s database, it doesn’t mean they were ever looking to cheat in the first place – I’ve seen more than person claim they signed up for ‘research purposes’.
Likewise, let’s not forget the very real possibility that some of those people within the database may be victims of harassment. While revenge porn is attracting a lot of media attention these days, the signing up of exes to dating, hookup and escort websites is also a common form of retribution.
Additionally, the presence of an email address within Ashley Madison’s database does not offer concrete proof that the owner of that account ever signed up in the first place – the company didn’t validate emails, meaning anyone could sign another person up if they knew their email address.
Beyond the obvious potential damage to relationships, the dump also poses significant threats in other ways too – personally identifiable information could be used to commit identity theft or initiate convincing phishing schemes.
The good news is that Ashley Madison used bcrypt to salt-and-hash the stored passwords, making it tough even for the best-equipped crooks to try out much more than the most obvious passwords in any cracking attempt.
Of course, if you did choose an obvious password, then you may nevertheless be at risk – change it quickly, and don’t pick easily-guessed passwords again!
Here’s how you can pick and then store a strong one:
→ Can’t view the video on this page? Watch directly from YouTube. Can’t hear the audio? Click on the Captions icon for closed captions.
For its part, Ashley Madison says it has bolstered its security (too little, too late, methinks) and is continuing to investigate the breach. In an email sent to Ars Technica, Avid Life Media appealed for help in catching those responsible:
We know that there are people out there who know one or more of these individuals, and we invite them to come forward. While we are confident that the authorities will identify and prosecute each of them to the fullest extent of the law, we also know there are individuals out there who can help to make this happen faster. Anyone with information that can lead to the identification, arrest, and conviction of these criminals, can contact firstname.lastname@example.org.
As for you, your next move may be to discover whether your details – whether submitted by you or someone else – have been leaked.
To that end, security researcher Troy Hunt is currently in the process of adding all available data to haveibeenpwned.com, a site that can check your email address to see if it has been associated with a data breach.
Due to the sensitive nature of this particular attack, Hunt notes that he will not be making the list of email addresses publicly searchable so you’ll need to be a verified subscriber (a free service).