Hackers at the Impact Team have apparently carried out their threat to publish the customer databases of Ashley Madison – a hookup website designed for those who want to cheat on their partners.
In July, the hackers announced that they had successfully scraped the servers of Ashley Madison, and its sister site Established Men, which looks to connect well-off gentlemen and women who are looking for sugar daddies. Curiously, the CougarLife website, aimed at hooking up young men with older women and owned by Ashley Madison's parent, was untouched.
The miscreants wanted Ashley Madison and Established Men dismantled by their parent Avid Life Media, or they would go public with the swiped records. Now, they claim, time's up.
"Avid Life Media has failed to take down Ashley Madison and Established Men. We have explained the fraud, deceit, and stupidity of ALM and their members. Now everyone gets to see their data," the hackers said in a statement announcing the availability of the sensitive information as a torrent.
"Find someone you know in here? 90 to 95 per cent of [Ashley Madison] users are male. Chances are your man signed up on the world's biggest affair site, but never had one. He just tried to. If that distinction matters.
"Find yourself in here? It was ALM that failed you and lied to you. Prosecute them and claim damages. Then move on with your life. Learn your lesson and make amends. Embarrassing now, but you'll get over it."
Some 33 million accounts potentially stuffed full of compromising information have been leaked, we're told. That's 32 million unique email addresses, including thousands of US government and military addresses. Names, home addresses, phone numbers, relationship statuses, personal habits, credit-card transaction logs, and even some credit card numbers have been found in the databases, it's claimed.
Not all real?
The hackers do say that the presence of someone's email address in the files doesn't necessarily mean that they had an affair, merely that they may have been trying to. There's also the very real possibility that the email addresses may not be real, because the website apparently did not validate people's email addresses.
"I could have created an account at Ashley Madison with the address of firstname.lastname@example.org, but it wouldn't have meant that Obama was a user of the site," said security blogger Graham Cluley.
"Journalists and commentators would be wise to remember that the credentials stored by Ashley Madison must be considered suspect because of their shonky practices, even before you start considering whether any leaked databases are falsified or not."
El Reg is still working to ascertain if the 9.6GB database dump distributed via the dark web is the real deal (we have a fiber connection, but there aren't many seeders about). Chatter from those who claim to have got the whole archive indicates that it's legit. The passwords appear to have been hashed using bcrypt.
"We are actively monitoring and investigating this situation to determine the validity of any information posted online and will continue to devote significant resources to this effort," Avid Life Media said in a statement.
"This event is not an act of hacktivism, it is an act of criminality. It is an illegal action against the individual members of AshleyMadison.com, as well as any freethinking people who choose to engage in fully lawful online activities. The criminal, or criminals, involved in this act have appointed themselves as the moral judge, juror, and executioner, seeing fit to impose a personal notion of virtue on all of society."
Raja Bhatia, Ashley Madison's founding CTO who today consults for the website's team, is not convinced this leak is real. He told investigative journo Brian Krebs this evening that the site does not store credit card numbers. "If there is full credit card data in a dump, it’s not from us, because we don’t even have that," Bhatia added. ®