Infidelity website Ashley Madison has pledged to continue operations after hackers leaked its customer database online.
The Impact Team, which claimed responsibility for the hack on Ashley Madison and sister site Established Men, have made good on their threat to publish compromising information on millions of people.
Around 9.7 GB of customer data were released on a dark web (.onion) site on Tuesday night. This information included sexual preferences, (stated) weight, addresses, GPS locations, card payment histories, phone numbers, dates of birth and more. More than 36 million names featured in the leak, which has already become available through BitTorrent.
More than 90 per cent of the accounts belong to men. AshleyMadison.com did not verify email signups to the site, as password security expert Per Thorsheim previously established, so we can't assume owners of the 36 million email addresses exposed by the leak all signed up to the extra-marital sex hookup site. Anyone whose email address did turn up will nonetheless have a lot of explaining to do to their partners.
The data appears legit: among other factors, throw-away email addresses used only on the site have turned up in the dump. The depth and breadth of the leak is, if anything, worse than feared when the original news of the breach broke last month.
Luke Brown, Vice President at Digital Guardian, commented: “If ALM [Avid Life Media] were trying to call The Impact Team’s bluff then it seems to have backfired pretty spectacularly. While the data has only been released on the dark web for now, it will inevitably find its way into more mainstream channels over time, resulting in very public naming and shaming for Ashley Madison’s members.
“Perhaps even more embarrassing for ALM and Ashley Madison is the disclosure of the fact that a significant proportion of users on the site are fake, bringing into question the credibility of the website as a whole,” he added.
In a statement supplied to El Reg, Avid Life Media decried the actions of criminal hackers, adding that it intends to continue with its controversial business.
“The individual or individuals responsible for this attack claim to have released more of the stolen data. We are actively monitoring and investigating this situation to determine the validity of any information posted online and will continue to devote significant resources to this effort. Furthermore, we will continue to put forth substantial efforts into removing any information unlawfully released to the public, as well as continuing to operate our business.
“This event is not an act of hacktivism, it is an act of criminality. It is an illegal action against the individual members of AshleyMadison.com, as well as any freethinking people who choose to engage in fully lawful online activities. The criminal, or criminals, involved in this act have appointed themselves as the moral judge, juror, and executioner, seeing fit to impose a personal notion of virtue on all of society.”
ALM added that it has hired independent forensic experts and other security professionals to “assist with determining the origin, nature, and scope of this attack.” Several police agencies – including the Royal Canadian Mounted Police, the Ontario Provincial Police, and the US Federal Bureau of Investigation – have launched investigations into the attack.
Dr Chenxi Wang, VP of cloud security & strategy at CipherCloud, criticized ALM for not drawing down the shutters on the site.
“Ashley Madison should have halted operations rather than betray the confidentiality of millions of customers,” she said. “The hackers rightly pointed out that parent company ALM failed to protect customers, the bottom line for doing business. 9.7 gigabytes is a lot of customer names, credit cards and intimate details about individuals.
“The real victim is not Ashley Madison, it is the customers and their families, who are forced to suffer humiliation and pain. They could have been spared if Ashley Madison had done the tough but right thing. But maybe we should not be surprised – trust is not the strong suit for a company that makes its money by encouraging people to lie and cheat,” she concluded. ®