For a short time, Ashley Madison's homepage was replaced with a message notifying users of the hack. That text linked to a small sample of the leaked data, and a graphic that cleverly mashed up Ashley Madison's signature "lady going shhh" stock photo with what appeared to be a screengrab of the head explosion scene from the movie Scanners.
This potentially compromises the privacy of users across 46 countries, according to Ashley Madison's parent company, Avid Life Media, Inc. The counter graphic on Ashleymadison.com lists "Over 37,765,000 anonymous members!" as of this writing, so presumably the number of possible victims is somewhere in that neighborhood, give or take a few million spam profiles.
The hackers also left something of a manifesto on the front page, threatening Ashley Madison as well as Established Men, another site owned by Avid Life Media designed to match rich men with hot young women. It read: "Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers' secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails. The other websites may stay online."
The nature of the threat—the possibility of publicizing sensitive user data—is ironic, given one of the hackers' grievances with Ashley Madison: their expensive, and allegedly ineffectual, "full delete" feature. "Full Delete netted ALM $1.7mm in revenue in 2014. It's also a complete lie," the manifesto said, according to security blogger Brian Krebs, who broke the story. "Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed."
ALM, for its part, released a statement yesterday saying their full delete feature worked just fine: "Contrary to current media reports, and based on accusations posted online by a cyber criminal, the 'paid-delete' option offered by AshleyMadison.com does in fact remove all information related to a member's profile and communications activity."
The data initially released by Impact Team included just a small sample of user information, along with technical specifications for the company's servers, and information about some of the employees at ALM. The links posted by the hackers were removed within about 30 minutes of the emergence of the breach, and the site has now been—at least on its face—restored to normal functionality.
ALM's statement yesterday claimed that the company was already "able to secure our sites, and close the unauthorized access points." Still, the majority of all user data is currently in limbo. What little information was published elsewhere has already—at least theoretically—been removed, thanks to some creative application of the Digital Millennium Copyright Act.
The DMCA is famously employed approximately a zillion times a day to make YouTube take down copyright-infringing clips. According to ALM, similar scary takedown requests have just been distributed, and that should keep most of the really juicy gossip about users hidden for the time being. However, that might not last, since as Parker Higgins of the Electronic Frontier Foundation told Fusion, "They don't have a copyright on what they're sending notices about."
So while the DMCA effort may have scrubbed away all that published data for now, two unlucky users—one in Ontario, Canada, and one in Massachusetts—have nonetheless been exposed, according to The Guardian. That full delete option the hackers were so worried about has had the price lowered to "free," for what it's worth, but presumably that doesn't help if your data is already on a hacker's hard drive.
In other words, the barn door is closed, but the horse is already in Tahiti sipping mai tais.
No one knows what's going to happen next. It's anyone's guess as to whether users will be individually blackmailed. Blackmail is not part of the hackers' publicized plan, but experts believe that a bit of extortion nonetheless looks likely.
Users in the UK probably have grounds for a lawsuit if they'd like to file one, since a 1998 law on the books demands serious data secrecy for British internet users. Meanwhile, in the US, privacy laws are significantly more lax.
There's no point in worrying, since the leak has already happened and nothing you can do will change that. If you've used your real name (or if the leak includes billing addresses), and if the data is published and if you have a suspicious [significant other], then I think there's a chance that you might be found out.
If you're an Ashley Madison adulterer, you may be able to derive some small comfort thanks to a helpful website called HaveIBeenPwned.com.
There you'll find a searchable database of personal data leaks, including the similar Adult Friend Finder leak that happened in May of this year. Presumably, adulterers will be checking in with HaveIBeenPwned from time to time while this story is in the news. If there's no big publicized leak, then they'll go back and check again periodically. Maybe for the rest of their lives.
In other news, ALM was in the process of raising $200 million in the hopes of becoming a publicly traded company. According to MarketWatch, 70 percent of ALM's revenue came from Ashley Madison, and now that this hack has given the lie to the one thing that kept Ashley Madison in business—privacy—experts say we aren't likely to see that IPO anytime soon.
Follow Mike Pearl on Twitter.