The hackers who threatened to publish the stolen personal data of millions of AshleyMadison.com users followed through on their threat Tuesday night — and the leaked material appears to be genuine.
In July, a hacktivist group calling itself the Impact Team stole the trove of information and called on Avid Life Media (ALM), Ashley Madison's Toronto-based parent company, to take down that site as well as EstablishedMen.com, a dating site that pairs older men with younger women. The group soon outed an Ontario registrant and another who lived in Massachusetts to show that it wasn't bluffing.
The hackers said the motivation for the break-in was due to ALM's dubious privacy policies and questionable business practices. They released a manifesto that called the company's "full delete" feature a profitable scam, accusing the company of keeping the purchase details, real names, and addresses of customers after they had paid to have their information erased.
"Full Delete netted ALM $1.7 million in revenue in 2014," the manifesto read. "It's also a complete lie."
ALM didn't back down, so last night the hackers posted 9.7 gigabytes of personal data from the notorious marital cheating site that reportedly included information from those who had signed up for Established Men.
"Avid Life Media has failed to take down Ashley Madison and Established Men," read a statement from the hackers announcing the dump. "We have explained the fraud, deceit, and the stupidity of ALM and their members. Now everyone gets to see their data."
The trove of information includes email and street addresses, partial credit card numbers and transaction details, passwords, physical descriptions, and other personal details of some 37 million Ashley Madison users. Early analysis of the material by Wired shows that it involves more than 15,000 emails registered to military or government servers.
Dozens of online dumps have appeared daily claiming to be of the Ashley Madison database since the hackers issued their threat, but this latest one is the first to be found authentic.
"I'm sure there are millions of Ashley Madison users who wish it weren't so," wrote the cyber security blogger Brian Krebs, who first reported the hack, "but there is every indication this dump is the real deal." Krebs spoke with three sources who confirmed that their details were among the data.
Questions quickly arose about whether all the identities of the leak are real, since Ashley Madison does not verify the identity of the emails for new accounts and many of its users are said to operate under assumed names or identities. As the security expert Per Thorsheim pointed out soon after the hack was announced, "anyone can create an account using your email and get started using it, no account verification needed."
"Glancing through the data, it appears that a lot of the accounts are bogus," wrote the security expert and blogger Robert Graham. "Obviously made up things for people who just want to look at the site without creating a 'real' account."
ALM was initially ambiguous about whether Tuesday's dump was authentic.
"We are actively monitoring and investigating this situation to determine the validity of any information posted online and will continue to devote significant resources to this effort," it said in a statement released yesterday.
A spokesperson for ALM told Reuters today that some of the data appeared to be legitimate, although he denied that the company stored credit card information on its servers. The company had earlier called the breach an act of "cyber-terrorism," and promised to hold the hackers accountable.
"Shutting down [AshleyMadison] and EM will cost you, but non-compliance will cost you more," read Impact Team's statement announcing the hack in July. "We will release all customer records, profiles with all the customers' secret sexual fantasies, nude pictures and conversations and matching credit card transactions, real names and addresses, and employee documents and emails. Avid Life Media will be liable for fraud and extreme harm to millions of users."
The release of Ashley Madison's user information has potentially dire consequences for those who thought their information was private. A gay Saudi Arabian user posted on Reddit last month that he could get stoned to death if people found out he had used the site for homosexual relations.
"I haven't been on the site in a long, long time," the Ontario man, who lives in Mississauga, told theToronto Sun after his info was released late last month. He claimed that he never actually used it to cheat on his wife of 20 years. "It is a stupid (website). You go just to see what is out there. It was pretty much a waste of time... to join."
The man said that he had paid $19 to have his personal data erased from the site, and was utterly shocked when his name was released by the Impact Team to illustrate that it really had the info it claimed to have stolen. It appeared that the company had evidently kept his information in some form despite his having paid for its "full delete" service.
The Ashley Madison site has long been a source of controversy for its blatant promotion of adultery. Given its business model — discretely facilitating affairs among married people — the site's data is particularly sensitive.