Ashley Madison hackers allegedly just released all the stolen user data

A whole lot of people are about to have a very bad night.

Nearly 10 gigabytes worth of data stolen from Ashley Madison, the leading online dating site for adulterers, has reportedly been posted on the Dark Net.

The Daily Dot is currently working to verify the authenticity of the files and the user data they purportedly contain.

If the data is authentic—according to multiple security experts, it is legitimate—this could be the promised follow-through on a headline-grabbing hack of the website carried out last month by a group of hackers calling themselves Impact Team. The hackers said the breach of the site came in response to what they describe as dishonest business practices by Ashley Madison and its parent company, Avid Life Media.

Release of the data may mean that more than 36 million members in 46 countries stand to have personal information revealed to the public. The data reportedly includes credit card info, login credentials, and of course, the intimate details of their possible affairs.

In some countries, adultery is more than embarrassing—it’s illegal, and exposed Ashley Madison users are at risk of criminal charges. Blackmailers, divorce attorneys, and others may profit off the data as well.

It will likely be difficult or impossible to verify all the data, however. Reports are already circulating that the files include individuals from the U.K. government as well as world-famous people, like former British Prime Minister Tony Blair. 

There’s no reason to believe Blair is actually on the site because anyone can create an account using names and email addresses from other individuals.

Even if the files are somehow verified, many argue that actually publicizing the details is the wrong move.

“It’s not up to a group of hackers—or the public—to dictate how these users’ relationships pan out, let alone force the issue of alleged cheating,” The Daily Dot’s Derrick Clifton argued. “Even if there’s one name on the list that belongs to someone we know, the manner in which we learn about their sexual behaviors matters as much as the act itself.”

Update 10:10pm CT, Aug. 18: Everyone from cybersecurity experts and journalists to 4chan users has begun digging into the released data trove, only to be left with more questions than answers.

While some claim to have confirmed that certain leaked data belonged to legitimate Ashley Madison users, the journalist who broke the story of the site’s data breach, Brian Krebs, reports that Ashley Madison’s security experts have not yet confirmed the data’s authenticity.

Raja Bhatia, Ashley Madison’s chief technology officer, told Krebs that his team of devoted investigators has reviewed more than 100GB of data purporting to be from the site’s databases. Little of it, Bhatia said, has proved legitimate. 

“The overwhelming amount of data released in the last three weeks is fake data,” Bhatia said.

Bhatia specifically points to the fact that the leaked data contains credit card transaction information—a detail the Daily Dot has confirmed—that Ashley Madison allegedly does not store on its servers. 

“There’s definitely not credit card information, because we don’t store that,” Bhatia said. “We use transaction IDs, just like every other PCI-compliant merchant processor. If there is full credit card data in a dump, it’s not from us, because we don’t even have that.”

In a statement, Ashley Madison acknowledged the data dump, but neither confirmed nor denied whether the information came from its servers. The company reiterated that the hack, which is not in question, was “an act of criminality.”

Update 7:30am CT, Aug. 19: The leak is likely legitimate, reports Ars Technica, citing findings by multiple cybersecurity researchers. 

Researcher Dave Kennedy found that the documents contain more than just user data; internal company documents, company PayPal account information, and much more are now out in the open.

Kennedy writes in a blog post:

This included a full domain dump of corporate passwords (NTLM hashes) of the Windows domain of the company, PayPal accounts and passwords for the company, internal only documents, and a ton more. The biggest indicators to legitimacy come from these internal documents, much containing sensitive internal data relating to the server infrastructure, org charts, and more. This is much more problematic as it’s not just a database dump, this is a full scale compromise of the entire company’s infrastructure including Windows domain and more.

So far, it looks like around 33 million usernames, first names, last names, street addresses, and more are impacted by this breach.

Robert Graham, CEO of Errata Security, also says that the files are likely legitimate and that multiple people have confirmed to him that their information was included in the dump.

To cap it all off, Brian Krebs, cited above for calling the legitimacy of the leak into question, now believes that the documents and data included in the dump are almost certainly real. 

In an update added to the blog post cited in our first update, he writes:

I’ve now spoken with three vouched sources who all have reported finding their information and last four digits of their credit card numbers in the leaked database. Also, it occurs to me that it’s been almost exactly 30 days since the original hack. Finally, all of the accounts created at Bugmenot.com for Ashleymadison.com prior to the original breach appear to be in the leaked data set as well. I’m sure there are millions of AshleyMadison users who wish it weren’t so, but there is every indication this dump is the real deal.

H/T Wired | Image via Ashley Madison | Remix by Fernando Alfonso III

Patrick Howell O'Neill

Patrick Howell O'Neill is a notable cybersecurity reporter whose work has focused on the dark net, national security, and law enforcement. A former senior writer at the Daily Dot, O'Neill joined CyberScoop in October 2016. I am a cybersecurity journalist at CyberScoop. I cover the security industry, national security and law enforcement.