UPDATE August 19, 2015 – As I predicted, there are now web sites which allow you to search the Ashley Madison data. Check this Wired article for links:
The hackers who broke into the Ashley Madison web site last month threatened to make the data that they stole public if Ashley Madison’s parent company did not shut the site down. Well, they didn’t and the hackers did.
Today about 10 gigabytes of data, representing over 30 million customers, was dumped on the dark web for anyone who cares to look to see. Researchers and gawkers are downloading the data furiously. A directory listing of some of the files was posted on Ars technica and reproduced below.
Ashley Madison’s parent company has not confirmed that the data is theirs, but they also haven’t denied it. Here is how the hackers explained what they were doing:
The data includes emails, profiles, credit card information and other data. While the passwords were included, the encryption algorithm that they used (bcrypt) makes it computationally intensive to brute force crack millions of passwords. This doesn’t mean that people won’t try, but it does mean that it will be hard.
Still, there is other identifying information – credit card information and email addresses. I am sure some people used burner cards and email addresses, but there have already been 15,000 .mil and .gov addresses found. Really. You use your government email address at a site like Ashley Madison? Interesting, but not too smart.
Ashley Madison attempted to use all sorts of laws to take down the data when the hack first happened, but the way the hackers dumped this data (via TOR) means that there are likely hundreds if not thousands of copies floating around the internet already. Not to mention that many people have likely downloaded it to their own computers.
Ashley Madison is putting on a brave face by saying that they will continue to put forth “substantial effort” to remove any information posted. That likely might work with some traditional news sites – who probably would not post the data anyway – but it will be totally ineffective on the dark web.
Just like Ashley Madison is not based in the U.S. making it outside the reach of many U.S. laws, many of the dark web sites are based in countries you would say are not too friendly towards the west. What do you think Putin would say if Ashley Madison sent a Russian web site a take down notice? After he got up from the floor where he fell down laughing, he might use it to light one of his cigars.
Sorry boys, the cat is out of the bag.
Probably, a lot of the data is made up – supposedly most of the women on the site are fictitious; most of the people looking for extra marital affairs are apparently guys. There was no verification of the data customers provided – I assume on purpose – so if I wanted to call my self Sam Spade, I could as long as that name wasn’t already taken. To prove that point, Tony Blair’s name was in the dump and I suspect the former prime minister was not a customer.
The part of the data that can be validated could be used by divorce attorneys and blackmailers.
Now let’s forget, for the moment, that this is Ashley Madison and people might say that the business is sleazy and people who use it got what they deserved.
Let’s say that this was your company and your customer data, credit card transactions, customer profiles, names and addresses were leaked. What would the impact be on your business? Do you have a plan for dealing with that situation?
No company has zero enemies. Not even Mickey Mouse and Donald Duck. That means that someone might be out to get you. Could be a customer, employee, supplier, contractor or someone completely unrelated to the company.
Avid Life Media is privately held and not U.S. based, so it is highly unlikely that we will find out what the financial impact is on the company, but I can’t imagine that anyone is signing up for their service.
By way of example, two years after the Target breach, it appears that Target and Visa kissed and made up in exchange for a $67 million check and the agreement that individual banks can still sue Target. Right now, the cost of the breach is above $200 million, after insurance and it is far from over. They will still be dealing with it for years to come and when I mention Target to average people, the general response is that they avoid shopping there.
Information for this post came from Ars Technica and Wired.