Welp, here we are. Thirty days days after a group called Impact Team breached the infidelity site Ashley Madison and threatened to reveal its users, the hackers appear to have made good on their promise. On Tuesday evening the group posted a 9.7-gigabyte file on the dark Web that looks like it contains names, login information, and personal details for more than 30 million Ashley Madison users.
The inevitable next step is for everyone to start looking up their significant others, family members, and friends. For those who know they will be on the list, it's damage-control time. An email address for former United Kingdom Prime Minister Tony Blair is in the data dump, and CSO reports that there are 15,019 accounts linked to .mil and .gov email addresses in the data. Gawker reporter Sam Biddle came forward right away about his presence in the data.
it’s definitely real, I made an account on AM once when I was covering online dating stuff for gizmodo and my email is in there— Sam Biddle (@samfbiddle) August 19, 2015
As Brian Krebs, of Krebs on Security, and others pointed out, though, Ashley Madison didn't verify email addresses, so anyone could sign up with any address or sign people up as a joke. (Maybe it's OK, Cherie Blair!) People may also have intentionally faked the "personal information" on their accounts to cover their tracks long before the breach. On the question of whether the leaked data set is valid and actually came from Ashley Madison's servers, Krebs wrote, "I’m sure there are millions of AshleyMadison users who wish it weren’t so, but there is every indication this dump is the real deal." He cited sources who showed up in the leak with accurate credit card information, as well as the 30-days-later timing as some of the reasons he believes the the leak is legit.
In a statement, Avid Life Media Inc., which owns Ashley Madison, was vague about whether the released user data is real. The company wrote:
We have now learned that the individual or individuals responsible for this attack claim to have released more of the stolen data. We are actively monitoring and investigating this situation to determine the validity of any information posted online and will continue to devote significant resources to this effort. Furthermore, we will continue to put forth substantial efforts into removing any information unlawfully released to the public, as well as continuing to operate our business.
Kim Zetter notes on Wired that Ashley Madison's security actually had some things going for it, because the passwords released in the leak are hashed with the bcrypt algorithm. Though Internet denizens will probably still be able to crack many of the passwords, the fact that they are encrypted at all is a step up from a lot of data breaches where passwords were simply exposed in plain text. Robert Graham, the CEO of security company Erratasec, told Wired, “We’re so used to seeing cleartext and MD5 hashes. ... It’s refreshing to see bcrypt actually being used.”
The Impact Team had originally said that it would leak the data if Avid Life Media didn't take down Ashley Madison and another site called EstablishedMen. The company kept both services running. The hackers object to both the moral stance of the Avid Life Media services, and to the company's implementation of a “Full Delete” data feature, which the hackers said didn't actually remove personal data from the company's servers. In a message released on Tuesday along with the data dump, Impact Team wrote:
Avid Life Media has failed to take down Ashley Madison and Established Men. We have explained the fraud, deceit, and stupidity of ALM and their members. Now everyone gets to see their data.
Find someone you know in here? Keep in mind the site is a scam with thousands of fake female profiles. See ashley madison fake profile lawsuit; 90-95% of actual users are male. Chances are your man signed up on the world’s biggest affair site, but never had one. He just tried to. If that distinction matters.
Find yourself in here? It was ALM that failed you and lied to you. Prosecute them and claim damages. Then move on with your life. Learn your lesson and make amends. Embarrassing now, but you’ll get over it.
Ooooh, just get over it. Why didn't we all think of that?
Meanwhile, Avid Life Media is not amused. "This event is not an act of hacktivism, it is an act of criminality. It is an illegal action against the individual members of AshleyMadison.com. ... We will not sit idly by and allow these thieves to force their personal ideology on citizens around the world."
In the case of the Sony hack, various embarassing details about the company—or even just interpersonal relationships between high-profile people—came to light for weeks because the North Korean hackers had released huge troves of email correspondences. The Ashley Madison data will probably lead to the same type of slow but persistent revelations. Some discoveries will attract broad interest, but most will be important on a community or individual scale. John Herrman writes on the Awl that it's "the first day of the rest of your internet. ... millions of lives may be about to change profoundly."* If nothing else, it's time for people who know they're on the list to figure out how they feel about it.
*Correction: Aug. 19, 2015, 11:52 a.m.: This post originally misspelled John Herrman’s last name.