Over the weekend, Ashley Madison, the matchmaking site for cheaters, was the target of a major hack that leaked troves of data about the site and its users onto the web. Presumably this was distressing news for the site's 37 million adulterers, for whom discretion is key.
But it turns out that Ashley Madison's affairs were never all that discreet.
Security researcher Troy Hunt explained in a blog post on Monday that a lax security feature easily exposes e-mail addresses that are registered to the site.
As Hunt explains, if you head to Ashley Madison's password reset page and enter an e-mail address, you'll get a different message depending on whether that address is registered to the site.
If you go to the site and enter an email address that isn't registered with Ashley Madison, you'll see this:
If your husband or wife is registered though, and used an email address that you know, you'll see this:
Hunt points out that, unlike most websites, Ashley Madison does not explicitly say in either case whether an address is registered to the site. But while the message text is the same in both cases — it neither confirms nor denies the existence of an account — when an address is registered, the text box and send button are removed from the page.
Hunt figured this out by creating a test account for the site and observing the difference in response to a request for a new password with a registered address and one that did not exist.
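The difference Hunt observed is an account-enumeration leak: the wording is neutral, but the page structure is not. The following is an added example, not code from the article or from Ashley Madison, with constructed addresses and a hypothetical `ResetPage` model. It shows a reset handler with that flaw beside one that renders an identical page for every address, plus a regression check a site owner can run against their own handler.

```python
import secrets
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Constructed sample user table (hypothetical addresses, not real data).
REGISTERED = {"alice@example.com", "bob@example.com"}

# The neutral wording both variants display; it neither confirms nor denies.
NEUTRAL_MESSAGE = ("Thank you for your forgotten password request. "
                   "If that e-mail address exists, you will receive a message shortly.")


@dataclass(frozen=True)
class ResetPage:
    """Everything an outsider can observe in the HTTP response."""
    message: str
    shows_form: bool  # whether the e-mail box and send button are rendered


def leaky_reset(email: str, outbox: List[Tuple[str, str]]) -> ResetPage:
    """The flaw Hunt described: the text is identical, but the form is
    removed only for registered addresses, so the page still reveals them."""
    if email in REGISTERED:
        outbox.append((email, secrets.token_urlsafe(32)))
        return ResetPage(NEUTRAL_MESSAGE, shows_form=False)
    return ResetPage(NEUTRAL_MESSAGE, shows_form=True)


def hardened_reset(email: str, outbox: List[Tuple[str, str]]) -> ResetPage:
    """Same page for every input. The only effect of a hit is an e-mail to
    the mailbox owner, which the requester cannot see unless it is theirs."""
    if email in REGISTERED:
        outbox.append((email, secrets.token_urlsafe(32)))
    return ResetPage(NEUTRAL_MESSAGE, shows_form=True)


def reset_page_leaks(handler: Callable[[str, list], ResetPage],
                     known: str, unknown: str) -> bool:
    """Regression check for your own site: True if a registered and an
    unregistered address produce observably different pages."""
    return handler(known, []) != handler(unknown, [])


if __name__ == "__main__":
    print("leaky handler leaks:",
          reset_page_leaks(leaky_reset, "alice@example.com", "nobody@example.com"))
    print("hardened handler leaks:",
          reset_page_leaks(hardened_reset, "alice@example.com", "nobody@example.com"))
```

In a real deployment the e-mail send should be queued rather than performed inline, so that response time does not differ between the two branches, and the endpoint should be rate-limited.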
"Here’s the lesson for anyone creating accounts on websites: always assume the presence of your account is discoverable," he wrote. "It doesn’t take a data breach, sites will frequently tell you either directly or implicitly."
Hunt suggests that if users of sites like Ashley Madison truly seek privacy, they should use an e-mail address not easily traced back to them.
That's not bad advice, but users caught up in the hack are at risk of having other identifying information exposed, such as their credit card details, which usually carry people's real names.
The Impact Team, the group of hackers claiming responsibility for hacking Ashley Madison's parent company Avid Life Media, claims to have stolen users' full records, including names, addresses and even their sexual fantasies, alongside other company data such as financial records.
“We’ve got the complete set of profiles in our DB dumps, and we’ll release them soon if Ashley Madison stays online,” the hackers wrote. “And with over 37 million members, mostly from the US and Canada, a significant percentage of the population is about to have a very bad day, including many rich and powerful people.”
The hackers, who appear to have been angered by a premium feature on Ashley Madison called “Full Delete” that charged customers to scrub their existence from the site, said they planned to publish more data from the breach each day that Ashley Madison stays online.
Ashley Madison did not respond to a request for comment on the password reset function, but in a statement on Sunday to Fusion said that "the current business world has proven to be one in which no company’s online assets are safe from cyber-vandalism."
But the internet is full of stories from men and women who uncovered their cheating spouses in more old-fashioned ways — maybe an e-mail from the site popped up on their screen, or cookies in a browser caused an ad from the site to appear while browsing. Even without hackers and lagging security policies, a site like Ashley Madison could never really guarantee discretion.