So you've found out your e-mail address was one of the millions included in the massive hack of Ashley Madison, a dating website that caters to cheaters. Anyone who knows your e-mail can easily search to find out that the address is linked to an account on the site. And your address, e-mail address and credit card information are probably floating around out there too, for anyone with a little bit of web savvy to download and see.
We know, we know. You're freaking out. I interviewed dozens of Ashley Madison users outed by the leak, and for most of them, the biggest question was what to do next. So here's some advice:
Don't flip out.
I talked with a handful of users concerned because they had never signed up for an account, and that totally makes sense. A major criticism of Ashley Madison has been that it didn't verify the e-mail addresses of its users.
As security researcher Graham Cluley explained on his blog: "I could have created an account at Ashley Madison with the address of barack.obama@whitehouse.gov, but it wouldn't have meant that Obama was a user of the site…. credentials stored by Ashley Madison must be considered suspect because of their shonky practices."
And yes, there are White House email addresses to be found in the leak, but not every leaked email belongs to someone who actually used the site.
As for folks fearing their credit card information has been exposed, Ashley Madison parent company Avid Life Media has said only the last four digits of users' credit cards were stored. The last four digits of your credit card can be useful information for identity thieves trying to break into an account (it's often a credential check when you call a customer service line, for example), but with only those digits exposed, it's unlikely anyone is going to be able to start spending your money.
"Here it seems that the hackers were not looking to commit identity fraud, but instead seeking to deeply embarrass users and threaten the existence of the site," Lisa Sotto, a managing partner of the New York office of the law firm Hunton & Williams who specializes in cyberattacks, told me.
Still, Sotto said those whose e-mail addresses showed up in the leak would be wise to monitor their credit card statements closely over the next few months for suspicious charges.
Don't fall for people claiming they can erase your data from the leak
People I've talked to who were impacted by the leak said they were desperate for a way to make sure no one ever finds out they signed up for the site. There are already tons of people out there trying to take advantage of that.
One anonymous Craigslister in New York claimed that they could help remove personal information from the leak.
Unfortunately, there's no such magic potion.
"At this point it is better to focus on damage control – consider the impact of your Ashley Madison membership being known by everyone and what actions you might take in order to minimise the impact (i.e. discussing with a spouse)," security researcher Troy Hunt wrote in a Q&A post about the leak.
Sotto said that users in the European Union may be able to take advantage of Europe's "right to be forgotten" laws. But even that can only erase data from websites in certain countries.
"The information is now ubiquitous over the internet," Sotto said.
If someone tries to blackmail you, call the police.
Reports have begun streaming in of blackmailers trawling the leaked information and e-mailing people in it, threatening to expose them.
The Bitcoin news outlet CoinDesk received an e-mail from a reader with an Ashley Madison account who received this message from a would-be blackmailer:
“Unfortunately your data was leaked in the recent hacking of Ashley Madison and I now have your information. If you would like to prevent me from finding and sharing this information with your significant other send exactly 2.00000054 bitcoins (approx. Value $450 USD) to the following address…”
If you get a message like this, call the police.
Figure out your legal rights.
The hacker group claiming responsibility for the leak, "Impact Team," had this advice for victims of the attack.
"It was ALM that failed you and lied to you. Prosecute them and claim damages," the hackers wrote. "Then move on with your life. Learn your lesson and make amends. Embarrassing now, but you’ll get over it."
There's some truth in their statement – CEO Noel Biderman frequently boasted about how secure his site was, but Ashley Madison had some flawed security practices, like holding on to credit card transaction data for way too long. And though Ashley Madison still claims that the information of the thousands of users who paid the company to scrub their data was fully deleted, it appears their information was retained in credit card records, which could make Ashley Madison vulnerable to false claims lawsuits. (Ashley Madison's privacy policy hasn't even been updated since 2011!)
Sotto said it's likely Ashley Madison will face lawsuits for breach of contract and negligence. She also expects the Federal Trade Commission will pursue action against the company for violations of section five of the Federal Trade Commission Act, which prohibits unfair or deceptive practices.
Already some law firms are putting together class action suits. So, for those willing to risk even more public exposure, there may be legal recourse for any damages you sustained in the fallout of the leak.
Fess up.
As Troy Hunt wrote, "the exposure is irretrievable." Some sites already allow people to easily search an e-mail address and see if it's connected to the site. It's likely that in the coming weeks, sites will pop up that allow searches of even broader information.
Once something like this is out in the open, it's hard to keep under wraps for very long.
"What we tell companies that suffer breaches is they need to be forthright and stay ahead of the story," said Sotto. "The same advice is applicable here: you need to be forthright, get in front of the story and frame the issue."