Last month, a hacking group going by the name "Impact Team" claimed that it had hacked Ashley Madison, the infidelity dating site, and published some business records online as proof. Those records quickly vanished, but Impact Team said it had a lot more, and threatened to release information about Ashley Madison's 37 million members unless the site was taken down, along with its brother site Established Men.
Now, a month later, it looks like Impact Team has made good on its claim. Today, a "Time's Up" message appeared on a website only accessible via the Tor browser. The site included a link to a torrent for lots and lots of files that appear to include customer information for Ashley Madison users, particularly records of credit card payments that include people's names, hometowns, and the last 4 digits of their credit cards. (Too bad Ashley Madison doesn't take Bitcoin.) Security researchers who have started reviewing the leak say it contains credit card payments dating back seven years.
We have attempted to verify that the people that appear in the records are actually Ashley Madison customers, reaching out to a dozen of them by phone, email and Facebook. Unsurprisingly, the people we've reached have not been eager to chat. After reviewing a file with Ashley Madison accounts that included names, sexual preferences, addresses and phone numbers, we called every number. Only one number worked, and it was for a woman who turned out to be the wife of Ashley Madison's original founder, Darren Morgenstern, who sold the company to Avid Life Media years ago. Morgenstern said the spreadsheet dated back to the company's early days and was essentially a list of dummy accounts that employees had used for "quality control and market research" on the site.
In an interview with security blogger Brian Krebs, Ashley Madison's CTO implied the data dump was fake. But Krebs says he has talked with "three vouched sources who all have reported finding their information and last four numbers of their credit card number in the leaked database." A Gawker reporter who created an account there years ago tweets that he found his information in the leak.
That means that at least some of the people included in the data dump are legitimate customers. Rob Graham of Errata Security said he had found what looks to be more than 36 million accounts; among those accounts, he said, were people who told him that they were Ashley Madison users, including one who confirmed that a throwaway email address he only ever used for that site was found among the leaked addresses.
"It's about 28 million men to 5 million women in the account list, but essentially all men for credit card transactions," said Graham.
So, privacy-conscious Ashley Madison users, it is time to start officially freaking out. At this point, it is still hard to get the actual names from the leak; they are in raw data form and accessible only via torrenting. Most security researchers reviewing the leak are just trying to figure out how to get the files into readable, parsable form.
Security experts say the passwords appear to be properly encrypted such that they are unlikely to be easily cracked. But when it comes to a site like Ashley Madison, it's not the password most users are worried about, it's the mere fact of being outed as a member.
"If the data becomes as public and available as seems likely right now, we’re talking about tens of millions of people who will be publicly confronted with choices they thought they made in private," writes John Herrman in the Awl. "The result won’t just be getting caught, it will be getting caught in an incredibly visible way that could conceivably follow victims around the internet for years."
Of course, there are excuses for being on Ashley Madison that don't involve adultery. You could say you were a reporter looking for a story. You could say you were just curious about what goes on on a site like that. You could say that you didn't create an account there, that someone else did it to sabotage you. And because the site doesn't confirm emails, you could be telling the truth. Or you could say you signed up, but never actually consummated the plan to cheat — the infidelity equivalent of "I didn't inhale."
Ashley Madison parent company Avid Life Media issued an incensed statement after the data dump, that stopped short of confirming its authenticity:
The criminal, or criminals, involved in this act have appointed themselves as the moral judge, juror, and executioner, seeing fit to impose a personal notion of virtue on all of society. We will not sit idly by and allow these thieves to force their personal ideology on citizens around the world. We are continuing to fully cooperate with law enforcement to seek to hold the guilty parties accountable to the strictest measures of the law.
Once again, we have no idea who the hackers are here, though Avid Life Media said in the statement Tuesday that theirs is on the FBI's long list of hacking investigations. Still, as Herrman writes, "this feels like a momentous event. Here were tens of millions of people expecting the highest level of privacy that the commercial web could offer as they conducted business they likely wanted to keep between two people."
With each big hack — Sony Pictures, the iCloud celebrity photo "Fappening", the Hacking Team, the Office of Personnel Management — I keep thinking it is going to be the momentous event that makes us rethink privacy in the digital age and the meaning of having our workplace gossip/nude photos/quasi-illegal business dealings/high-level background checks/infidelities spill out into the open. But, at the end of the day, what can you do? You just keep living, knowing that it's impossible, in this day and age, not to create potentially incriminating data trails. And you hope the place where your most embarrassing data trail lives doesn't become the target of hackers.