The unfolding of Ashley Madison’s data hack

CCTV News

Ashley Madison hack could expose millions to identity theft, divorce

In July, hackers announced that they’d breached data from the affair site Ashley Madison and threatened to release the data if the website did not stop operating. On Sunday, a group of hackers who call themselves Impact Team leaked the data. The internet has been abuzz with comments and discussions about the site and hack. Here’s what we know and what we don’t.

What is Ashley Madison?

Ashley Madison is a Canadian-based online dating service that launched in 2001. It’s marketed towards people who are “married or in a committed relationship.” According to the website, they have 32 million members in 46 countries with someone new joining every 6 seconds. The website is owned by Avid Life Media, which owns other sites like Cougarlife.com and establishedmen.com. The CEO is Noel Biderman.

Who is responsible, and when did it happen?

The hack took place in July 2014. A hacker group called Impact Team has claimed responsibility for the hacks.

What does the data include?

According to Wired, the data includes seven years worth of payment transaction details, names (as they were provided), street address, email address, amount paid, what they were looking for, turn ons, at the last four digits of credit card numbers.

Where is the data?

According to techworld.com, the data was published on the dark web. It can be accessed via a BitTorrent client. The dark web, according to pcadvisor.co.uk, refers specifically to websites that are publicly visible, but hide their IP addresses of the servers that run them. Thus they can be visited by any web user, but it is very difficult to work out who is behind the sites.

Why we killed this story as a data story
The TL:DR (Too long: Didn’t read) version — the email addresses were never verified by Ashley Madison, and fake profiles were created using other people’s emails. We don’t know which are legit, and which aren’t. Inclusion does not necessarily imply implication.

At first we sniffed the data aroma of 32 million accounts that could be culled, sorted, organized, visualized. But when it became clear the data may not all be authentic, we backed away from that side of the story. People could be totally honest in creating their accounts, and they could also make everything up (as anyone who’s ever gone on a dates with people from an online dating site eventually finds out, not everyone accurately portrays themselves online). We wanted to get the facts right.

Because we can’t know for sure, any trends (like the 25 cities with the highest number of Ashley Madison accounts) are meaningless.

And the harm done could potentially outweigh the benefits of exposing would-be Ashley Madison users (and those unlucky enough to have their email address used by someone else to create an account) to the light of day: long-term shaming, public disgrace, divorce, even, as computer security expert Graham Cluley wrote, suicide.

“And now the moral crowd gathers to shame and condemn,” Emily Dreyfuss wrote in Wired. “This is the pathetic morass of our culture.”

What does Ashley Madison say about the hack?

In a press release Aug. 18 (emphasis added):

Last month we were made aware of an attack to our systems. We immediately launched a full investigation utilizing independent forensic experts and other security professionals to assist with determining the origin, nature, and scope of this attack. Our investigation is still ongoing and we are simultaneously cooperating fully with law enforcement investigations, including by the Royal Canadian Mounted Police, the Ontario Provincial Police, the Toronto Police Services and the U.S. Federal Bureau of Investigation.

We have now learned that the individual or individuals responsible for this attack claim to have released more of the stolen data. We are actively monitoring and investigating this situation to determine the validity of any information posted online and will continue to devote significant resources to this effort. Furthermore, we will continue to put forth substantial efforts into removing any information unlawfully released to the public, as well as continuing to operate our business.

This event is not an act of hacktivism, it is an act of criminality. It is an illegal action against the individual members of AshleyMadison.com, as well as any freethinking people who choose to engage in fully lawful online activities. The criminal, or criminals, involved in this act have appointed themselves as the moral judge, juror, and executioner, seeing fit to impose a personal notion of virtue on all of society. We will not sit idly by and allow these thieves to force their personal ideology on citizens around the world. We are continuing to fully cooperate with law enforcement to seek to hold the guilty parties accountable to the strictest measures of the law.

Every week sees new hacks disclosed by companies large and small, and though this may now be a new societal reality, it should not lessen our outrage. These are illegitimate acts that have real consequences for innocent citizens who are simply going about their daily lives. Regardless, if it is your private pictures or your personal thoughts that have slipped into public distribution, no one has the right to pilfer and reveal that information to audiences in search of the lurid, the titillating, and the embarrassing.

We know that there are people out there who know one or more of these individuals, and we invite them to come forward. While we are confident that the authorities will identify and prosecute each of them to the fullest extent of the law, we also know there are individuals out there who can help to make this happen faster. Anyone with information that can lead to the identification, arrest and conviction of these criminals, can contact information@avidlifemedia.com.

Is the data real?

While there’s currently no official word from Ashley Madison of the authenticity of the data dump, various confirmations of personal data are adding to the increased possibility that it is. But, again, some of the data could be fabricated by users. “I could have created an account at Ashley Madison with the address of barack.obama@whitehouse.gov,” Cluely wrote on his website. “So, but it wouldn’t have meant that Obama was a user of the site.”