Security Experts:

Hackers Leak Ashley Madison User Data

The hackers who breached the online adultery website Ashley Madison last month made good on their promise to leak customer details.

The attackers, calling themselves “Impact Team,” threatened to leak registered users’ details unless Ashley Madison and its sister website Established Men were shut down permanently. Avid Life Media Inc., the owner of Ashley Madison, announced after the hackers leaked some sample data that investigations had been launched both by the company and law enforcement agencies.

Ever since the data breach came to light on July 19, numerous fake dumps claiming to contain data stolen from Ashley Madison appeared online. However, the latest data dump appears to be genuine.

“Avid Life Media has failed to take down Ashley Madison and Established Men. We have explained the fraud, deceit, and stupidity of ALM and their members. Now everyone gets to see their data,” the hackers wrote in a statement containing a link to a 10 gigabyte file distributed via torrent sites.

In a statement released on Tuesday, Avid Life Media said it was trying to determine if the leaked data comes from its systems. However, several experts seem confident that the information published this time is legitimate.

According to experts who analyzed the leaked files, they contain the details of more than 30 million users. The information includes names, addresses, phone numbers, email addresses, dates of birth, users’ interests and their physical description, password hashes, and credit card transactions from the past 7 years.

The credit card transactions include names, addresses, email addresses, amounts paid and partial payment card numbers. According to Christopher Davis, Citizen Lab advisor and founder of infosec startup Hyas, these transactions show that Ashley Madison made more than $600 million.

Robert Graham, CEO of Errata Security, has also analyzed the leaked data and determined that Ashley Madison used bcrypt to hash users’ passwords.

“Almost all the records appear to be protected with bcrypt. This is a refreshing change. Most of the time when we see big sites hacked, the passwords are protected either poorly (with MD5) or not at all (in ‘clear text’, so that they can be immediately used to hack people). Hackers will be able to ‘crack’ many of these passwords when users chose weak ones, but users who chose strong passwords are safe,” Graham said.

The leaked data appears to include the details of 33 million accounts and 36 million email addresses. However, Australian security expert Troy Hunt, who runs the Have I Been Pwned service, says there are 30,636,380 unique email addresses.

“This event is not an act of hacktivism, it is an act of criminality. It is an illegal action against the individual members of, as well as any freethinking people who choose to engage in fully lawful online activities,” Avid Life Media wrote in its statement. “The criminal, or criminals, involved in this act have appointed themselves as the moral judge, juror, and executioner, seeing fit to impose a personal notion of virtue on all of society. We will not sit idly by and allow these thieves to force their personal ideology on citizens around the world. We are continuing to fully cooperate with law enforcement to seek to hold the guilty parties accountable to the strictest measures of the law.”

While the leaked data appears to originate from Ashley Madison’s systems, experts have highlighted that many of the profiles on the website are likely fake, especially since the company didn’t verify the email addresses provided by users during the account registration process.

“Leading up to this breach, Ashley Madison prided itself on airtight data security, a claim that seemed to have in part provoked the attackers to exploit the organization's weakest point—insider security,” Mohan Koo, CEO and co-founder of Dtex Systems, told SecurityWeek. “The source of this breach is largely believed to have been a third-party contractor with privileged access to the company's systems. This is an organization whose entire business model depends on trust, anonymity and discretion. To use anything less than the most state-of-the-art insider threat detection capabilities is to flirt with disaster, and with its user base now exposed to the world, it's hard to imagine the company will be able to survive much longer.”

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.