Connect with us

Hi, what are you looking for?


Fraud & Identity Theft

Hackers Leak Ashley Madison User Data

The hackers who breached the online adultery website Ashley Madison last month made good on their promise to leak customer details.

The hackers who breached the online adultery website Ashley Madison last month made good on their promise to leak customer details.

The attackers, calling themselves “Impact Team,” threatened to leak registered users’ details unless Ashley Madison and its sister website Established Men were shut down permanently. Avid Life Media Inc., the owner of Ashley Madison, announced after the hackers leaked some sample data that investigations had been launched both by the company and law enforcement agencies.

Ever since the data breach came to light on July 19, numerous fake dumps claiming to contain data stolen from Ashley Madison appeared online. However, the latest data dump appears to be genuine.

“Avid Life Media has failed to take down Ashley Madison and Established Men. We have explained the fraud, deceit, and stupidity of ALM and their members. Now everyone gets to see their data,” the hackers wrote in a statement containing a link to a 10 gigabyte file distributed via torrent sites.

In a statement released on Tuesday, Avid Life Media said it was trying to determine if the leaked data comes from its systems. However, several experts seem confident that the information published this time is legitimate.

According to experts who analyzed the leaked files, they contain the details of more than 30 million users. The information includes names, addresses, phone numbers, email addresses, dates of birth, users’ interests and their physical description, password hashes, and credit card transactions from the past 7 years.

The credit card transactions include names, addresses, email addresses, amounts paid and partial payment card numbers. According to Christopher Davis, Citizen Lab advisor and founder of infosec startup Hyas, these transactions show that Ashley Madison made more than $600 million.

Advertisement. Scroll to continue reading.

Robert Graham, CEO of Errata Security, has also analyzed the leaked data and determined that Ashley Madison used bcrypt to hash users’ passwords.

“Almost all the records appear to be protected with bcrypt. This is a refreshing change. Most of the time when we see big sites hacked, the passwords are protected either poorly (with MD5) or not at all (in ‘clear text’, so that they can be immediately used to hack people). Hackers will be able to ‘crack’ many of these passwords when users chose weak ones, but users who chose strong passwords are safe,” Graham said.

The leaked data appears to include the details of 33 million accounts and 36 million email addresses. However, Australian security expert Troy Hunt, who runs the Have I Been Pwned service, says there are 30,636,380 unique email addresses.

“This event is not an act of hacktivism, it is an act of criminality. It is an illegal action against the individual members of, as well as any freethinking people who choose to engage in fully lawful online activities,” Avid Life Media wrote in its statement. “The criminal, or criminals, involved in this act have appointed themselves as the moral judge, juror, and executioner, seeing fit to impose a personal notion of virtue on all of society. We will not sit idly by and allow these thieves to force their personal ideology on citizens around the world. We are continuing to fully cooperate with law enforcement to seek to hold the guilty parties accountable to the strictest measures of the law.”

While the leaked data appears to originate from Ashley Madison’s systems, experts have highlighted that many of the profiles on the website are likely fake, especially since the company didn’t verify the email addresses provided by users during the account registration process.

“Leading up to this breach, Ashley Madison prided itself on airtight data security, a claim that seemed to have in part provoked the attackers to exploit the organization’s weakest point—insider security,” Mohan Koo, CEO and co-founder of Dtex Systems, told SecurityWeek. “The source of this breach is largely believed to have been a third-party contractor with privileged access to the company’s systems. This is an organization whose entire business model depends on trust, anonymity and discretion. To use anything less than the most state-of-the-art insider threat detection capabilities is to flirt with disaster, and with its user base now exposed to the world, it’s hard to imagine the company will be able to survive much longer.”

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...


A digital ad fraud scheme dubbed "VastFlux" spoofed over 1,700 apps and peaked at 12 billion ad requests per day before being shut down.


Pig Butchering, also known as Sha Zhu Pan and CryptoRom, is an ugly name for an ugly scam.

Application Security

After skipping last month, Adobe returned to its scheduled Patch Tuesday cadence with the release of fixes for at least 38 vulnerabilities in multiple...


Spanish and US authorities have dismantled a cybercrime ring that defrauded victims of more than $5.3 million.

Application Security

Software maker Adobe has rolled out its first batch of security patches for 2023 with fixes for at least 29 security vulnerabilities in a...