The group behind the hack of adultery website Ashley Madison appears to have made good on its threat, leaking the site's user database online—and potentially exposing those users to threats of blackmail.
Last month, a group of hackers known as The Impact Team claimed to be behind an attack on Ashley Madison—whose tagline is "Life is short. Have an affair,"—and associated sites Cougar Life and Established Men, stealing information on more than 37 million users. They threatened to release details if site owner Avid Life Media did not shut down Ashley Madison and Established Men. Avid Life Media did not comply.
Now, nearly 10 gigabytes of data, including member account details, logins and payment details, have been posted to the dark Web, according to a report in Wired. Avid Life Media said Tuesday it was investigating the validity of the claim. "Furthermore, we will continue to put forth substantial efforts into removing any information unlawfully released to the public, as well as continuing to operate our business," the company said in a statement.
Security blog Krebs on Security reported it had confirmed the data dump as legit, via three sources who found their information among the data. Wrote Krebs, "I'm sure there are millions of Ashley Madison users who wish it weren't so, but there is every indication this dump is the real deal."
This leak could be more damaging than many data breaches. "You could really ruin someone's life," Chase Cunningham, threat intelligence chief at cloud-computing company FireHost, told CNBC when the hack was revealed last month.
"Without question, this is incredibly valuable information," J.J. Thompson, founder and chief executive of Rook Security, an IT security firm, told CNBC earlier this year. "[Site users] are now vulnerable to a significant secret." Even if the information is taken down quickly, it could easily be used as leverage not just for financial gain, but to influence decisions by any of those victims in positions of power, he said.
Average consumers have marginally less to worry about. "Unless you're a really high-profile individual … it's pretty unlikely that anyone is going to come and take the time and blackmail you because you used the site," said Geoff Webb, vice president of solution strategy for security management firm NetIQ, earlier this year. "For an individual user, it's embarrassment more than anything."
It is worth noting that Ashley Madison's sign-up process does not require email verification, so legitimate email addresses belonging to nonusers may have been used by members of the site. It's also not clear how many of the users actually sought out extramarital affairs through the site.
Still, there is a risk that people might search the information dumps to see if they have friends, co-workers or spouses among the site users and spot a familiar email address. "That would still be a very awkward conversation to have," said Webb. Use of the site could also come back to hurt consumers in, say, divorce or custody proceedings, said Thompson. "Everything is leverageable by the right person who is looking for the right thing," he said.
Even consumers who aren't hunting for affairs online can take a few lessons from this breach, experts say. Notably, "stuff that's online is pretty much not private, no matter what you might hope or think or wish for," said Webb. Old records, like transactions and account details, remain in company databases long after you've deleted an account, he said, because the company needs them for tax and other business purposes.
"There used to be an old saying that everybody ends up naked on the Internet at some point," said Webb. Although that was meant figuratively, consumers should realize that any online activity has the potential to become public.
Consumers also tend to be focused on the financial repercussions, to the extent that in a recent MasterCard survey, 55 percent of people said they would rather have nude pictures of them leaked online than have their financial information stolen. Pilfered data can be used in myriad ways, however—a health insurance hack might publicize health conditions or a stint in rehab, for example, while bank breaches could disclose how much credit card debt you have.
"A lot of people are numb to the data breach stuff that's happening, because it's so regular," said Cunningham. "But they're not thinking about the implications of the data that's being taken."