Very Personal Information For Over 30 Million Ashley Madison Users Set Loose On Internet In Wake Of Hack

Ashley Madison, the website for cheating cheaters who specifically want to go have an affair, was hacked in July. A day later, the company said that it was working to secure its users’ data and all personally identifiable data had been taken down. But perhaps the company is taking after the worst habits of its member base, because that too turns out to be a pack of dirty lies: the full data for over 30 million Ashley Madison accounts is now out there in the wild.

The good news, such as it is: the 33 million passwords that are part of the data dump are hashed (encrypted) and probably won’t be cracked. That, however, is a very, very small silver lining in a giant, ominous stormcloud of doom. The rest of the leaked data includes 36 million e-mail addresses (including, Ars Technica points out, 15,000 from .gov or .mil domains) and 33 million usernames and first and last names.

It gets worse for the 33 million users who now have their names and user IDs out there: the rest of their profile information went along with them. That includes likes, dislikes, partnership status, sexual preferences, date of birth, and more. Physical addresses and phone numbers are also attached, along with the last four digits of millions of users’ credit card numbers.

But wait! There’s more! You also get the full records of the last seven years’ worth of credit card transactions that the site had, to the tune of 9.6 million records. A researcher also says he has found valid, active credit card numbers in the data.

In sum, this leak is very, very bad for all of Ashley Madison’s users. The internet now has a hold of their private secrets combined with their public identities, and the internet, being the internet, is unlikely to be kind.

And yet, the breach may be even worse for the business: the data dump, researchers have found, doesn’t just include user data. It also includes an overwhelming amount of Ashley Madison’s internal data. There’s financial and security info in the leak, including information for PayPal accounts company executives use and Windows domain credentials for employees. And there are also a huge number of internal documents in the data stash, including communications, org charts, contracts, and more.

Ashley Madison’s former CTO, who has been working as a consultant with the company since the discovery of the breach in July, told security expert Brian Krebs that “The overwhelming amount of data released in the last three weeks is fake data.”

Alas, that does not appear to be true for this massive, final dump. Not only does the volume of internal company data released along with the user profiles indicate that the information is genuine, but also multiple site users confirmed to Krebs that they had identified their own personal info in the leak.

The most recent statement from Avid Life Media, Ashley Madison’s parent company, condemns the hackers for appointing themselves “as the moral judge, juror, and executioner, seeing fit to impose a personal notion of virtue on all of society,” and adds a plea for anyone with information that can ID the hackers and lead to prosecution to come forward.

Ashley Madison hack is not only real, it’s worse than we thought [Ars Technica]