“I’m sure there are millions of Ashley Madison users who wish it weren’t so, but there is every indication this dump is the real deal.” Brian Krebs
Living up to their threats from last month, it now appears the Impact Team, the hacking group behind the intrusion of infamous infidelity website Ashley Madison (AM), has leaked the full database of the site's users online. The data dump weighs in at an impressive 9.7 gigabytes of compressed data that includes account details for approximately 32 million users, seven years of credit card data, contact details, email addresses and, in some cases, detailed sexual preferences and desires.
Wired first reported the leak late Tuesday, and the torrent of stories from media sites around the world has continued unabated. You might say that certain outlets, including those pointing to the 15,000 reported .gov or .mil email addresses included in the data dump, are downright gleeful.
Attorney Carrie Goldberg put it this way, and I couldn’t agree more:
[quote]Many celebrate this hack, gleeful that cheaters are getting their comeuppance. I suggest we stay out of other people’s bedrooms, even when the lurid details of those bedrooms are on a platter for us on the Internet. Those reveling in the hack, calling it a karmic triumph, should self-examine. Not just their own relationship and trust issues, but do they really condone the idea that the right to privacy should be on a continuum based on a person’s moral turpitude?[/quote]
Initially, there was some question as to the data's validity. Security reporter Brian Krebs discussed the latest leak with the founding chief technology officer of AM, Raja Bhatia. Bhatia said, “The overwhelming amount of data released in the last three weeks is fake data.” However, in an update to his blog, Krebs spoke with “three vouched sources who all have reported finding their information and last four digits of their credit card number in the leaked database.”
ErrataSecurity’s Robert Graham has been parsing through the information, which he says “appears legit.” He says users mostly appeared to be men—28 million versus 5 million women—but noted, “glancing through the credit-card transactions, I find only male names.” He confirms the data includes full account information and approximately 250,000 deleted accounts and partial credit card data with “full names and addresses … This is data that can ‘out’ serious users of the site.” Notably, the account holders' passwords are hashed with bcrypt, something Graham calls “a refreshing change.” He continues, “Most of the time when we see big sites hacked, the passwords are protected either poorly (with MD5) or not at all (in ‘clear text,’ so that they can be immediately used to hack people)."
And then there are those 15,000 .gov and .mil addresses. As Steve Ragan points out, “If the data in the leaked files is valid, then Impact Team has created a blackmail archive that could land scores of people in hot water.” Dan Goodin of Ars Technica reports that leaked data also includes PayPal accounts used by AM executives, employee domain credentials and other proprietary internal documents.
Clearly, this is valuable PII that has found its way into the public domain.
What else is clear? Well, that it's not clear at all how valid or "real" this data is. For example, AM does not require users to validate their email addresses. One Twitter user going by @zerohedge pointed out that former UK Prime Minister Tony Blair’s email address is on there. Now, let’s be honest, there’s no way someone of his stature would have signed up for such a site using that email address. Much of the data, we must conclude, is not accurate.
Plus, as Kashmir Hill points out, journalists and others curious to see what went on in the site may have signed up as well.
Avid Life Media, the company that owns AM and other similar sites like Established Men, issued a statement:
[quote]The criminal, or criminals, involved in this act have appointed themselves as the moral judge, juror, and executioner, seeing fit to impose a personal notion of virtue on all of society. We will not sit idly by and allow these thieves to force their personal ideology on citizens around the world. We are continuing to fully cooperate with law enforcement to seek to hold the guilty parties accountable to the strictest measures of the law.[/quote]
As a relatively quick response, there’s some serious takeaways to consider here. First, AM has exercised terrible data retention practices. Why would AM—or any company for that matter!—keep credit card transactions going back almost eight years? The data also includes 250,000 “deleted” accounts. Clearly, those weren’t deleted, but should have been.
Second, and separate from their data retention policies, it appears AM did employ decent hashing of passwords by using bcrypt. But that security measure, though a good one, doesn’t mean a whole lot to those who’ve had their sensitive data hacked. There’s no silver-bullet solution to strong security and privacy. It’s a multi-pronged effort combining good encryption, adroit data retention and deletion processes, two-factor authentication and plenty of other tactics.
Third, and this applies mostly to reporters and bloggers, these kinds of juicy data leaks—like the “Celebgate” hacks from last summer—provide the Internet with gossipy, paparazzi-style “reports.” Trying to figure out (and humiliate) who was on AM only supplies such hackers with leverage to do the same to other organizations in the future. I’m not saying these events shouldn’t be reported on, but I hope those looking into this are careful with what details from this leak they report on and link to.
We’re living in an era when massive amounts of personal data—think OPM, Sony, Anthem—are being hacked, leaked and exposed. Revenge porn, trolling and swatting happen on a daily basis. As Goldberg rightly points out, “The Internet has created a marketplace where there is a value to other people’s humiliation.” She continues, "This mob revelry – and even sexual gratification – for “humiliporn” drives millions to dedicated revenge porn sites, motivates people to retweet sexual assaults, and is why so many couldn’t resist clicking on those pictures of Jennifer Lawrence ... As long as we condone privacy invasions based on the personal values of those entertained by it, we are promoting a real lawlessness."
To many, the ethos of AM is not a good one, but there’s a bigger picture to consider here. Possessing and sharing personal information is a powerful thing. Do we want a digital community that celebrates the humiliation of each other? Do we want to buy into the bad behavior of the Impact Team so they and others like them can do so again down the road? I hardly think so.