The personal data of more than 37 million people was posted online Tuesday after hackers attacked AshleyMadison.com, an online dating service for married individuals to cheat on their partners, security experts confirmed to BuzzFeed News.
The hackers (or hacker), calling themselves The Impact Team, promised to release the "secret sexual fantasies and matching credit card transactions, real names and addresses," in a threat that now seems to have been fulfilled. Security experts who reviewed the data said "there was every indication that the data is real," and urged anyone who has used a credit card on the site to immediately contact their bank.
Troy Hunt, a security researcher who operates the website Have I Been Pwned?, which lets people check whether their email addresses have appeared in published breach data, told BuzzFeed News he was updating his site with the emails of those exposed in the Ashley Madison leak.
"We have multiple indicators that this is legitimate. There are things here that are just too hard to fabricate," said Hunt. "We haven't yet seen what attack vector was used to hack the Ashley Madison site. It will be very telling if there was a low-hanging vulnerability, and the site exposed all its millions of users by not securing something straightforward."
Brian Krebs, who runs the well-known blog Krebs on Security, wrote that he had received independent confirmation of the authenticity of the breach.
Whatever the attack vector turns out to be, Hunt added, the breach could be a watershed moment for those advocating for greater internet privacy.
"Certainly for those involved it will be a watershed moment. Perhaps at the very least it will start some discussion about the expectation of privacy online, and using real identities on these types of services," said Hunt.
Among the millions of email addresses posted online are many accounts linked to .gov and .mil domain names, reserved for people who serve in the government and military, respectively. Many company email addresses were also used, ranging from defense contractors to Silicon Valley startups. Ashley Madison, however, did not require email addresses to be verified, so there is no way to confirm that an address in the leak was actually entered by the person who owns it.
Ashley Madison's parent company, Avid Life Media, released a statement which is available in full below.
Last month we were made aware of an attack to our systems. We immediately launched a full investigation utilizing independent forensic experts and other security professionals to assist with determining the origin, nature, and scope of this attack. Our investigation is still ongoing and we are simultaneously cooperating fully with law enforcement investigations, including by the Royal Canadian Mounted Police, the Ontario Provincial Police, the Toronto Police Services, and the U.S. Federal Bureau of Investigation. We have now learned that the individual or individuals responsible for this attack claim to have released more of the stolen data. We are actively monitoring and investigating this situation to determine the validity of any information posted online and will continue to devote significant resources to this effort. Furthermore, we will continue to put forth substantial efforts into removing any information unlawfully released to the public, as well as continuing to operate our business. This event is not an act of hacktivism, it is an act of criminality. It is an illegal action against the individual members of AshleyMadison.com, as well as any freethinking people who choose to engage in fully lawful online activities. The criminal, or criminals, involved in this act have appointed themselves as the moral judge, juror, and executioner, seeing fit to impose a personal notion of virtue on all of society. We will not sit idly by and allow these thieves to force their personal ideology on citizens around the world. We are continuing to fully cooperate with law enforcement to seek to hold the guilty parties accountable to the strictest measures of the law. Every week sees new hacks disclosed by companies large and small, and though this may now be a new societal reality, it should not lessen our outrage. These are illegitimate acts that have real consequences for innocent citizens who are simply going about their daily lives.
Regardless, if it is your private pictures or your personal thoughts that have slipped into public distribution, no one has the right to pilfer and reveal that information to audiences in search of the lurid, the titillating, and the embarrassing. We know that there are people out there who know one or more of these individuals, and we invite them to come forward. While we are confident that the authorities will identify and prosecute each of them to the fullest extent of the law, we also know there are individuals out there who can help to make this happen faster. Anyone with information that can lead to the identification, arrest, and conviction of these criminals, can contact email@example.com.
Brendan Klinkenberg is a tech reporter for BuzzFeed News and is based in San Francisco.
Sheera Frenkel is a cybersecurity correspondent for BuzzFeed News based in San Francisco. She has reported from Israel, Egypt, Jordan and across the Middle East. Her secure PGP fingerprint is 4A53 A35C 06BE 5339 E9B6 D54E 73A6 0F6A E252 A50F