This morning, Troy Hunt published what is the saddest, most emotionally conflicting, and most interesting page on the internet right now. Hunt, a security researcher and proprietor of Have I Been Pwned, a site that allows people to check and see if their data has been compromised in major data breaches, got to the Ashley Madison information dump early last Wednesday and quickly made the data searchable for verified HIBP subscribers (unlike other sites, HIBP does not make the Ashley Madison information accessible to the non-verified general public). In the following days, Hunt’s inbox has been inundated with hundreds of emails — emails that are variously personal, frantic, confused, and contrite — from Ashley Madison users and their spouses looking for guidance in the aftermath of the hack. Hunt replied to some and decided, after redacting certain personal information, to publish snippets of the most compelling correspondence. The result is one of the rawest and broadest portrayals of the devastation wrought by an unprecedented breach.
We’re still far from understanding the scope of the leak. There are some basic, now well-known figures, of course, and they’re staggering — more than 30 million people were reportedly caught up in the breach. Then there are other darker and more morbid numbers: class-action lawsuits, divorces, and, as the BBC reported this morning, suicides resulting from exposed information. But these are only the most obvious and most quantifiable layer of an increasingly intricate story. For every exposed user there are innumerable potential connections — and, thus, victims by way of collateral damage, people whose lives have been irrevocably changed without warning or consent. It’s impossible to tally the emotional fallout that results from curious co-workers, friends, potential lovers, and acquaintances who happen to search the databases, but Hunt’s email collection serves as the best record to date of the havoc, panic, and complexity of the event.
“The biggest theme from these emails that surprised me is how desperate these people are that they'd disclose such deeply personal details to a complete stranger in the hope I might be able help them even just one little bit,” Hunt told BuzzFeed News. Hunt says that most appear to have contacted him out of “a sense of fear and feeling helpless.” While some of the emails are expectedly guilty or disgruntled missives, others are extraordinary; in one, a spouse confides that she was contacted by her husband’s church after church officials rifled through the database for congregation members’ emails.
So got a call, from our church leaders yesterday, saying my husband's work email was on [redacted], oh my!
Even the expected and more mundane emails are raw and affecting. “Tell your wife and kids you love them tonight. I shall do the same as I really don't know if I will have many more chances to do so,” one Ashley Madison account holder emailed Hunt. In some cases, they reveal unexpected perils from the exposed information, like one user who mentions how his wife was unknowingly a part of his online indiscretions. “What would be impossible to explain away — and what I would most feel guilty about — is the very detailed personal intimate information about my wife shared with strangers during my 'erotic' chats,” he wrote.
Taken together, the emails showcase the varying degree of guilt, culpability, and, perhaps most interestingly, the confusion surrounding the leak. A number of people wrote to Hunt alleging that their name was wrongly included, or that the account is from years ago, during another part of their lives; others were registered for work-related research purposes; others to check a former spouse they assumed was cheating. According to Hunt, many of correspondents wrote in simply confounded by it all. “It reminded me of when you have elderly parents or somebody who looks at a PC and is totally lost. This hack and the response is like that,” Hunt said, noting that many were mystified by the dark web, Tor, and where exactly their information had leaked. A number of the confused emailed Hunt asking him if he could delete their presence from the internet. “There are a lot saying, ‘Name a price and we'll pay it, if you can scrub me off the internet.’ I am thinking, this is not how the internet works and you should probably be spending your money with a marriage counselor,” he said.
Despite the torrent of frantic emails pouring into his inbox, Hunt doesn’t see this as a watershed moment for casual — mainstream — internet dwellers and personal information security, suggesting instead that the passage of time is the only way most humans will think critically about their internet footprint. And while Hunt only sees the frequency of these kinds of attacks increasing, he told BuzzFeed News that the sophistication of the Ashley Madison hack renders it almost impossible for average, non–security industry users to demand better data protections from online companies — mostly because the flaws are difficult, if not impossible, for even the savviest to spot.
“Most consumers just don’t have this kind of technical savvy to push for organization. Just in this hack you see that Ashley Madison stored its passwords extremely well. I’ve never seen an organization breached that had this sort of password storage,” Hunt said. “Seriously, Ashley Madison did a perfect job with password storage, except that didn't matter. Somebody made a big mistake someplace and the whole thing went down. How could any average user have made a good judgment call when there's nuances like this? It’s hard for even security types to make these judgements.”
At the time of the interview, almost a week from the initial data dump, Hunt was still watching emails come in and noted that being on the receiving end of these confessions and pleas has taken at least a slight emotional toll. “Sorting through these messages you realize just how unfathomably bad this is and will be for so many people,” Hunt said. And as much as Hunt has tried to keep his distance from individual users — he has tried only to respond to requests that concern HIBP or to verify certain claims — Hunt’s inbox has helped him come to a deep level of understanding for the scope, magnitude, and sensitivity of the hack. Throughout the past week, Hunt has learned what often only victims of these types of incidents learn: that the high-profile exposure of deeply private information casts an unfathomably wide net of trauma.
“This is so different from almost any hacks before it — even the Sony hack, where so many were unable to feel sympathy for those involved," Hunt said. "This is just so damaging to so many and that's why I wanted to get their personal stories out there. We need to realize that regardless of what they did and didn’t do — and believe me, there’s so many varying degrees of involvement — this hack is clearly destroying all kinds of lives.”
Perhaps what Hunt’s email collection best illustrates is the specifically calamitous nature of the Ashley Madison hacking data. Hacks are, by nature, often intensely personal, but rarely is the information they expose so maddeningly cryptic. As Hunt’s emails show, for most, that the data is a vague almost-confirmation of one’s worst suspicions, but rarely much more than that. Without honest and painful conversations, few of these cases will be straightforward and will only spawn more painful hypotheticals, questions, and distrust. As the emails indicate, the true and baffling tragedy of this hack — and the most terrifying prospect for the future breaches of sites containing deeply private information — may just be that the presence of one’s personal data is, by itself, inconclusive of wrongdoing and yet still potentially life-ruining.