Hackers claiming to have stolen data from AshleyMadison.com, a website that facilitates hook-ups between would-be adulterers, have released information they say includes details of more than 36 million user accounts.
The data dump appears to be “legit” and includes full names, e-mail addresses, partial credit-card data and dating preferences, according to Robert Graham, chief executive officer of Errata Security, a researcher in Atlanta.
“This is data that can ‘out’ serious users,” Graham said in a blog post. “I have verified multiple users of the site.”
The hackers, calling themselves the “Impact Team,” released a “read-me” file with the data that said they posted the information because AshleyMadison hadn’t been taken down, as they demanded when they said they had obtained the data last month.
“Find someone you know in here? Keep in mind the site is a scam with thousands of fake female profiles,” the read-me note said. “Chances are your man signed up on the world’s biggest affair site, but never had one. He just tried to. If that distinction matters.”
Avid Life Media Inc., the Toronto company that operates the site, said in a statement that it is “monitoring and investigating this situation to determine the validity” of the information and cooperating with investigations by Canadian police and the U.S. Federal Bureau of Investigation.
The company didn’t address the effect the data dump might have on a plan to sell shares this year in London. That listing was proposed after an offering in Canada was shelved due to concerns among potential investors about Avid Life’s business.
The company pledged to do what it can to scrub the data from the Internet, though that may be difficult as download links have proliferated. The information is now available via the BitTorrent file-sharing technology, which means “it’s easily accessible and won’t disappear,” said Wulf Bolte, chief technology officer at German mobile security company mediaTest digital.
A site called AshleyMadisonLeaked.com appears to have the full set of data, including keys to users’ preferences in dozens of fields such as “Bondage,” “Erotic Tickling” or “Experimenting with Sex Toys.”
The site includes e-mail and user-name search boxes that the curious can use to determine whether their information -- or that of someone they suspect of adultery -- was included in the data breach. Apparently many people did exactly that. On Wednesday morning, the “leaked” site was overwhelmed by visitors and difficult to access.
There’s more on the line than people’s relationships. The leak could result in tailor-made phishing, spam attacks or even blackmail, said Mikko Hypponen, an IT security expert with Finland’s F-Secure Oyj.
“The most concrete fear for users listed in the database is that they’re now framed as cheaters, whether they actually did it or not,” Hypponen said. “We have to remember that they are victims of a crime.”
The revelation of the data theft last month cut traffic to the site by half, though it has since partly recovered, according to researcher SimilarWeb. AshleyMadison has seen an average of 2 million visitors daily since July 21, the day after the hack was revealed, down from 2.7 million in the previous three months, SimilarWeb said.
“This hack permanently destroys the perception that AshleyMadison can maintain users’ confidentiality,” said Robert Arandjelovic, a director of Blue Coat Systems, a technology consultancy in Munich. “It’s like doing business with a bank that’s been robbed 25 times in the past year; this has a huge impact on the customer base.”