The hacked information of millions of Ashley Madison customers appears to have been released online by hackers, almost a month after the initial breach.
A large cache of data has been posted on the Deep Web, that is said to include the names, addresses, credit card data and phone numbers of Ashley Madison’s 32m users.
The data, which totals 9.7GB, was released alongside a message with the heading “Time’s Up”.
The message from the hackers says: “Avid Life Media has failed to take down Ashley Madison and Established Men. We have explained the fraud, desist and stupidity of ALM and their members. Now everyone gets to see their data.”
The data is said to include seven years of credit card and other payment transaction details.
According to Ars Technica, the dump contains files with titles including “aminno_member_dump.gz,” “aminno_member_email.dump.gz,” “CreditCardTransactions7z,” and “member_details.dump.gz,”, which indicates that the download “could contain highly personal details.”
The data has also been said to include almost 15,000 email addresses from .mil. or .gov addresses.
As many have pointed out, it is possible to create an account using the details and email addresses of another person, meaning some of the alleged users are likely fake.
Last month, hackers calling themselves The Impact Team revealed they had broken into the network of Ashley Madison’s parent company, Avid Life Media, and stolen a huge amount of sensitive data from the Canadian company.
This included the private user information of 37m users, along with sensitive financial records and data from Avid Life Media.
The group released a small amount of user data, which Avid Life Media took down, and said they would release more information every day until the sites were shut down.
The hackers threatened to release “all customer records, profiles with all the customers’ secret sexual fantasies and nude pictures”, along with “conversations and matching credit card transactions, real names and addresses and employee documents and emails.”
And since then, we’ve heard very little from the hackers, until today.
After the dump was reported, there were some initial reservations from trusted sources that maybe the data wasn’t real.
Brian Krebs, the security researcher who discovered the initial hack, said he had spoken to Raja Bhatia, Ashley Madison’s original founding CTO, who said his team had been regularly removing “30 to 80” fake dumps every day, that claimed to be the Ashley Madison data.
However since the article questioning the legitimacy of today’s dump, Krebs has reversed his position, saying: “I’m sure there are millions of AshleyMadison users who wish it weren’t so, but there is every indication this dump is the real deal.”
I’m sure there are millions of AshleyMadison users who wish it weren’t so, but there is every indication this dump is the real deal.
– briankrebs (@briankrebs) August 19, 2015
Krebs said he had spoken with three vouched sources who “all have reported finding their information and last four digits of their credit card numbers in the leaked database.”
In the full statement with the dump, the hackers said: “Find someone you know in here? Keep in mind the site is a scam with thousands of fake female profiles. See ashley madison fake profile lawsuit; 90-95% of actual users are male. Chances are your man signed up on the world’s biggest affair site, but never had one. He just tried to. If that distinction matters.
“Find yourself in here? It was ALM that failed you and lied to you. Prosecute them and claim damages. Then move on with your life. Learn your lesson and make amends. Embarrassing now, but you’ll get over it.”
And in a statement released yesterday, Ashley Madison said the breach was “not an act of hacktivism” but an act of criminality.
With regards to today’s information dump, Ashley Madison said: “We are actively monitoring and investigating this situation to determine the validity of any information posted online and will continue to devote significant resources to this effort.
“Furthermore, we will continue to put forth substantial efforts into removing any information unlawfully released to the public, as well as continuing to operate our business.”
The Canadian company said it was currently working with law enforcement agencies including the Royal Canadian Mounted Police, the Ontario Provincial Police, the Toronto Police Services and the U.S. Federal Bureau of Investigation.
We will update the story as it develops.
Read the full Ashley Madison statement below:
Last month we were made aware of an attack to our systems. We immediately launched a full investigation utilizing independent forensic experts and other security professionals to assist with determining the origin, nature, and scope of this attack. Our investigation is still ongoing and we are simultaneously cooperating fully with law enforcement investigations, including by the Royal Canadian Mounted Police, the Ontario Provincial Police, the Toronto Police Services and the U.S. Federal Bureau of Investigation.
We have now learned that the individual or individuals responsible for this attack claim to have released more of the stolen data. We are actively monitoring and investigating this situation to determine the validity of any information posted online and will continue to devote significant resources to this effort. Furthermore, we will continue to put forth substantial efforts into removing any information unlawfully released to the public, as well as continuing to operate our business.
This event is not an act of hacktivism, it is an act of criminality. It is an illegal action against the individual members of AshleyMadison.com, as well as any freethinking people who choose to engage in fully lawful online activities. The criminal, or criminals, involved in this act have appointed themselves as the moral judge, juror, and executioner, seeing fit to impose a personal notion of virtue on all of society. We will not sit idly by and allow these thieves to force their personal ideology on citizens around the world. We are continuing to fully cooperate with law enforcement to seek to hold the guilty parties accountable to the strictest measures of the law.
Every week sees new hacks disclosed by companies large and small, and though this may now be a new societal reality, it should not lessen our outrage. These are illegitimate acts that have real consequences for innocent citizens who are simply going about their daily lives. Regardless, if it is your private pictures or your personal thoughts that have slipped into public distribution, no one has the right to pilfer and reveal that information to audiences in search of the lurid, the titillating, and the embarrassing.
We know that there are people out there who know one or more of these individuals, and we invite them to come forward. While we are confident that the authorities will identify and prosecute each of them to the fullest extent of the law, we also know there are individuals out there who can help to make this happen faster. Anyone with information that can lead to the identification, arrest and conviction of these criminals, can contact firstname.lastname@example.org.