Last month, hackers broke into AshleyMadison.com, a dating site for adulterers, and said that if the site wasn't shut down immediately and permanently, they'd release the names and information of everyone using the service. They may have just fulfilled that promise.
On Tuesday, an enormous data dump surfaced on the Dark Web that claims to be set up by a hacking organization called the Impact Team. That page, as seen below, has a 9.7 GB torrent file full of names, email addresses and credit card information supposedly from years of Ashley Madison's user history.
Established Men is a site that sets up "sugar daddy" relationships, and Avid Lift Media refers to the parent company for both Ashley Madison and Established Men.
Whether or not this is really the stolen Ashley Madison database is yet to be determined. Amateur hackers, for whom media attention is an end in itself, have put together false databases in the past before from publicly available info — or just prior leaks — and claim that it's fresh information.
Through the night, journalists, security firms and cybersecurity analysts are scrambling to determine if this is really the work of the Impact Team, with some early confirmations rolling in from Per Thorsheim, a cybersecurity researcher and analyst who specializes in password protection.
Even if it is the right data, the information itself could be misleading. Ashley Madison doesn't require you to verify your email address, so you could sign up for the site and use its services with a fake or someone else's information.
The most valuable data, should the dump prove to be legitimate, will be the verifiable credit cards. The database allegedly includes millions of credit card transactions dating all the way back to 2007. Those will be much more difficult for exposed cheaters to explain.
But worst of all, the dump appears to contain passwords for those accounts as well. Wired explains how they may have been released.
Passwords released in the data dump appear to have been hashed using the bcrypt algorithm for PHP, but Robert Graham, CEO of Erratasec, says that despite this being one of the most secure ways to store passwords, "hackers are still likely to be able to 'crack' many of these hashes in order to discover the account holder's original password." If the accounts are still online, this means hackers will be able to grab any private correspondence associated with the account.
On the imageboard 8chan, which was temporarily hidden from Google results due to suspected child abuse, users formed a collection of Ashley Madison email addresses and published them on the site Pastebin. Many of the emails are linked to real people on LinkedIn, but the list contains lots of fake addresses too, such as firstname.lastname@example.org.
Anonymous internet posters have already discovered the email address of at least one public figure. In subsequent posts, they identify this person's partner. This person has been confronted on Twitter; I would not be surprised if the partner is currently getting alarming emails from strangers. This happened almost instantly after the leak.
On the Reddit forum AMUpdates, some people claiming to be Ashley Madison users are scanning the Dark Web files and posting what they find. One excerpt:
74ABAA38.txt This file contains the GPG public key that can be used to check that all the files were created by the author and not modified by some third party. They are all legit in this case.
CreditCardTransactions.7z This archive contains all the credit card transactions from the past 7 years ! (The first csv file dates back to March 2008). All those csv files contains the names, street address, amount paid and email address of everyone who paid something on AshleyMadison. Those ~2600 files represent more than 9.600.000 transactions !
am_am.dump Here comes the interesting part. This file contains 32 million user data: first/last names, street address, phone numbers, relationship status, what they are looking for, if they drink, smoke, their security question, date of birth, nickname, etc...
ashleymadisondump.7z This archive mostly contains administrative documents about AM internals some of them were published a few days after the breach was announced.
aminno_member.dump I don't know where does this database dump come from, but it also contains some personal data.
aminno_member_email.dump About 36 million email addresses. (Gonna make some stats on them in a second time)
member_details.dump Physical description: eyes color, weight, height, hair color, body type, "ethnicity", caption...
member_login.dump This database dump contains more than 30 million usernames + hashed passwords. The passwords are hashed with the bcrypt algorithm and a huge cost factor of 12, which makes a global attack on the password very unlikely (even for most commons passwords). However, attacking a single (or a couple) of passwords is still possible and you definitely need to change your password.
Mic is in touch with a cybersecurity firm that is analyzing the data, and will update this story when we know more.
Update: Brian Krebs, the researcher and journalist who first broke the hacking story last month, spoke to Ashley Madison's chief technology officer, Raja Bhatia, who said that there's no way hackers could have users' credit card info.
"There's definitely not credit card information, because we don't store that," Bhatia told Krebs. "We use transaction IDs, just like every other PCI compliant merchant processor. If there is full credit card data in a dump, it's not from us, because we don't even have that."
So now, we have the CTO saying there's no way hackers could have credit card info, and researchers saying that leaked credit cards have been traced back and verified. They're conflicting positions that claim to be absolute — again, we'll update with more info as it comes in.