TORONTO – It appears as though the hackers who targeted Canadian-owned cheating website Ashley Madison have made good on their promise to post the stolen data online.
Hackers say they have dumped nearly 10 gigabytes of data online, allegedly containing account details and log-ins for some 32 million users of the affair facilitating website.
Wired Magazine, the first to report on the data leak, said some of the information appears to include at least seven years’ worth of credit card and payment information details.
The Toronto-based website, which offers to connect people looking to have an affair, was initially hacked last month by a group called The Impact Team. The hackers called on parent company Avid Life Media to shut down the affairs website – or risk their customers’ information being released.
According to reports, a message from the hackers posted online Tuesday read, “Time’s Up! Now everyone gets to see their data.”
Avid Life Media called the attack “an act of criminality” in a statement issued Tuesday. “We have now learned that the individual or individuals responsible for this attack claim to have released more of the stolen data,” it read.
“We are actively monitoring and investigating this situation to determine the validity of any information posted online and will continue to devote significant resources to this effort.”
Is the data authentic?
There have been some conflicting reports about the authenticity of the leaked data.
Global News has not determined the authenticity of the leaked documents, but several security analysts who have scanned the data say they believe the dump is genuine.
One of them, TrustedSec CEO Dave Kennedy, said the dump included full names, passwords, street addresses, credit card information and “an extensive amount of internal data.” In a blog post, he said it seemed the hackers had access to Ashley Madison “for a long period of time.”
Errata Security CEO Rob Graham said he had counted more than 36 million accounts – but noted many appeared to be bogus.
But Raja Bhatia, AshleyMadison’s former chief technology officer, disputed the legitimacy of the leaked data when speaking to security research Brian Krebs, who has been following the Ashley Madison scandal since it began in mid-July.
Bhatia – who has been consulting for the website since the hack – said there have been many supposed data dumps since hackers initially released some user data on July 19. However, he claimed many of those dumps included data from the initial leak and a mix of data taken from other sources.
“On a daily basis, we’re seeing 30 to 80 different claimed dumps come online, and most of these dumps are entirely fake and being used by other organizations to capture the attention that’s been built up through this release,” Bhatia told Krebs.
“In total we’ve looked at over 100GB of data that’s been put out there. For example, I just now got a text message from our analysis team in Israel saying that the last dump they saw was 15 gigabytes. We’re still going through that, but for the most part it looks illegitimate and many of the files aren’t even readable.”
Bhatia also told Krebs that Ashley Madison does not store credit card information.
However, Krebs updated his blog post late Tuesday saying he had spoken with “three vouched sources” who had reported finding their information and the last four digits of their credit card numbers in the leaked database.
“I’m sure there are millions of Ashley Madison users who wish it weren’t so, but there is every indication this dump is the real deal,” Krebs added.
What kind of information has allegedly been released?
According to Wired, the database contains user names, addresses, phone numbers, encrypted passwords, and 36 million email addresses.
Online security magazine CSO reported that the leak contains over 15,000 government or military email addresses, ending .mil or .gov.
However, many reports point out that users may not have provided their legitimate details when signing up for the site. This is, after all, a website geared toward those who are seeking affairs and likely want to stay as under the radar as possible.
Security expert Graham Cluley pointed out that Ashley Madison didn’t require users to verify their email addresses when they’ve signed up for the service.
“So, I could have created an account at Ashley Madison with the address of firstname.lastname@example.org, but it wouldn’t have meant that Obama was a user of the site,” Cluley wrote in a blog post.
Can Ashley Madison users check to see if their information has been leaked?
Soon after news of the leak broke, websites domains such as WasHeOnAshleyMadison.com began appearing online.
Security developer Troy Hunt who runs Have I been pwned? (HIBP) – a free service that collects data from security breaches and helps people figure out if they’ve been impacted – said traffic to the website has tripled since news of the leak.
Instead he has set up a notification website which can alert users when their email address is found in a confirmed batch of leaked data.
– With files from The Associated Press