The hackers responsible for breaking into the systems of cheating Web site Ashley Madison have apparently made good on their threat to publicly dump data about the site's millions of users. First revealed in July, the hack attack by a group calling itself the "Impact Team" was launched with a warning for the site -- as well as another site called Established Men -- to shut down.
Run by a Canada-based company called Avid Life Media, Ashley Madison was founded in 2001 and has a reported 33 million users in 46 countries. Established Men, launched in 2009 to connect "young, beautiful women with rich, successful men" does not provide online information about the number of users. A third site operated by the company -- CougarLife.com, aimed at single women and also founded in 2009 -- has a reported 5 million users and does not appear to have been targeted by the Impact Team.
Yesterday, the hackers published 9.7 gigabytes of data on the dark Web, reportedly containing user information taken from the Avid Media Life sites during last month's hack attack. According to a text message titled "Time's Up!" accompanying the files, "Avid Life Media has failed to take down Ashley Madison and Established Men. We have explained the fraud, deceit, and stupidity of ALM and their members. Now everyone gets to see their data."
'Not Hacktivism but Criminality'
Avid Life Media is "actively monitoring and investigating this situation to determine the validity of any information posted online and will continue to devote significant resources to this effort," according to a statement posted yesterday on the Ashley Madison Web site.
The ongoing investigation into the hack attack is being conducted with the help of the Royal Canadian Mounted Police, the Ontario Provincial Police, the Toronto Police Services and the U.S. Federal Bureau of Investigation.
Avid Life Media condemned the attack as "not an act of hacktivism" but "an act of criminality."
"It is an illegal action against the individual members of AshleyMadison.com, as well as any freethinking people who choose to engage in fully lawful online activities," the company said. "The criminal, or criminals, involved in this act have appointed themselves as the moral judge, juror, and executioner, seeing fit to impose a personal notion of virtue on all of society."
A spokesperson for Avid Life Media told us today that the company is not currently giving interviews and does not have any additional information beyond what was provided in the statement posted online.
Fear of 'Genuine Casualties'
Although much of the online discussion in social media following the hack has expressed amusement at the fact that would-be cheaters are being publicly exposed, finding a person's name in the data dump "doesn't mean that person was a real user," as the Ashley Madison site didn't appear to verify users' e-mail addresses upon registration, noted security writer Brian Krebs in a blog post yesterday. However, Krebs added in an update that "there is every indication this dump is the real deal."
Computer security analyst Graham Cluley offered an even stronger warning in his latest blog post.
"It's easy to imagine that some people might be vulnerable to blackmail, if they don't want details of their membership or sexual proclivities to become public," he said, adding "there could be genuine casualties as a result" if some users are driven to suicide by the release of their personal data.
An analysis of e-mail addresses from the data dump posted on Pastebin showed numerous domains from various branches of the U.S. military and government agencies. As several observers have noted, members of the armed services in the U.S. found guilty of fidelity can be dishonorably discharged and lose their pensions.
Other e-mail addresses found in the dump included university domains and even a work e-mail for former U.K. Prime Minister Tony Blair.
"This represents another significant escalation in terms of what attackers are doing and could do. It's no longer just about credit cards and money, it's about people's lives and livelihoods," said Christopher Budd, manager of global threat communications at the security firm Trend Micro, after the hack was revealed last month.
We reached out to Budd today to learn more about his thoughts in the wake of this week's data dump.
"This confirms that encryption alone isn't security," he told us via e-mail. "Businesses must utilize multiple layers of technologies, processes and people -- working in conjunction with one another -- to secure and provide ongoing protection of their data."
Budd added that the chances of any members of the Impact Team being identified and caught were "zero."
"Chasing down cybercriminals in large-scale cases involve a great deal of work and cooperation from law enforcement and other entities," he said. "A case like this usually doesn't rise to the necessary level to allocate those limited resources away from other cases like child exploitation/pornography."
According to Trend Micro, which recently published a report on sextortion schemes, the Ashley Madison hack clearly demonstrated that "privacy is non-existent in the absence of security."
Trend Micro's Chief Cybersecurity Officer Tom Kellermann told us, "The ramifications of the Ashley Madison hack will not only play out in the public eye, but behind closed doors as numerous victims, suffering in silence, are targeted and blackmailed with their own personal communications being sold within the deep Web."
He added the hack's impact could eventually extend beyond users to the workplaces whose technologies might have been used to access the Ashley Madison site.
"From a legal perspective, the liabilities are endless and the impact could be felt over the duration of months and even years," Kellermann said.