When casual sex and cheating site Ashley Madison was hacked last month, the perpetrators gained access to personal data for millions of users, and threatened to release it unless parent company Avid Life Media took the site and its sister enterprise Established Men down for good. Now, less than a month after the data was stolen, it has allegedly surfaced online. The records currently available appear to include credit card details, in addition to addresses, phone numbers, and names of users.
The information was first posted on the dark web, before the group behind the attacks — calling itself the Impact Team — announced its release on Reddit earlier this week. A searchable database has been constructed using the information, allowing interested parties to search for people by name or email address, and returning details including their sexual preference, contact details, body type, and fetishes. User passwords are hashed with the bcrypt algorithm, suggesting that Ashley Madison at least took steps to secure that information while on file, but Robert Graham, CEO of Erratasec, told Wired that "hackers are still likely to be able to 'crack' many of these hashes in order to discover the account holder's original password."
Avid Life Media confirmed on Tuesday that the FBI was investigating the hack, along with Canadian police services. A company statement, however, stopped short of saying that the latest release was actual data. "We are actively monitoring and investigating this situation to determine the validity of any information posted online and will continue to devote significant resources to this effort," wrote social media director Anthony Macri. Separately, journalist and security expert Brian Krebs says he's spoken to three sources who found their names and the last four digits of their credit cards in the database.
In its Reddit post, the Impact Team referenced its earlier demand that Avid Life Media take down Ashley Madison and Established Men, having previously characterized the latter as "a prostitution / human trafficking website for rich men to pay for sex." It also hit out at Ashley Madison for its "full delete" feature, a $19 service which promised to scrub data from the company's records, but allegedly allowed the company to keep customer information on file. "Find yourself in here?" the group asks about the leaked records, before pinning the blame on Ashley Madison's creators. "It was ALM that failed you and lied to you. Prosecute them and claim damages. Then move on with your life. Learn your lesson and make amends. Embarrassing now, but you'll get over it."
Update August 19th, 9AM ET: Added statement from Avid Life Media and report from Brian Krebs.