Hackers had warned the website they would release user data if its owners did not agree to shutter all operations.
A hacker group made good on its pledge to release user data stolen from the affair website Ashley Madison, creating a potential privacy and security debacle for millions.
Security experts said Wednesday the files on some 32 million members of the website appeared to be genuine. Ashley Madison parent company Avid Life Media called the leak “an act of criminality” and urged anyone with information about the hackers to step forward to help law enforcement.
The data dump was first reported Tuesday by Wired magazine, which said the post on the “dark web” included millions of payment transactions, email addresses and phone numbers of people who were registered on the infidelity site.
“The database dump appears to be legitimate and contains usernames, passwords, credit card data [last four numbers], street addresses, full names, and much, much more,” said Dave Kennedy at the security firm TrustedSec in a blog post. “It also contains an extensive amount of internal data which looks like the hackers had maintained access to their environment for a long period of time.”
Security blogger Brian Krebs said that despite some initial doubts, “there is every indication this dump is the real deal.”
Krebs said on his website that “I’ve now spoken with three vouched sources who all have reported finding their information and last four digits of their credit card numbers in the leaked database.”
Independent security researcher Graham Cluley said the leak could be catastrophic for members of the website. “It’s easy to imagine that some people might be vulnerable to blackmail, if they don’t want details of their membership or sexual proclivities to become public,” Cluley said in a blog post. But he noted that an email registered in the Ashley Madison database “means nothing” because the site “never bothered to verify the email addresses given to it by users.”
The release comes a month after the data was stolen by hackers identified as the “Impact Team,” who said they were trying to shut down the site for cheaters.
Ashley Madison is known for its slogan “Life is short. Have an affair.” It helps connect people seeking to have extramarital relationships and is owned by Toronto-based Avid Life Media (ALM).
“We have explained the fraud, deceit, and stupidity of ALM and their members. Now everyone gets to see their data,” the group reportedly wrote in its data dump Tuesday.
“I’m looking for someone who isn’t happy at home or just bored and looking for some excitement,” said one user in the data, Wired reported, while noting that about 15,000 users had government or military email addresses.
Avid Life said in a statement it was “actively monitoring and investigating this situation to determine the validity of any information posted online” and was seeking to remove “any information unlawfully released to the public.”
“This event is not an act of hacktivism, it is an act of criminality,” the company said. “It is an illegal action against the individual members of AshleyMadison.com, as well as any freethinking people who choose to engage in fully lawful online activities.”
The company decried the moral stance apparently taken by the hackers. “The criminal, or criminals, involved in this act have appointed themselves as the moral judge, juror, and executioner, seeing fit to impose a personal notion of virtue on all of society,” the company said.
An investigation is being led by the Royal Canadian Mounted Police, the Ontario Provincial Police, the Toronto Police Service and the American FBI, the company said.
The incident is the latest in a series of high-profile data breaches affecting companies as well as government databases. It comes months after a leak of stolen data from 3.9 million members of Adult FriendFinder, which claims to be “the world’s largest sex and swinger” community.
Avid Life said recently it was considering a stock flotation to help grow the business, which also includes the website for women called Cougar Life, aimed at the “recently divorced, single mom or sexy single still on the prowl,” and another dating site called Established Men.