Ashley Madison data dump: What's at risk and for whom
Site faces $760 million class-action lawsuit over privacy concerns
A group of web-based vigilantes might be responsible for an increase in the casework of divorce lawyers this week.
That's because an anonymous online group released more than 30 million email addresses of customers of the infidelity website Ashley Madison.
It then ramped up its vendetta against the site in a second data dump Friday, which included emails sent out by the company's founder while mocking him in a message: "Hey Noel, you can admit it's real now."
Who is responsible?
A group calling themselves Impact Team is claiming they are behind the data leak.
The group posted a manifesto online last month, which said they have taken over Avid Life Media's "entire office and production domains and thousands of systems, and over the past few years have taken all customer information databases ..."
The group does not express affiliation with either the hacker collective known as Anonymous or another one known as Lizard Squad.
The company suspects one of the people responsible may be a former employee or contractor that "at least at one time had legitimate, inside access to the company's networks," Avid Life Media's CEO Noel Biderman told cybersecurity writer Brian Krebs.
Was it a hack?
It's unclear how Impact Team secured the data.
In its manifesto, the group claims, "we have hacked them completely."
An Avid Life Media statement refers to the incident as an "attack."
"This event is not an act of hacktivism," reads a statement from Avid Life Media, "it is an act of criminality."
Why did they do it?
Impact Team demanded that Avid Life Media take down its Ashley Madison site as well as one called Established Men, a website claiming to connect "young, beautiful women with interesting men."
The group takes issue with what it calls the company's "fraud, deceit and stupidity," it says in a statement.
It claims the company made millions of dollars through fraudulent services, like offering users the ability to have their information permanently deleted from its system for a fee. Impact Team claims the service is "a complete lie;" but the company defends it.
Is the data real?
Several sources have verified the data is authentic.
But, that doesn't mean anyone whose email address appears in the leak is guilty of having an affair.
The company requires users to register with an email address, but does not require email verification. So many of these addresses are clearly made up.
For example, at least 16 users signed up pretending to be the current or a former U.S. president, Vanity Fair reported. Former British prime minister Tony Blair's email also appears, Wired reported, and firstname.lastname@example.org is for a domain that doesn't exist.
Still, at least one high-profile individual's extra-marital affair was revealed by the leak. Ex-reality-TV star Josh Duggar apologized for cheating on his wife after his name appeared in the leaked data.
How could it impact people?
While some marriages may hit rough waters because of the leaks, and divorce lawyers are gearing up for an unexpectedly busy season, there may be other consequences too.
I am about to be killed, tortured, or exiled.- Reddit user
For example, one person who commented on an article in The Intercept said she's been "a long term member" of the site because her spouse's medical condition has affected their intimate life.
Her spouse knows she's engaged with other Ashley Madison members, she says, but now fears she will likely lose friends and have to find a new job now that her association with the site is out there.
At least one person has expressed concerns over his physical safety.
- National lawsuit filed against parent company
- Cheating spouses unlikely to be dissuaded, researcher says
- Affairs are 'unCanadian,' John Oliver says
"I am from a country where homosexuality carries the death penalty," wrote one anonymous Reddit user before the data was exposed, begging the party responsible not to publish the data.
He said he lives in Saudi Arabia, but used Ashley Madison "to hook up with single guys" while studying in the U.S.
"I am about to be killed, tortured, or exiled," he wrote. "And I did nothing wrong." (A few days later, he posted that he was working with a law firm that specializes in refugees and would be travelling to the U.S. soon.)
There are a number of other countries where homosexuality is illegal and punishable by death, and more than two dozen others where people can go to jail if found guilty.
In the U.S., criminal charges are also a possibility for military personnel. The Uniform Code of Military Justice allows for adultery to be considered a criminal offense, depending on the circumstances.
Other employees who are subject to morality clauses in their employment contracts may face trouble. As might government employees who registered with their .gov email addresses or used work computers to access the site.
Security experts have warned of blackmail, and there have already been some attempts.
CoinDesk and Stuff both reported incidents of someone using the pseudonym Team GrayFlay demanding alleged Ashley Madison users send about $450 US (or about $590 Cdn) worth of Bitcoin or have their alleged infidelity exposed to their significant other.
What's the corporate hit?
The company, too, may have some financial troubles ahead.
Lawyers launched a class-action lawsuit, representing Canadian victims. They're seeking some $760 million in damages. Avid Life Media indefinitely postponed Ashley Madison's upcoming initial public offering in London. The company hoped to raise up to $200 million US.
Ashley Madison is conducting an independent investigation to determine "the origin, nature and scope of this attack."
The RCMP, the Ontario Provincial Police, the Toronto police and the U.S. Federal Bureau of Investigation are all looking into the breach, according to Avid Life Media, which says it's fully co-operating with all four agencies.
Unless those investigations find the people responsible, there is the potential that Impact Team may leak more data — should they not have released it all already.
Avid Life Media has not revealed how much about what sort of data was stolen in the breach, although it has assured its clients that full credit card numbers were not taken, saying it has never stored that information.
With files from The Associated Press, the Canadian Press, Reuters