Ashley Madison Data Breach Dump
The Ashley Madison data breach dump a few days ago has had a profound impact on many people whose email and personal information may be associated with this data dump. The release of personal information for 32 million registered users of AshleyMadison.com, a website for connecting people who want to have affairs, is likely to also have long lasting impact on the cyber security landscape. Massive data breaches have been routine over the last couple of years as I mentioned in other blog posts. The Ashley Madison data breach differs as it focused on identifying compromising information which affects people’s lives other than financially. And this is proving to affect a wide range of regular everyday people.
It seems like every media publication has jumped all over this story as they begin analyzing the data and going on a witch hunt to try to identify high profile news worthy men who they can tie to the data breach. The morality of this whole issue can be read in other articles. But I wanted to get some information out to our readers on some of the home cyber security ramifications related to this data breach.
The data released by the hackers includes names, addresses and phone numbers submitted by users of the site. It’s unclear if members provided legitimate details. A sampling of the data indicates that users likely provided random numbers and addresses, but files containing credit card transactions will yield real names and addresses, unless members of the site used anonymous pre-paid cards.
Once the data was finally released by the hackers, this became probably one of the biggest scarlet-letter witch hunt in the history of the world. It’s amazing how much the media has pounced on the release of information and combed through all of the data. I have seen information breakdowns on the number of accounts per state, number of accounts per educational institution, even number of accounts per professional sports franchises. I have seen stories in media of high profile people coming out that they are members of the Ashley Madison website and explaining why they have an account there, including GOP executives, YouTube sensations, and TV personalities.
There are several stories where people are providing reporters stories on how they are being affected by the breach with, including mistresses and wives of cheaters. Radio stations have threatened to release the names of local members of the site. This just shows how information on the internet can spread quickly for the world to see and how media likes to exploit these data breaches and drum up stories with no concern on how it affects everyday folks.
Many sites have popped up offering to check an email address to determine whether the email address was one of the 32 million that was released in the breach. I am not providing the links in this blog post because I do not want to promote the witch hunt currently going on. If the readers want to find out where to go to see if your spouse email is part of the data breach, these sites can easily be found on Google.
The one site I would recommend though is “Have I Been Pwned”, a site that tracks major data breaches around the Web not just the Ashley Madison Breach. “Have I Been Pwned” just finished loading more than 30.6 million e-mail addresses into its database. But unlike the other sites, however, “Have I Been Pwned” will only share data from the Ashley Madison leak with users who have verified their e-mail address with the service and subscribed for notifications. In other words, “Have I Been Pwned” will not allow suspicious spouses, nosy co-workers or other passerby to see if someone else was an Ashley Madison user. It will only allow the actual user to check if his or her name was included in the leak. I have used this site to verify my emails haven’t been compromised by all the other data breaches that have happened. This is a site I would recommend to everyone, not just those exposed by the Ashley Madison Hack.
The following are the key things I want to stress to our readers who may be considering downloading the data or visiting sites to determine if an email is associated with the Ashley Madison data dump:
- Ashley Madison’s sign-up process does not require verification of an email address to set up an account. Therefore, legitimate addresses might have been hijacked and used by some members of the site. For example, one data dump showed the official email address belonging to former UK Prime Minister (Tony Blair).
- If you simply must search the list, the safest way to do so is to go to one of the multiple searchable database sites that have been created using the stolen data or using “Have I Been Pwnd” as I mentioned above. But, cyber criminals can easily set up fake sites offering to check an email address to gather your email address for malware threats later. Also, many sites claim to have the leaked database are fake and the information is inaccurate and are used to download malware and viruses.
- To access the actual leaked data to download, it is potentially dangerous if those who are curious don’t know what they are doing. The actual database that was released can only be accessed by the Dark Web and requires some technical know-how. The Dark Web is a series of networks accessible only by running specific software and, in some cases, with specific authorization. Running this software to download the databases could expose your computer to spyware, viruses and theft of your personal information. Therefore, I do not recommend our readers download the actual database. I for one, only access the Dark Web with a laptop that is dedicated to my security work and has no connection to my personal data.
- The Ashley Madison database is actually considered stolen property. Therefore, it’s most likely illegal to have the database. Downloading it is legally the same as downloading a pirated movie. Now it is highly unlikely that the police or Ashley Madison lawyers would come after you for downloading the data base, but that does not change the fact that it’s still illegal. And if anyone tries to use this data for extortion or blackmail, then that would definitely be breaking the law.
- According to security firms and to a review of several emails posted on the internet, extortionists already see easy pickings in the leaked Ashley Madison user database. Members of Ashley Madison know that life would be “incredibly disrupted” if extortionists made good on their threats and release the information to someone’s significant other or employer. Therefore, they are more likely to pay the ransom and are easy targets for extortionists.
- Cyber criminals most likely will be leveraging the Ashley Madison data to conduct spear-phishing attacks aimed at delivering malicious software such as ransomware, a different type of extortion threat that locks the victim’s most treasured files with a secret encryption key unless and until the victim pays a ransom. The same criminals who enjoy deploying ransomware would love to use this data to get people to click on links that downloads the ransomware code.
- The leaked Ashley Madison data could also be useful for extorting U.S. military personnel and potentially stealing U.S. government secrets, experts fear. Some 15,000 email addresses ending in dot-mil (the top-level domain for the U.S. military) were included in the leaked Ashley Madison database, and this has top military officials a little concerned. Criminals may also target spouses of people whose information are included on the data base to infect the spouse as a way to eventually steal information from the real target.
- Members might have joined the site years before when they were single and be shocked that they still have their details in their database. People curious about the site likely created dummy accounts to see what it was all about. Some might have joined the site out of curiosity or for a laugh or even to find out if someone else was on the site, never seriously planning to take things any further. The lesson here is that once anyone puts anything on the internet, the records are probably kept on some server somewhere forever, and there is always a possibility of that server being compromised.
- Certain employers will react negatively to the knowledge that their employees were using the site, and people could lose their jobs as a result. Government employees who could become subject to blackmail; schoolteachers in more conservative districts; elected officials; CEOs — all of these could face professional consequences, along with anyone else who has a morals clause in their employment contract. This is a good lesson for people to learn, that people need to keep their work life separated from their home life with respect to their IT equipment and emails.
- It’s rather shocking that people wouldn’t use fake emails, and pseudonyms. This seems really straight forward for a community of people who regularly cheat on their spouses. I really hope all the Ashley Madison members who used their work email, government email (i.e. 15,000 .gov or .mil addresses associated with the breach), or primary or work email account to sign up for membership on the Ashley Madison site would learn some basic home cyber security common sense. This would have probably saved them from a lot of agony coming up, with the possibility of lost jobs, broken relationships, and becoming targets of cybercrimes in the future.
The Ashley Madison hack is good lesson for the home user concerning the privacy of information online. Cheating spouse or not, the users of Ashley Madison deserve privacy as much as anyone else. The simple painful truth of the matter is that whatever is online is not guaranteed to be private. We are currently living in a world where we can expect more of our communications to eventually be made public, unless we abandon all of our online activity. The Internet may resemble Las Vegas in many respects, but what happens on the internet does not stay there. It is very difficult to hold companies responsible when they fail to protect our data. Unless we can pressure companies to purge our data more on a regular basis, it seems hopeless that we can limit our exposure risk in the likelihood of an eventual hack.
In summary, the most important thing that I see from this Ashley Madison data breach dump is the power of the Hackers on major companies and everyday people. Avid Life values itself at $1 Billion, but with numerous civil class action lawsuits against the company and the damage to the company’s credibility, I will be surprised if Ashley Madison and similar websites will survive. Hopefully, this breach leads other companies to adopt better privacy and security practices. But if we’ve learned anything from the never-ending series of data breaches, it’s that over a long enough time period, all sites are likely to fall victim to hackers. The key points for the home users are to understand the threats that these hacks present and learn how to minimize the effects of these inevitable hacks.