What is the Ashley Madison data leak?
On August 19th a hacker group called The Impact Team released a download of a huge amount (9.7Gb) of data stolen from the Ashley Madison website servers. It contains a lot of personal, private information about the site's members. The group put it on the TOR Dark Net, and it was quickly shared on torrent sites like The Pirate Bay.
Infidelity is generally perceived to be BAD
Your wife or husband may be extremely upset that you sought out an affair and may terminate your marriage. This will probably create an extremely expensive and painful crisis in your life.
Your children may be negatively affected if they find out you sought out or had an affair.
Infidelity is generally considered to be socially repugnant even if your partner accepts it. If your employer, friends, peers and others become aware that you went on a website to seek out an affair, they may think less of you. Don’t fool yourself. You may even get fired or passed over for future promotion.
How will anyone find out I was on Ashley Madison just because the data was leaked?
The data is in a database dump format, but it is very easy for programmers to convert it into a browsable format behind a graphical website interface. THIS WILL HAPPEN. There are already tools for checking whether an email address is in the website database. These tools were quickly programmed and are being refined as we speak (https://ashley.cynic.al/, http://www.trustify.info/check and others).
What will come next?
It is just a matter of time before someone makes a website that hosts profiles for all of the usernames and associates them with their email addresses and real names. So it is our prediction that in a couple of weeks you will start to see websites showing up if you Google your name which show your dirty pictures, fantasies, maybe chats and any other information that you entered into Ashley Madison. THIS WILL HAPPEN.
What data is out there?
- Millions of credit card transaction records including full billing name, address, city, last 4 digits and billing email address.
- Creation date and last updated date
- Membership status and type of account (listed as a 0, 1, 2, or 3)
- First name and last name (at least, the one given) and nickname
- Street address, including city, province/state, zip/postal code, and in many cases even the latitude and longitude corresponding to the address.
- Up to three phone numbers, including work and mobile (if provided)
- Gender (approximately 27 million male-identified and 4.4 million female-identified accounts, which is about a 6-to-1 ratio with 2 million not provided)
- Date of birth
- Profile caption (examples include "Sexy beast." and "Like Long Walks On The Beach.")
- Weight and height, the latter of which seems to be listed in centimeters
- Certain attributes (ethnicity, body type, whether you drink or smoke, what you're initially seeking, and what your relationship status is) are listed as just a number instead of a full text value. There's no key provided, but certain numbers can be discerned in context (e.g. ethnicity "1" seems to be white, while "3" is Asian).
- What you're open to, what you're looking for, and what turns you on — all listed as an array of numbers (corresponding to a menu of options - which we have), a self-submitted description, or a combination of the two.
- Security questions (listed as a number; for example "2" might represent what high school you went to) and answers (in text)
Do you want your profile like this coming up when your boss or children Google you?
- Have you been maliciously added to the Ashley Madison website by an enemy or competitor?
- Did you legitimately sign up for the website in a moment of weakness but now your marriage is fine and you are scared of the consequences?
- Are you worried about being embarrassed professionally due to your private sexual fantasies being released to the public?
We share your concern regarding the Ashley Madison leak and have developed a service to protect your name.
Our Ashley Madison Leak Protection Service
- Have the data queried (through a third party) and provide a full report of all of your exposed data, if any.
- Perform our Personal Suppression service to fill your first page of Google with other information to prevent Ashley Madison leak information from reaching the first page and damaging your reputation.
- Clean up mentions of your name wherever possible.
- Provide expert advice to help you navigate the waters as the impacts of this leak progress.
$3,000 CAD + taxes per month. Month to month. No commitment required.
In the first month we will provide a report with all information in the leak and offer you a strategy to protect yourself. We will also answer your questions related to your exposure. Additional months will be required to execute the defense strategy.
Our service will dramatically improve your professional online reputation in addition to protecting you from the impacts of the leak.
Call us if you have any questions that are not answered above: (416) 934-5023
Frequently Asked Questions
- ~June 28th: The Impact Team (IT) finalizes their data dump in preparation for going public with their hack.
- ~July 12th: Ashley Madison (AM) is made aware of a hack on their systems.
- July 18th: The public is made aware of the AM hack.
- August 18th: The first data dump is made. (This is the bad one for users, but it also includes a lot of internal AM info.)
- August 20th: The second data dump is made. (This one is mostly source code and internal information on AM; basically nothing of interest to users.)
- August 21st: The third data dump is made. (This is the one with NB's emails. Bad stuff here for him, not you.) Motherboard publishes an interview with someone from IT.
- August 24th: TPS holds a press conference to answer questions. A $500,000 CDN reward is offered for information.
- August 26th: Brian Krebs publishes an article that implies a possible, but unverified lead.
- August 28th: NB steps down as the CEO.
Am I identifiable?
It depends on how much personal info in your profile was real. If it was vague, you used a burner email, and never paid for anything, you're almost certainly safe.
What if I paid with a CC?
You are probably identified in the first data dump. However, only the last 4 digits of your card MAY be there. No full credit card info is available. How much PII is there seems to vary from just a name in some cases, to full name, address, email, etc.
What if I paid with PayPal or gift/prepaid card?
You are probably safe, though your account data may indicate you were possibly a paid member. There appears to be no PII on the accounts that used PayPal though. THIS DOESN'T NECESSARILY APPLY IF YOU USED A PAYPAL ISSUED CREDIT/DEBIT CARD. A card is still a card and is processed the same regardless of who issued it, meaning you exposed yourself. When I say "paid with PayPal," I mean you specifically used the PayPal service itself.
What if I used the paid delete?
See above. Paid delete didn't actually remove your account records, and your payment info is likely stored if you used a CC. If you used paid delete with PayPal, most info on you is gone, though there's still a record that your account existed, but many fields just got replaced with '<paid_delete>'. That's not a problem for you though, since no one should have any way to connect those dots back to you. Unless you used a CC. Because the reality is, profile data alone isn't much good for identifying people unless you were super stupid in your profile details. It's the payment paper trail that's nailing users.
How far back does data go?
Account related data that was compromised appears to run from 1/26/2002 until 2/23/2015. Credit card transaction data runs from March 21, 2008 up to June 28, 2015. This means any RECENT (after Feb. 23) registrant that didn't pay is almost certainly NOT in the dump. Likewise, EARLY accounts might be there, but if you didn't pay for anything after early 2008, there's very likely no PII on you in there.
I'm pretty sure I paid with a CC, but I don't seem to show up. Why?
Luck? Bad memory on your part? Maybe you searched poorly? Probably luck. There are SOME gaps in the CC transaction data dump. It's possible you just got lucky and landed in one of those dark spots. Maybe the AM system glitched and didn't record it properly. Maybe the process IT used to pull data wasn't 100% reliable. Who knows? If you aren't there and genuinely expected to be, count it as a blessing. Don't ask why though, because there isn't an answer to that. Only guesses.
How accurate is the location data?
Not very. If you moved your account location around to check different areas, you likely have at least two different zip codes associated with your account (whatever you put in when you registered, and whatever you last had on the account settings - they were stored separately). Lat/Long data in the dumps are based on those zip codes and won't show exactly where you sit. AM did NOT use HTML5 geolocation data. Accounts can and in many cases do have a confusing mix of zip codes, cities, states, and IPs.
What about pictures and messages?
At this time, these are NOT available. IT has implied they have SOME of this data, but apparently not all. They have also indicated it may be selectively released. It is unclear if they also have the data to link photos to accounts, though it's likely they do. The interview they gave implied a huge number were dick pics that they had no interest in releasing, but the overall number of pics they said they had seemed very small for the number of accounts out there.
The only "messages" out there are internal emails and communication from the company.
When will X happen?
WE DON'T KNOW. IT is going to do whatever they want to do. They may feel like the mission has been accomplished. Maybe not. It's impossible to tell. They may be identified and arrested, maybe not. They may focus on burying the company, they may spray data everywhere and let users continue to be collateral damage. We don't know what we don't know, which is a lot, so don't ask.
Why is AM still open/Why is Site X still up?
Because they are.
Where is "that site" where I can see if I'm posted?
On the internet somewhere. Don't ask for the links. Don't share the links with people asking. You're only helping spread exposure of given sites that way. If you can't find it, that's a good thing. There are a couple of well-documented sites where you can check your email address in the dump; otherwise, you don't need to see the other sites. Either you're compromised, or you aren't. If you really want to know, get the data yourself and look. Otherwise it doesn't matter if you show up on "that site" versus "that other site."
If images are released, but I had no other PII, how screwed am I?
On a scale of 1 to 10: pecan tree. Depends on your account data and how search sites tie it all together. People have repeatedly mentioned reverse image search, but while that's great on an individual image basis, it's pretty hard to do in a bulk manner in a way that could bring it back to you. If you're that worried, just remove the images that you might have posted elsewhere. The odds of someone randomly browsing tens of thousands of photos and recognizing your specific face are pretty much zero, so chill out.
Aren't cheaters getting what they deserve?
No. First, let's start by pointing out that two wrongs don't make a right. Second, plenty of people on the site were single, in open relationships, or swingers. Third, taking pleasure in others' pain and suffering is a pretty equally sick thing to do, especially if families are involved, and even more so if people had long since moved past the problems that sent them to the site to begin with. Fourth, plenty of people may be held to account for being on the site BEFORE whatever relationship they are in now. Using the site wasn't illegal. And different people can have VERY different definitions of what constitutes cheating. Is going to a strip club cheating? Is having a conversation? Is meeting someone for a drink? Different people will interpret all those differently, and it's between those couples to define their limits; the mob doesn't get to decide.
To protect against photo reverse image search, is a full delete of the account sufficient or do they have to be removed separately before?
No way to know without having IT's data. Too many variables depending on when they pulled information and how. Profile data in the dump DID indicate how many public and private photos were available. If I were to guess, if you removed the photos prior to IT pulling data, you may be safe. But based on how AM handled OTHER data it's reasonable to assume they may have retained all image data and references, and just flagged them as either active or not. So in the end, see above, we don't know what we don't know, and there's not enough available information to piece together more than a guess.
If you really want to protect against reverse image search, make whatever images you used private everywhere else they're shared.
Can you tell me if X is in the dump?
Yes, we have a service for that. Sign up above.
How do we report a site sharing the data?
Depends on where it is. If it's on social media, all sites like Facebook, Twitter, etc. have means of reporting content that violates their TOS, and sharing the AM data most definitely violates it for most sites. If it's a website, use a 'whois' tool on the domain to find out who's hosting it, go to the host's site, and find their reporting tool. Again, the site probably violates the host's TOS. However, keep in mind, sites hosted in other countries may not be subject to US or CA rules.
How do we DDoS sites hosting the AM data?
You don't. Don't do that. Don't ask how. If you have to ask, then you aren't technically savvy enough to do it and will potentially expose yourself to criminal prosecution as well. As above, two wrongs don't make a right, and executing a DDoS attack can get you prosecuted in most places. That doesn't mean it's likely the police will show up at your door, but why risk that, really?
I saw a site offering to help forge data to make it look like it wasn't me using the site, should I use it?
No. Hell no, man. Come on. You were already stupid enough to use AM, and stupid enough to feel like you need someone to help you cover your exposed tracks. Don't be so stupid as to give an unknown third party MORE money and info on yourself. If you're exposed, damage done. You can't pay someone to go back in time. Don't pile lies on lies. If consequences come your way, take them and deal with them like the man (or the very unlikely woman) you are.