
What’s in the Ashley Madison Database Hackers Released Online?

Lee Jin-man/AP File Photo

The hackers who claimed to have stolen every bit of data from Ashley Madison, a dating website intended for adulterers, have made good on their promise to release the full database if the site didn’t shut down.

Identifying themselves as Impact Team, the hackers have made available a frighteningly vast amount of data on Ashley Madison’s users and inner workings. Impact Team produced the information Tuesday, August 18, through the Tor network, a sort of parallel internet or “dark web” that keeps all traffic data anonymous.

Impact Team's announcement.

Quartz downloaded the files. We won’t reveal any identifiable information but were able to confirm aspects of the data.

Despite some initial skepticism about the veracity of the leak, researchers are now starting to agree that it is real. Several Ashley Madison users have vouched for the last four digits of their credit cards as listed in the leaked database. One researcher even claims to have found that a listed credit card is “still valid” and in “daily use.”

The breach contains data on 32 million Ashley Madison users, including names, usernames, addresses, phone numbers, and birth dates. The data also include users’ descriptions of themselves, often revealing their intentions in using the site—things like “I May Be Spoken 4 But I Speak 4 Myself” and “Let’s start as friends…”

It also reveals several million individual credit card transactions that went to Ashley Madison. Each of these indicates the name of the person involved, their address, the last four digits of their credit card number, and the amount paid, among other information. Here is a sample transaction, with every piece of data changed—keep in mind there are over 9 million more of these:

| Column | Value |
| --- | --- |
| AMOUNT | 72 |
| AUTH CODE | 294722 |
| CARD ENDING | 7382 |
| FIRST NAME | 37592837 |
| LAST NAME | SOME NAME |
| DATE | 6/20/14 0:00 |
| CITY | NEW YORK |
| COUNTRY | US |
| EMAIL | EXAMPLE@EXAMPLE.COM |
| STATE | NY |
| CONSUMER_IP | XX.XX.XXX.XXX |

It doesn’t stop there: The hack also contains members’ login information, meaning their username and password. Fortunately, the passwords are well enough encrypted that it would be a significant challenge to unlock all of them in one go. But because there is enough data elsewhere to find a specific individual’s username, it would be very easy to target a specific person and decrypt their password.

As researcher Robert Graham noted, the vast majority of users appear to be men, at least by their own identification when signing up. Graham counted “28-million men to 5 million women,” but added that “glancing through the credit-card transactions, I find only male names.”

That’s backed up by the most common username: “Talldarkhandsome” was the chosen moniker of 32 Ashley Madison users.

Ashley Madison does not verify the authenticity of users, including their email addresses, so the account information is only as real as people wanted it to be when signing up. Many of the most common last names in the data, for example, are just single letters, as well as “Doe.”

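| “Last name” | Number |
| --- | --- |
| M | 343 |
| B | 305 |
| S | 302 |
| C | 244 |
| D | 233 |
| A | 205 |
| H | 171 |
| G | 166 |
| Doe | 161 |
| L | 154 |
| K | 146 |
| P | 143 |
| R | 132 |
| J | 132 |
| T | 124 |
| W | 118 |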

Impact Team originally said it targeted Ashley Madison because its parent company, Avid Life Media, had deceived users by charging $19 to delete their information for good and then not actually deleting it. (That claim couldn’t immediately be verified.) The hackers said they would release the database if Avid Life Media didn’t shut down for good. The company kept operating Ashley Madison and a related site, EstablishedMen, after the hack.

Avid Life Media issued this statement about the release of its database:

This event is not an act of hacktivism, it is an act of criminality. It is an illegal action against the individual members of AshleyMadison.com, as well as any freethinking people who choose to engage in fully lawful online activities. The criminal, or criminals, involved in this act have appointed themselves as the moral judge, juror, and executioner, seeing fit to impose a personal notion of virtue on all of society. We will not sit idly by and allow these thieves to force their personal ideology on citizens around the world.
