What’s in the Ashley Madison Database Hackers Released Online?

The hackers who claimed to have stolen every bit of data from Ashley Madison, a dating website intended for adulterers, have made good on their promise to release the full database if the site didn’t shut down.

Identifying themselves as Impact Team, the hackers have made available a frighteningly vast amount of data on Ashley Madison’s users and inner workings. Impact Team produced the information Tuesday, August 18, through the Tor network, a sort of parallel internet or “dark web” that keeps all traffic data anonymous.

Quartz downloaded the files. We won’t reveal any identifiable information but were able to confirm aspects of the data.

Despite some initial skepticism about the veracity of the leak, researchers are now starting to agree that it is real. Several Ashley Madison users have vouched for the last four digits of their credit cards as listed in the leaked database. One researcher even claims to have found that a listed credit card is “still valid” and in “daily use.”

The breach contains data on 32 million Ashley Madison users, including names, usernames, addresses, phone numbers, and birth dates. The data also include users’ descriptions of themselves, often revealing their intentions in using the site—things like “I May Be Spoken 4 But I Speak 4 Myself” and “Let’s start as friends…”

It also reveals several million individual credit card transactions that went to Ashley Madison. Each of these indicates the name of the person involved, their address, the last four digits of their credit card number, and the amount paid, among other information. Here is a sample transaction, with every piece of data changed—keep in mind there are over 9 million more of these:

It doesn’t stop there: The hack also contains members’ login information, meaning their username and password. Fortunately, the passwords are well enough encrypted that it would be a significant challenge to unlock all of them in one go. But because there is enough data elsewhere to find a specific individual’s username, it would be very easy to target a specific person and decrypt their password.

As researcher Robert Graham noted, the vast majority of users appear to be men, at least by their own identification when signing up. Graham counted “28-million men to 5 million women,” but added that “glancing through the credit-card transactions, I find only male names.”

That’s backed up by most common username: “Talldarkhandsome” was the chosen moniker of 32 Ashley Madison users.

Ashley Madison does not verify the authenticity of users, including their email addresses, so the account information is only as real as people wanted it to be when signing up. Many of the most common last names in the data, for example, are just single letters, as well as “Doe.”

Impact Team originally said it targeted Ashley Madison because its parent company, Avid Life Media, had deceived users by charging $19 to delete their information for good and then not actually deleting it. (That claim couldn’t immediately be verified.) The hackers said they would release the database if Avid Life Media didn’t shut down for good. The company kept operating Ashley Madison and a related site, EstablishedMen, after the hack.

Avid Life Media issued this statement about the release of its database:

This event is not an act of hacktivism, it is an act of criminality. It is an illegal action against the individual members of AshleyMadison.com, as well as any freethinking people who choose to engage in fully lawful online activities. The criminal, or criminals, involved in this act have appointed themselves as the moral judge, juror, and executioner, seeing fit to impose a personal notion of virtue on all of society. We will not sit idly by and allow these thieves to force their personal ideology on citizens around the world.