If Ashley Madison breach is authentic, fallout catastrophic for lives and careers

20 Aug 2015

Security researchers say the Ashley Madison data dump is authentic, leading to consequences for the 33m users of the cheating website.

The Ashley Madison database dump containing usernames, passwords, credit card details, street addresses and more has been verified by researchers as authentic, leading to major legal consequences for Avid Life Media (ALM) but also personal and professional consequences for the 33m users of the cheating website.

The website boasted that it gave married people the ability to seek potential partners for affairs in a private and secure way.

However, a hacker collective calling itself the Impact Team attacked the site, claiming it was a scam because the majority of its users were male and objecting to the morality of the service, and dumped 10GB of compressed data on the Tor network.

In recent days, ALM hit out at the attackers and left open the possibility that the data could be fake. However, security researchers have found that the data could be legitimate, spelling consequences for 33m users worldwide.

‘This dump appears to be legit. Very, very legit’
– DAVE KENNEDY

Security researchers and media who created accounts on Ashley Madison have found that the details they submitted are contained in the dumped database, confirming that 33m people’s details are now online. These include 115,000 Irish users of the site, with Ireland ranked 10th per capita globally on the list of worldwide members seeking opportunities to cheat, The Irish Times previously reported.

The consequences for ALM could be devastating, opening the company up to a litany of lawsuits from people who were assured their data was protected.

Consequences for individuals who used the website could be just as devastating: the data could serve as evidence of willingness to commit adultery, leading to divorce, hurt for spouses or simply embarrassment.

It could also be professionally devastating for some users — according to the data dump some 15,000 users were members of the US military.

A full-scale compromise of Ashley Madison’s infrastructure


“The database dump appears to be legitimate and contains usernames, passwords, credit card data (last four digits), street addresses, full names, and much much more. It also contains an extensive amount of internal data which looks like the hackers had maintained access to their environment for a long period of time,” Dave Kennedy from TrustedSec said in a blog post.

“This included a full domain dump of corporate passwords (NTLM hashes) of the Windows domain of the company, PayPal accounts and passwords for the company, internal-only documents, and a ton more.

“The biggest indicators to legitimacy come from these internal documents, much containing sensitive internal data relating to the server infrastructure, org charts, and more. This is much more problematic as it’s not just a database dump, this is a full-scale compromise of the entire company’s infrastructure, including Windows domain and more.

“Regardless of ethics, this is a massive data breach where attackers had full, and maintained, access to a large percentage of Ashley Madison’s organisation undetected for a long period of time. Ashley Madison has not commented on the original source of the breach, how it occurred, or how they were compromised.

“This dump appears to be legit. Very, very legit,” Kennedy said.


John Kennedy is a journalist who served as editor of Silicon Republic for 17 years
