Hackers have made us feel morally conflicted about everything from George W. Bush's majestic self-portraits to a fun Channing Tatum email, and now they've really topped themselves. On Tuesday a group calling itself Impact Team made good on its promise to release a huge cache of customer data stolen from Ashley Madison, a website for people looking to cheat on their spouses that claims to have 37 million members. Parent company Avid Life Media was hacked last month, and the New York Times reports that 9.7 gigabytes of data has been posted, including log-in details, email addresses, payment details, and encrypted passwords for members of Ashley Madison and its companion site Established Men. (A third site, Cougar Life, was hacked as well, but data on ladies seeking younger men was not included in the dump — so thank you, Impact Team?) The information first appeared on the dark web, which means its beyond the scope of your typical internet browser, but searchable databases have appeared online and are currently being combed for famous names.
Of course, the hackers argue their theft and privacy breach is completely justified. Impact Team demanded that Ashley Madison and Established Men be taken offline permanently, and the group objected in its initial statement to ALM's claim that customers could have their profile erased completely. ALM charged $19 for the service, but it allegedly kept the customer information on file. "Too bad for those men, they’re cheating dirtbags and deserve no such discretion," the hackers wrote last month. "Too bad for ALM, you promised secrecy but didn’t deliver."
In a statement posted online, ALM said it's working with law enforcement in the U.S. and Canada, where the site is based. "This event is not an act of hacktivism, it is an act of criminality. It is an illegal action against the individual members of AshleyMadison.com," the company said. "The criminal, or criminals, involved in this act have appointed themselves as the moral judge, juror, and executioner, seeing fit to impose a personal notion of virtue on all of society."
Before you start searching the name of every married person you know, you should be aware that there's a chance the data dump isn't real. ALM confirmed the breach last month, and several people have said the data posted online matches known Ashley Madison profiles, including Gawker's Sam Biddle:
it’s definitely real, I made an account on AM once when I was covering online dating stuff for gizmodo and my email is in there— Sam Biddle (@samfbiddle) August 19, 2015
But Fusion called every number in one of the files, and the only working number belonged to the wife of Ashley Madison founder Darren Morgenstern. He suggested the file was a list of dummy accounts the company used years ago for "quality control and market research."
Raja Bhatia, Ashley Madison's original chief technology officer, told Krebs on Security that the latest leak has not been verified. He's been consulting for the company since the hack, and this wouldn't be the first time a fake Ashley Madison dump appeared online. "On a daily basis, we’re seeing 30 to 80 different claimed dumps come online, and most of these dumps are entirely fake and being used by other organizations to capture the attention that’s been built up through this release," Bhatia said. "In total we’ve looked at over 100GB of data that’s been put out there. For example, I just now got a text message from our analysis team in Israel saying that the last dump they saw was 15 gigabytes. We’re still going through that, but for the most part it looks illegitimate and many of the files aren’t even readable." Yet, Krebs thinks the dump is real:
I’m sure there are millions of AshleyMadison users who wish it weren’t so, but there is every indication this dump is the real deal.— briankrebs (@briankrebs) August 19, 2015
Aspiring cheaters still have some possible excuses. Ashley Madison has been accused of creating thousands of fake profiles; plus, as Wired notes, the site does not require email verification during sign-up. That means some people whose names appear in the dump might have had their email address submitted without their knowledge. (So let's give former U.K. prime minister Tony Blair the benefit of the doubt.)
This post has been updated throughout.