Well, in some sense, you have to hand it to the hackers who breached online cheating website Ashley Madison last month for being as good as their word. They warned the site’s parent company, Avid Life Media, that if it didn’t shut down the Web’s answer to Sodom and Gomorrah in the aftermath of the hack, they were going to release the names, nicknames, payment information and whatever else they had on the philanderers (and wannabes) who hang out on the site. Avid Life refused.
And now that data is up for grabs.
A 10-gigabyte file that is believed to hold emails, member profiles, credit card transactions and other sensitive Ashley Madison information went up as a BitTorrent download in the last 24 hours. The good people over at Ars Technica downloaded the whole shebang, and while it is clear so far that the information comes from some kind of clandestine dating site, there is nothing that draws an irrefutable straight line to Ashley Madison. User data included email addresses, profile descriptions, addresses provided by users, weight and height. Payment data was also up for grabs — though that has apparently been redacted, as card numbers and billing addresses do not appear.
The dump also included a series of cryptographically protected passwords, according to Rob Graham, CEO of Errata Security. The good news is that those passwords were protected with the bcrypt hashing algorithm, which is difficult for hackers to crack because each guess takes a lot of time and processing power. But bcrypt only slows guessing down, and since most people don’t use terribly strong passwords — 1234567 being a common favorite — odds are good that some people’s passwords will totally be pwned in the near future.
Ashley Madison officials have not yet fully confirmed that the data is genuine.
“We have now learned that the individual or individuals responsible for this attack claim to have released more of the stolen data,” they wrote in an email to Ars. “We are actively monitoring and investigating this situation to determine the validity of any information posted online and will continue to devote significant resources to this effort. Furthermore, we will continue to put forth substantial efforts into removing any information unlawfully released to the public, as well as continuing to operate our business.”
According to sources on 8chan and other sites where the dump is being discussed, some of the data appears to have been falsified, though how much remains under investigation.