HACKING

What Security Experts Want You To Know About The Ashley Madison Hack

Some websites are already offering access to the full list of names and emails from the leak, but a community of security experts is offering more responsible solutions

(Photo: Dreamstime, Photo Illustration: Robert A. Di Ieso/Vocativ)
Aug 19, 2015 at 12:30 PM ET

Security experts online were hard at work Wednesday attempting to ensure that the data released from the Ashley Madison hack would be used as responsibly as data about millions of potential adulterers could possibly be.

The hackers initially released the data they gleaned from Ashley Madison on a site viewable only through Tor, the anonymity-providing web browser. Since the posting, security experts have been working to order the database in a way that allows potentially affected users to see if their accounts are included in the leak but still keep the data private.

One popular site is HaveIBeenPwned, which allows people to see if any kind of personal account has been breached. The site is operated by Troy Hunt, a cyber security specialist. Ashley Madison users who may have been affected can sign up to be notified if their information is included in the hack, but only users who have “verified their email address will be able to discover if they were in the breach due to the sensitivity of the data,” the site says.

The immediate response was huge.

[Update: At 5pm, Hunt said in a direct message on Twitter that “about 20K have signed up and verified since the leak.”]

Crucially, Hunt has not made the site accessible to all internet users. “I don’t believe it’s responsible to make all the AM accounts discoverable by anyone,” he wrote. “Yes, they will be through various other routes anyway, but I’m not prepared for HIBP to be the avenue through which a wife discovers her husband is cheating or something even worse happens.”

Still, sites are beginning to pop up that are not as responsible with the leak.

In addition to websites that allow people to search any email address they like, on Reddit, a user called I-Have-The-AM-Data posted a thread in which they offered to tell people if they appear in the database. “Ask me your questions here, if it’s feasible I will answer your questions,” the user wrote. “If it will reveal anything personal please [personal message] me your questions.”

One complicating factor in going through the database is that Ashley Madison didn’t make users verify their accounts, or the emails they used with them. As a result, some of the names and email addresses that appear in the database are almost certainly fake, or belong to people who didn’t actually sign up. “I could have created an account at Ashley Madison with the address of barack.obama@whitehouse.gov, but it wouldn’t have meant that Obama was a user of the site,” security expert Graham Cluley noted.

As the information becomes more and more accessible to regular internet users the world over, another cyber expert offered a note of warning: