HACKING

Ashley Madison Cheat Sheet: Everything You Need To Know About The Data Dump

The details behind the data leaked by hackers from affair website Ashley Madison

Aug 19, 2015 at 1:00 PM ET

Hackers have finally released personal information on about 32 million user accounts from affair website Ashley Madison, a month after threatening to divulge the names and email addresses if the site didn’t go offline. Here’s what we know so far.

The data was released as early as Sunday

The data, which includes names, usernames, email addresses, phone numbers, credit-card information and transactions dating back seven years (Hydraze & Friends Blog), was released as early as Sunday on Reddit, the deep web and various torrent file-sharing services. (KrebsonSecurity)

It consists of data on about 32 million users

The leak amounts to a 9.7 gigabyte SQL database of information and includes data on some 32 million users. Some 28 million of those users are male, with just five million women and two million accounts have no identifiable gender, according to a Vocativ analysis.

The data also includes profile captions and a range of other identifying information including age, eye color, height, weight, preference for men or women and whether or not the user drinks alcohol or smokes.

The data includes emails linked to the White House, NASA and the Vatican

Lots of users appear to have used work email addresses to sign up for Ashley Madison, with reports claiming 15,000 of these are U.S. military and government addresses, including those of executives in high-level positions. There are also email addresses linked to the White House and NASA, as well as the Vatican and the United Nations. (Sky News)

Passwords are encrypted but may still be crackable

Passwords in the leak appear to have been encrypted using one of the most secure methods, called the bcrypt algorithm for PHP. However, the CEO of security website Erratasec, Robert Graham, said “hackers are still likely to be able to ‘crack’ many of these hashes in order to discover the account holder’s original password.” This means hackers could target accounts that are live and pull further data, including private correspondence with other Ashley Madison users. (Wired)

Users really are from all over the world

The city with the most Ashley Madison accounts is Sao Paulo, Brazil, with almost 375,000 users, followed by New York with nearly 270,000, and Sydney with 250,000. Toronto, home of Ashley Madison’s parent company, Avid Life Media, is the fourth-biggest market, with almost 223,000 users. (Dadaviz)

This isn’t the first time data has been leaked

Since the hacking group Impact Team released a sample of the information on July 19 along with a threat to release the full database, there have been “30 to 80” data dumps on a daily basis that claimed to include Ashley Madison user data, according to Ashley Madison’s founding chief technology officer Raja Bhatia. (KrebsonSecurity)

Hacking experts think this batch of data is likely real

The data on about 32 million users roughly correlates with the customer count quoted on AshleyMadison.com of 38 million. Hacking expert Per Thorsheim claimed that some credit-card information in the data is “still valid” and in “daily” use. The website Krebs on Security, which reported the first details of the hack on July 19, spoke to “three vouched sources” who confirmed they found their own information and last four digits of their credit-card numbers in the database. They also stated that a series of “free” accounts created before the hack took place were present in the database. (KrebsonSecurity)

Avid Life Media has confirmed the data’s authenticity

Spokesman for Avid Life Media Paul Keable told Reuters on Wednesday: “There has been a substantial amount of postings since the initial posting, the vast majority of which have contained data unrelated to AshleyMadison.com, but there has also been some data released that is legitimate.” However, Keable denied that credit card information had ever been stored on the website’s servers. “Furthermore, we can confirm that we do not – nor ever have – store credit card information on our servers,” he said. (Reuters)