Stolen data from the Ashley Madison infidelity dating site includes approximately 10,000 email addresses belonging to government officials or workers with .gov addresses. The Daily Beast reviewed the files and found accounts linked to the email addresses of members of the National Security Agency (NSA) and the Department of Justice (DOJ), as well as numerous officials from the Australian and British governments. The Daily Beast, however, cannot verify the authenticity of all the accounts yet.The data dump included 36 million email addresses for 33 million accounts, along with user names, first and last names, the last four digits of credit cards, personal IP addresses, street addresses, and phone numbers for a large number of them. In total, the hackers released 10GB of compressed data—a staggeringly large amount.On Tuesday night, Ashley Madison’s chief technology officer, Raja Bhatia, gave an interview to tech blogger Brian Krebs claiming there’s no evidence that the data dump is the real deal—a murky stance the company has been trying to sell since the hack was revealed last month. But The Daily Beast managed to make contact with six of the names on the list who confirmed their identities.
The leak not only included user data but also internal company documents pertaining to Ashley Madison and its parent company Avid Life Media, including Ashley Madison execs’ PayPal accounts, corporate passwords, company memos, loan agreements, a list of banks (with corresponding account numbers), office seating charts, and an internal document titled “areas of concern—customer data” that outlined how ALM was worried about “data leak/theft issues” and “system integrity,” such as a “web app remote code exploit in our codebase resulting in a man-in-the-middle attack where a hacker gains access to our customer’s billing/credit card information.”
The breadth of the internal files, along with the confirmed identities of several of the names included in the hacked data released online, strongly suggests that the data is legitimate, and that a hacking collective that calls itself the Impact Team has indeed carried out a full-scale hack on Ashley Madison the likes of which we haven’t seen since last year’s Sony hack.
While ALM and Ashley Madison have been tight-lipped about the suspected source of the breach, ALM chief executive Noel Biderman told Krebs last month that he suspected it was the work of a current or former employee.
“We’re on the doorstep of [confirming] who we believe is the culprit, and unfortunately that may have triggered this mass publication,” Biderman told Krebs. “I’ve got their profile right in front of me, all their work credentials. It was definitely a person here that was not an employee but certainly had touched our technical services.”
Back on July 15, tech blogger Brian Krebs revealed that a hacking collective calling itself Impact Team had “completely compromised” adultery website AshleyMadison.com’s user databases, financial records, and more. According to Impact Team, one of the reasons they targeted Ashley Madison is because of its “full delete” feature—where, for the price of $20, the site said it would completely wipe all of the user’s data. The hackers claimed that this function, which allegedly netted Ashley Madison’s parent company ALM $1.7 million in revenue in 2014, was “a complete lie,” and that user data remained on their database.
Well, it looks like the hackers have been proven correct. On Tuesday evening, Impact Team released all of the hacked Ashley Madison data online, along with a message:
“Avid Life Media has failed to take down Ashley Madison and Established Men. We have explained the fraud, deceit, and stupidity of ALM and their members. Now everyone gets to see their data. Find someone you know in here? Keep in mind the site is a scam with thousands of fake female profiles. See ashley madison fake profile lawsuit; 90-95% of actual users are male. Chances are your man signed up on the world's biggest affair site, but never had one. He just tried to. If that distinction matters. Find yourself in here? It was ALM that failed you and lied to you. Prosecute them and claim damages. Then move on with your life. Learn your lesson and make amends. Embarrassing now, but you’ll get over it.”
In the meantime, there are still millions of names and corresponding email addresses to sift through, including “many rich and powerful people,” according to Impact Team. Stay tuned.