The personal data of more than 37 million people was posted online Tuesday after hackers attacked AshleyMadison.com, an online dating service for married individuals to cheat on their partners, security experts confirmed to BuzzFeed News.
The hackers (or hacker), calling themselves The Impact Team, promised to release the "secret sexual fantasies and matching credit card transactions, real names and addresses," in a threat that now seems to have been fulfilled. Security experts who reviewed the data said "there was every indication that the data is real," and urged anyone who has used a credit card on the site to immediately contact their bank.
Troy Hunt, a security researcher who operates the website Have I Been Pwned?, which allows people to check if their email addresses are being hawked, told BuzzFeed News he was updating his site with the emails of those breached in the Ashley Madison leak.
"We have multiple indicators that this is legitimate. There are things here that are just too hard to fabricate," said Hunt. "We haven't seen yet what the attack vector was used to hack the Ashley Madison site. It will be very telling if there was a low-hanging vulnerability, and that the site exposed all its millions of users by not securing something straightforward."
Brian Krebs, who runs the well-known blog Krebs on Security, wrote that he had received independent confirmation of the authenticity of the breach.
In either case, the breach could be a watershed moment for those advocating for greater internet privacy, added Hunt.
"Certainly for those involved it will be a watershed moment. Perhaps at the very least it will start some discussion about the expectation of privacy online, and using real identities on these types of services," said Hunt.
Among the millions of email addresses posted online are many accounts linked to .gov and .mil domain names, reserved for people who serve in the government and military, respectively. Many company email addresses were also used, ranging from defense contractors to Silicon Valley startups. Ashley Madison, however, did not require email accounts to be verified, so there is no way to check whether the addresses entered on the site were entered by their actual owners.
Ashley Madison's parent company, Avid Life Media, released a statement which is available in full below.
Brendan Klinkenberg is a tech reporter for BuzzFeed News and is based in San Francisco.
Sheera Frenkel is a cybersecurity correspondent for BuzzFeed News based in San Francisco. She has reported from Israel, Egypt, Jordan and across the Middle East. Her secure PGP fingerprint is 4A53 A35C 06BE 5339 E9B6 D54E 73A6 0F6A E252 A50F