Share This article

Last month, hackers claimed to have penetrated Ashley Madison’s backend security and made off with critical information, including email addresses, client information, the various fantasies of said clients, and credit card billing data. The group stated that unless Ashley Madison agreed to shut down, they would release the trove of records online. Normal dating sites don’t typically attract this kind of ire, but Ashley Madison differentiates itself from the typical OKCupid or Match.com site by explicitly marketing to people who want to cheat on their spouses.

Ashley Madison has been previously accused of failing to delete user data and charging $20 to perform a marginally more effective deletion, doesn’t inform users that they may be contacted by computer-generated profiles for “entertainment” purposes, and has a significant gender imbalance issue (70% of site users are men) that isn’t typically explained to new customers. These issues, combined with alleged security mismanagement, are supposedly why hackers working under the name of The Impact Team targeted the site. As of today, the entire 10GB database is available for download via a Tor onion site.

Security analysts and researchers have already begun combing through the data, which includes information that shows an estimated 15,000 .mil and .gov email addresses in the millions of other consumer records. So far, credit card records don’t appear to have been stolen, just some of the information, but it’s not clear what might be lurking in other areas. Ashley Madison might actually get strong marks in one regard; Wired reports that the site used bcrypt to shield its user accounts. Bcrypt is a much slower encryption method than some of the others in wide use and was designed to be difficult to crack. Difficult, however, isn’t the same thing as impossible — weak passwords should still receive some protection from Avid Life Media (the owner of Ashley Madison)’s choice in encryption methods, but it’s not going to prevent people from penetrating files over the long term.

Impact Team defended their decision to release this information by placing most of the blame on Avid Life Media itself. Ashley Madison claims to have secured its websites and databases from future intrusion, but of course that’s going to be cold comfort to anyone already hacked in this attack. There’s no word yet of any particularly juicy finds, and since Ashley Madison didn’t perform email verification, it’s always technically possible that people lied to preserve their own identities when signing up for the service. Even so, this information could send shockwaves through a lot of marriages over the next few weeks and leave divorce lawyers whistling all the way to the bank.

Read more http://www.extremetech.com/computing/212552-hackers-expose-10gb-database-of-32-million-ashley-madison-subscribers-divorce-lawyers-cheer