18
Aug 15

Was the Ashley Madison Database Leaked?

Many news sites and blogs are reporting that the data stolen last month from 37 million users of AshleyMadison.com — a site that facilitates cheating and extramarital affairs — has finally been posted online for the world to see. In the past 48 hours, several huge dumps of data claiming to be the actual AshleyMadison database have turned up online. But there are precious few details in them that would allow one to verify these claims, and the company itself says it so far sees no indication that the files are legitimate.

Update, 11:52 p.m. ET: I’ve now spoken with three vouched sources who all have reported finding their information and last four digits of their credit card numbers in the leaked database. Also, it occurs to me that it’s been almost exactly 30 days since the original hack. Finally, all of the accounts created at Bugmenot.com for Ashleymadison.com prior to the original breach appear to be in the leaked data set as well. I’m sure there are millions of AshleyMadison users who wish it weren’t so, but there is every indication this dump is the real deal.

Original story:

A huge trove of data nearly 10 gigabytes in size was dumped onto the Deep Web and onto various Torrent file-sharing services over the past 48 hours.  According to a story at Wired.com, included in the files are names, addresses and phone numbers apparently attached to AshleyMadison member profiles, along with credit card data and transaction information. Links to the files were preceded by a text file message titled “Time’s Up” (see screenshot below).

The message left by the latest group claiming to have leaked the hacked AshleyMadison.com database.

From taking in much of the media coverage of this leak so far — for example, from the aforementioned Wired piece or from the story at security blogger Graham Cluley’s site — readers would most likely conclude that this latest collection of leaked data is legitimate. But after an interview this evening with Raja Bhatia — AshleyMadison’s original founding chief technology officer — I came away with a different perspective.

Bhatia said he is working with an international team of roughly a dozen investigators who are toiling seven days a week, 24 hours a day just to keep up with all of the fake data dumps claiming to be the stolen AshleyMadison database that was referenced by the original hackers on July 19. Bhatia said his team sees no signs that this latest dump is legitimate.

“On a daily basis, we’re seeing 30 to 80 different claimed dumps come online, and most of these dumps are entirely fake and being used by other organizations to capture the attention that’s been built up through this release,” Bhatia said. “In total we’ve looked at over 100GB of data that’s been put out there. For example, I just now got a text message from our analysis team in Israel saying that the last dump they saw was 15 gigabytes. We’re still going through that, but for the most part it looks illegitimate and many of the files aren’t even readable.”

The former AshleyMadison CTO, who’s been consulting for the company ever since news of the hack broke last month, said many of the fake data dumps the company has examined to date include some or all of the files from the original July 19 release. But the rest of the information, he said, is always a mix of data taken from other hacked sources — not AshleyMadison.com.

“The overwhelming amount of data released in the last three weeks is fake data,” he said. “But we’re taking every release seriously and looking at each piece of data and trying to analyze the source and the veracity of the data.”

Bhatia said the format of the fake leaks has been changing constantly over the last few weeks.

“Originally, it was being posted through Imgur.com and Pastebin.com, and now we’re seeing files going out over torrents, the Dark Web, and TOR-based URLs,” he said.

To help locate new troves of data claiming to be the files stolen from AshleyMadison, the company’s forensics team has been using a tool that Netflix released last year called Scumblr, which scours high-profile sites for specific terms and data.

“For the most part, we can quickly verify that it’s not our data or it’s fake data, but we are taking each release seriously,” Bhatia said. “Scumblr helps accelerate the time it takes for us to detect new pieces of data that are being released. For the most part, we’re finding the majority of it is fake. There are some things that have data from the original release, but other than that, what we’re seeing is other generic files that have been introduced, fake SQL files.”

Bhatia said this most recent leak is especially amusing because it included actual credit card data, even though AshleyMadison.com has never stored credit card information.

“There’s definitely not credit card information, because we don’t store that,” Bhatia said. “We use transaction IDs, just like every other PCI compliant merchant processor. If there is full credit card data in a dump, it’s not from us, because we don’t even have that. When someone completes a payment, what happens is from our payment processor, we get a transaction ID back. That’s the only piece of information linking to a customer or consumer of ours. If someone is releasing credit card data, that’s not from us. We don’t have that in our databases or our own systems.”
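The check Bhatia describes (a dump holding full card numbers cannot come from a system that keeps only transaction IDs), combined with the known-account check from the update above, as an added example that is not from the original article or from the company's investigators. The seed accounts, verdict labels, sample dumps and all function names are assumptions constructed for illustration.

```python
import hashlib
import re

# 13-19 digits, optionally grouped with single spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_full_pans(text: str) -> list[str]:
    """Return full card numbers found in text, masked to the last four digits.

    A long numeric ID passes Luhn by chance about 1 time in 10, so hits are
    a triage signal to review, not proof on their own.
    """
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append("*" * (len(digits) - 4) + digits[-4:])
    return hits


def email_hash(addr: str) -> str:
    """Seeds are compared as hashes so the watch list holds no plaintext."""
    return hashlib.sha256(addr.strip().lower().encode()).hexdigest()


def seeds_present(text: str, seed_hashes: set[str]) -> set[str]:
    """Hashes of known pre-breach accounts that appear in the claimed dump."""
    return {email_hash(e) for e in EMAIL.findall(text)} & seed_hashes


def triage(text: str, seed_hashes: set[str]) -> dict:
    """Classify a claimed dump using two independent signals.

    foreign    - full card numbers, none of our known accounts
    mixed      - our known accounts plus data we never stored
    consistent - our known accounts, nothing we never stored (escalate)
    unverified - neither signal present
    """
    pans = find_full_pans(text)
    seeds = seeds_present(text, seed_hashes)
    if pans and seeds:
        verdict = "mixed"
    elif pans:
        verdict = "foreign"
    elif seeds:
        verdict = "consistent"
    else:
        verdict = "unverified"
    return {"verdict": verdict, "full_pans": pans,
            "seeds_found": len(seeds), "seeds_total": len(seed_hashes)}


# Constructed sample data: accounts the defender knows existed before the breach.
SEEDS = {email_hash(a) for a in ("seed-01@example.test", "seed-02@example.test")}

# Constructed: shaped like a store that keeps last four digits and a transaction ID.
DUMP_A = """email,last4,txn_id
seed-01@example.test,1111,TXN-8f3a2c
seed-02@example.test,4242,TXN-19bd07
other@example.test,0005,TXN-77aa10
"""

# Constructed: full card numbers (public test numbers) and no known accounts.
DUMP_B = """name,email,card
J Doe,jdoe@example.test,4111 1111 1111 1111
A Roe,aroe@example.test,5500-0000-0000-0004
"""

if __name__ == "__main__":
    for label, dump in (("A", DUMP_A), ("B", DUMP_B), ("A+B", DUMP_A + DUMP_B)):
        print(label, triage(dump, SEEDS))
```

The "mixed" verdict corresponds to the pattern Bhatia reports in fake dumps: files from the original release padded with data taken from other hacked sources.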

A screen shot of the archive released recently that many believe is the leaked AshleyMadison database.

I should be clear that I have no idea whether this dump is in fact real; I’m only reporting what I have been able to observe so far. I have certainly seen many people I know on Twitter saying they’ve downloaded the files and found data from friends who’d acknowledged being members of the site.

Nearly every day since I first reported the exclusive story of the Ashley Madison hack on July 19,  I’ve received desperate and sad emails from readers who were or are AshleyMadison users and who wanted to know if the data would ever be leaked, or if I could somehow locate their information in any documents leaked so far. Unfortunately, aside from what I’ve reported here and in my original story last month, I don’t have any special knowledge or insight into this attack.

My first report on this breach quoted AshleyMadison CEO Noel Biderman saying the company suspected the culprit was likely someone who at one time had legitimate access to the company’s internal networks. I’d already come to the same conclusion by that time, and I still believe that’s the case. So I asked Bhatia if the company and/or law enforcement in Canada or the United States had apprehended anyone in relation to this hack.

Bhatia declined to answer, instead referring me to the written statement posted on the company’s site today, which noted that the investigation is still ongoing and that the company is simultaneously cooperating fully with law enforcement investigations, including by the Royal Canadian Mounted Police, the Ontario Provincial Police, the Toronto Police Services and the U.S. Federal Bureau of Investigation.

“This event is not an act of hacktivism, it is an act of criminality. It is an illegal action against the individual members of AshleyMadison.com, as well as any freethinking people who choose to engage in fully lawful online activities,” the statement reads. “We know that there are people out there who know one or more of these individuals, and we invite them to come forward. While we are confident that the authorities will identify and prosecute each of them to the fullest extent of the law, we also know there are individuals out there who can help to make this happen faster.”

Readers should understand that if this dump does turn out to be legit, just finding someone’s name, email address and other data in the archives doesn’t mean that person was a real user. As the above-mentioned Graham Cluley points out, AshleyMadison never bothered to verify the email addresses given to it by its users.

“So, I could have created an account at Ashley Madison with the address of barack.obama@whitehouse.gov, but it wouldn’t have meant that Obama was a user of the site,” Cluley wrote. “Journalists and commentators would be wise to remember that the credentials stored by Ashley Madison must be considered suspect because of their shonky practices, even before you start considering whether any leaked databases are falsified or not.”


376 comments

  1. I’ve confirmed on a couple of sites that my burner email address is in the data. But my PayPal email address is not, and I never paid AM directly via credit card, I only used PayPal. Since AM doesn’t keep your name in your actual profile, my guess is that my real name and address are not in the dump. I’d love to confirm, though, but I can’t find a name-searchable version. And that torrent is legally (and probably virally) toxic – might as well download child porn.

    Anyone know where to search by name?

    • Can you explain why that torrent is legally toxic? I’m kind of new to this and I want to understand why you couldn’t download it and, as you said, it would be the equivalent of dl-ing child porn. Thanks!

    • Relax. If you paid with PayPal, your real name and associated email are *not* in the dump. All other info, such as AM username, burner email, profile blurb, kinks etc. are. Go have a beer, life is too short. PS. Don’t cheat on your SO ever again.

      • ExtenuatingCircumstances

        Can anyone else confirm what Robot posted here regarding the possible anonymity of paid AM users who paid via PayPal?

        • No Paypal data on the dump.

          I put all the .csv files into a single MySQL table to easily look at the data – all the files are formatted the same: Only users who paid by using a CC directly on Ashley Madison are visible. If you used a third party service such as Paypal then you are safe.

      • Thank you!! Put me at ease as I only used Paypal!!!

  2. Over 15,000 accounts were affiliated with a .gov or a .mil address.

    Some 6,788 accounts used us.army.mil emails, while the Navy and the Marines accounted for 1,665 and 809, respectively.

    45 to the Department of Homeland Security.

    According to the data dump, there are 44 accounts using a WhiteHouse.gov email address. However, White House officials actually use a different domain, eop.gov, noted The Hill.

    And best of all: “It appears to contain addresses, as well as GPS coordinates. I suspect that many people created fake accounts, but with an app that reported their real GPS coordinates,” wrote Robert Graham, CEO of Errata Security, adding that the data in the dump “appears legit.”

    https://www.rt.com/usa/312875-govt-emails-ashley-madison/

    So they even have your gps data

    • What about folks who used iTunes or Apple in the app to buy?

      What about photos or chats

      • Did you read the arstechnica link and the rt link? It really doesn’t matter because even if they don’t have your iTunes etc. and you logged in they could still have your GPS data. I didn’t hear about photos or chat logs so that I wouldn’t know, but they have the internal emails from the company. Also I think this is more about trying to destroy the company instead of going after the users.

        • Understood. I have seen the info and the gps was smack in the middle of a zip code which I gave as a false one

  3. It’s all very interesting.

    And by interesting, I mean in the Chinese sense of the word. What I actually mean, is terrifying. Using various methods, I’ve discovered my name and credit card is in the data. This presumably means my postal address and zip is too.

    I’m not asking for sympathy. However, in my case the truth of the matter is I joined that site when I was going through a rough patch in my marriage. I messaged a few people, but never met up with anyone, nevermind had extramarital sex. It was exciting for a while, but ultimately I stopped using it. My marriage is now good.

    I was particularly naive about the credit card info – I know that now.

    But I have children. They live at that address. I’m absolutely terrified that it could be used to do them harm. This feels like a ticking time bomb and I’ve embarked on a road which has only one ending.

    • I’m in the exact same boat as you and I’m terrified. I never cheated, didn’t meet or chat with anyone, only a few relatively innocent commiserating emails all during a period when my wife and I were talking about splitting. That was years ago and now I feel like my life is about to completely unravel, ESPECIALLY for my kids. I’m disgusted with my self, but the hackers had no right — moral or otherwise — to do this.

    • sickening. You deserve everything that comes your way. Too bad you threw your wife and children under the cheater bus you drive around town. I suggest you become the father and husband your family needs you to be. The truth always comes out in the end. Always…..

      • The thing is Bob, I’ve already told my wife.

        So now my question for you is – do my kids deserve it? Or is their potential suffering just necessary collateral in order to torment me?

        Struggling to see the bedrock in that moral high ground you’ve found yourself on, Bob.

  4. For your information: On Thu, 20 Aug 2015 14:51:13 (UTC) I received a bogus DMCA takedown notice regarding https://sintonen.fi/ashley-madison/ website.

    Apparently Avid Dating Life Inc. (“Avid”) has problems understanding geography and copyright law (Finland and Germany are still not part of United States of America. Also I do not host any copyright infringing material or violate Avid’s Intellectual Rights in any way).

    No action will be taken and the service will continue to be available as usual.

    • Sir, do you know if the transaction files contain personally identifiable information for those who paid via PayPal? Thank you

      • I’m a user of the site and downloaded the data.
        Here’s what I have found out:

        1) There are 4 major data sets in here: 3 contain member/profile data and 1 contains a comprehensive list of all credit card transactions from March 2008 through June 2015.

        The Credit card transaction data has real names, real mailing addresses, last 4 digits of the credit card and type of credit card, the email associated with the account, the “member number”, and the transaction amount and date.

        The credit card data is all in CSV files (one for each day) and are super easy to examine by opening in Excel. To find the right files to open, use grep.

        1) I do not believe that any PayPal transactions were in the credit card transaction archive. I checked with several of my AM “friends”, and the ones who paid with PayPal don’t have their transactions listed anywhere in those files (not their real name, nor their AM throwaway email, nor their PayPal account email).

        Those poor SOBs (like me) who paid via credit card, the transaction data is all in there.

        2) While the credit card data is easy to search, it does not automatically get you the person’s profile. You’d have to get all this in a database and query it by “joining” the email or membership ID in the CreditCard Transaction table with one of the other data sets with profile info.

        So far, I’ve not found my email or membership ID in the profile data dumps.

        3) I don’t believe there are any photos or messages between members in these data dumps. However, my examination of the data is slow because my personal laptop is pretty underpowered for going through such huge datasets.

        • Why would a female user on AM have credit card transactions?

          • Why pay as a female? Here:

            1) If you want that “full delete”, where all your photos and notes are removed from other users’ message boxes, you had to pay $19.

            2) I think they might have changed this, but you needed to buy credits to message women. Yes, most of the people messaging women were men. But I wanted to message women too because I am bi. So I bought some credits.

            • Understood. Never personally paid for the full delete because I assumed having a credit card and address on file was more damning than the profile I created.

              • Turns out you were far smarter than me. I’d probably be okay if I had done that because the only transaction about me in the dump is the $19 full delete. The other credits I bought to message women are not in the dump because I used PayPal.

                Ugh.

        • Hmm, I’m not sure I follow.

          My burner email address shows up in searches on haveibeenpwned, but my credit card + name isn’t available on https://sintonen.fi/ashley-madison/.

          I’m not sure what to make of it. I believe I’ll need to get the dump and check everything myself.

          • I’ve had the same problem. I’ve been searching through the dump for the past 6 hours and haven’t found my email or any of my details. Obviously there is something in there somewhere and I just can’t find it. If anyone has any tips on how to better search through the dumps I would welcome them. So far I’ve been using Ctrl+F searches and not finding my own details. I tried using TextCrawler to scan through the credit card transaction files and I still have not found a thing.

        • So even if burner email, cc and real name are in there – you’d have to do quite a bit of work to join them to the actual user profile?

    • Thank you for your site. It’s a troubling time for anyone like us who couldn’t resist signing up to see. If your credit card is found does that mean that they have all of your information even if you did a full delete? Address and such?

      • Yes, unfortunately, the data is still there even if you did full delete. Ironically, the only credit card transaction I did with AM was to pay for the full delete ($19) because I wanted all my messages to be removed from other members’ message boxes.

        However, that one $19 transaction is the only credit card transaction I did, and the only thing that links my AM profile to my real identity. If I hadn’t done the full delete, I’d be in the clear, because female members are usually free.

    • @yet another leak tester, I used your link and my credit card was a hit. I used this stupid site once because I was bored and it was entertaining. I used my CC one time for the minimal credits. I deactivated account with most credits remaining because fat ladies started sending me stuff. You seem pretty knowledgeable. I’m a pretty regular guy thrown into a database with millions of people and millions of CC transactions. I did use a burner email. How worried should I be? Nobody is searching for me other than me.

  5. I never used the app. Just the website. Will they still have my GPS? I guess they have my address anyway though…

    • At this point we know the leak is real and that they have released a lot.
      I would recommend that instead of trying to find out how much they have on you and others, you would do better by demanding that Ashley Madison inform their customers what has happened and what they will do (even if they can’t do anything about the leak, the least they can do is inform their customers what they have on them and which data is in the wild now).

      • I burnt the email and closed the AM account. A few years ago. How would they tell me?

        • If you canceled your account anytime from August 2008 forward and paid the “data wipe” fee, all of your billing information is in the transaction db dumps.

    • I’m in the same boat. I used that site once a few months ago and have one CC transaction. I used my personal CC because I was checking out the site out of sheer boredom, not to cheat. I had heard about that site so much I decided to check it out. I bought the minimal amount of credits because you can’t really do anything if you don’t. I did have some pleasantly plump ladies contact me so I deactivated the account with most of the credits remaining which goes to show you how interesting it was. Yes people on there cheated but a lot of people were on there just like me.

  6. Here’s the bogus DMCA notice in its entirety:

    https://sintonen.fi/ashley-madison/bogus-dmca-takedown-notice.php

    Note the mistakes:
    – The service is not hosted in USA or by US company
    – The notice links to incorrect site (the other similar site)
    – The notice demands takedown of an image (there are no images on the site)
    – The notice claims that I host copyrighted material (I don’t, in fact the notice is required to explicitly list the infringing material… it does not, since there is none).

    I can only conclude that Avid Dating Life Inc is in full blown panic mode and is attempting scare tactics to take down anyone or anything regarding this incident. Unfortunately US companies (such as Twitter) are forced to comply with the DMCA notices, regardless of how absurd. No such problem for me, luckily.

    • Better watch out or they’ll shut down your .com or .net address… that you don’t use since you’re not in the US…

      I would guess that their lawyers found existing boilerplate language for DMCA and simply did a copy & paste rather than actually read & interpret what was written (as an added bonus they probably billed AM for time spent reading & interpreting it). In short, they really need to hire a new law firm. A competent one this time.

    • I actually appreciate your service. Lets you check out an email without revealing anything other than if it’s there.

      My story, I actually created a guest account back in 2006 or 2007 before I got together with my current wife because someone told me cougars hung out there. Never filled out the profile, never did anything but log in once and search (no transactions or anything) then thought I closed the account… The women were terrible. This was before Tinder etc. I don’t even think I had a Facebook account yet.

      I’m sure I’m not the only one who did this… Is there a join or last active date field in the data? What are the fields in database format for the account details dump file? How is it sorted by default? I used an email that was valid because it wasn’t a problem for me at the time I registered the account. It’s a secondary email, and someone would really need to search me out depending on what the raw data looks like after it’s imported.

  7. The $250 “affair guarantee” that Josh Duggar paid, which Ashley Madison says “increase[s] your chances of having an affair from possibly to definitely or your money back” and the hackers’ claim that “90-95% of the actual users are male” tells me that Ashley Madison is really nothing more than an escort agency. How else can Ashley Madison “guarantee” an affair?

    • If you give me $500 I’ll guarantee you’ll have an affair too.*

      * This is not a guarantee.

  8. what if you paid through paypal?

  9. I have downloaded the dump via BitTorrent and mined the data as I have the expertise to do so. I can confirm all the earlier reports that it is real, as it does have my account information – although I have never used any real data (address, name, email etc) in any interactions with AM.

    What the dump seems to not have is PayPal transactions, as I was unable to find my original purchase with them two years back. So it would appear that if you only used PayPal to pay them, you are *possibly* in the clear. BUT: I just found out the hard way that if you paid for your credits with PayPal, AM most likely set itself up as a preapproved merchant in your paypal account. How, you ask? Well, I have a couple of paypal accounts, so I just logged in to AM see which one it would prompt me to log in to, to investigate further if that account’s info is in the dump. It DID NOT – the payment just went through automatically! Obviously, as soon as I realized I just paid them again to do my own security audit, I went into the paypal account, and deactivated the preapproval. I *strongly* recommend that anyone who has ever used PayPal go into their account and do the same. Here’s how: when you log in, click on the gear icon on top, then scroll down to the payment settings. Then click on the preapproved payments link. ADL MEDIA should be listed there – make sure the status says Inactive.

  10. I’m in the same boat. I only made one payment when I set it up to have a look around. I never entered any personal information and used a burner email. I used PayPal. So now I’m wondering how much information would be there? I believe PayPal does send your name with the transaction but nothing else. Any idea what might be there?

    • It sends your name and email address with each payment – enough to destroy your life as you know it I suppose, if both are real. Now I myself don’t need a security breach to AM for that to happen – all that’s needed is for my SO to look at the recent charges on the credit card linked to my PayPal account and ask to explain the transaction… though chances are pretty low it would actually happen as I don’t receive paper statements.

      But there’s a way to anonymize your PayPal account which involves migrating it to a business account, then you can use a fictitious name/email address for your payments.

      • Yes, I was concerned that Paypal does send your name and email. But if yours didn’t appear in the dump, then hopefully AM didn’t maintain a record of that information. I only get my statements electronically as well.

        • Great info. I was lucky enough to use the app and never used a laptop or desktop for anything. All purchases were made via iTunes. It looks as if nothing from Apple or iTunes got sent over as well.

        • Interested Party

          I paid by paypal (one-time, 5.5 years ago) and my burner email associated with the AM account is in the dump but my email associated with paypal is not. So it appears that AM either did not receive the paypal email or did not store it.

      • So I’m curious, what of your details are visible in the dump data? As you used Paypal I assume no name and no main email address. Was it only the account information you had filled out when you set up your account?

        • I didn’t use PayPal, I used iTunes, and Apple was adamant weeks ago and recently that no data gets sent to third parties. Any info that was on your page is what is in the leak, I believe.

  11. Excellent information, thank you! I had only paid with Paypal as well and only one transaction. I checked my Paypal account and saw ADL Media but it was already inactive. Very helpful information. Please post any updates if you learn any more. Greatly appreciated.

  12. Trying to post again here. Thankfully I used iTunes via the app to buy credits. Never used PayPal or anything like that. So I believe I’m in the clear according to Apple. Not to mention the GPS wasn’t even close to accurate as to where I made the purchase. I saw my info in the leak and it was all accurate but inaccurate, if you catch my drift.

  13. Any tips on what to expect if one’s name and address is in the file? All email addresses were burners, but my charges (including the BS removal fee) are clear as day in there. I’m expecting some form of blackmail via email (maybe postal?). Wonder if I need to expect letters arriving in the mail from the moral police.

    Any suggestions about damage control? My spouse had given me the green light as long as she didn’t know about it. I’d prefer to keep things under wraps if possible.

    I’m guessing there’s not a damn thing I can do except wait…for years upon years.

    • Just close the credit card you paid with, and pretend it never happened. No sense in living in fear… you probably don’t have as much to lose as a lot of others whose data was leaked anyway.

      • You’re right about not living in fear, but I’m a paranoid by nature. The CC was actually closed within months of that charge, so I have no worries from that point of view. It’s just the feeling that yeah, I screwed up and these chickens are going to come home to roost. Nobody to blame but myself, but it’s still a crummy thing for the hackers to do to people.

  14. AND the second dump is out there:

    Hackers behind the breach of the Ashley Madison cheater’s dating service have released a second, much bigger dump of sensitive materials that includes a massive amount of e-mail from its parent company’s CEO Noel Biderman.

    Interesting enough—if this turns out to be legitimate which it in all aspects appears to be—having full source code to these websites means that other hacker groups now have the ability to find new flaws in Avid Life’s websites, and further compromise them more.

    If there was any question to the validity of the data before – those should be removed now.

    And still there is no word from Ashley Madison

    Source:
    http://arstechnica.com/security/2015/08/2nd-dump-from-ashley-madison-hack-is-2x-includes-ceo-e-mail/

  15. Don’t we have to live in fear? It’s just matter of time before everyone knows that you were on that site…

    • Yep, it is just a matter of time. When all of your friends, neighbors, and co-workers know about your private life, then you’ll just have to own it. Don’t create a drama about it and wait for it to blow over. Sucks, but this toothpaste sure isn’t going back in the tube.

  16. I’m sure appreciating all the info here. I don’t have the technical expertise to download the dump (also concerned about the legality of that). But I’m similar to a few others here. I checked the fake email I used setting up the account and it appears to be there. But I did use PayPal and that email address comes up negative. So, I’m hoping the PayPal information is not involved. I really wish I could check the dump but I don’t think it’s legal?

  17. Just thinking, with so many real names tied to legit emails, the bad actors out there are sure going spear phishing. If you’re on the list, opening emails may be a bit of a lottery!

  18. Hope you all know you’re F**ked, I have assembled all the datasets and it’s amazing what info is in here, be prepared for Facebook and social media pages for your area posting your information. You all deserve it, I feel bad for your spouses.

    • Thanks for trolling – I am sure not only have you not assembled anything, you don’t even have the raw data at your disposal, or the minimum skills needed to acquire it.

      Why was this message not removed by the moderator, anyway?

  19. People, don’t worry too much about blackmail etc., the only ones other people will probably out or blackmail are the people who signed up with their .gov and .mil email for obvious reasons.

  20. I paid for service using my credit card with my full name and street address. I assume I’m pretty hosed?

    • Also, I presume that all of this data will eventually be user-friendly searchable at some point?

      • Hopefully not. Anyone who does that makes themselves as sleazy as the hackers, AM, or its userbase…Depending on your point of view as to which of the three groups deserves blame.

        Seriously, why push for more public shaming that has already been done?

  21. I agree with Andres. Won’t names associated with addresses be searchable for everyone? And then someone just has to type in a city (for example) and the list of people who used cc will come up

    • This will all die down eventually. The public has a short attention span. And even if there is a site that isn’t taken down, people will need to be actively searching for it and then searching for you. Just seems like too much effort and then the legality of broadcasting to the general public you have a database full of stolen information. Unless you’re affected or searching for a spouse, who the hell cares what people are doing in their personal lives. People who aren’t affected are not at home right now thinking about Ashley Madison.

      • Soon, you will be able to search by zip code, and nosy bodies in your neighborhood will then go down the list to see who in their zip code is listed. We are screwed and I never even screwed anyone.

      • On balance, I’m happy to see this breach.

        I expect that a lot of people will be burned in some way by this. What, 39 million or so, depending on the story? That is a lot of human suffering, so how on earth could I not mind it?

        The thing is, large-scale breaches happen all the time. I work in the security industry, and I will be the first to admit that I simply cannot reach some people about the possible consequences of their actions. Seriously, if I had brought this scenario to you before the fact, would you have considered it as credible, or written me off as a security nut-case?

        A story like this *will* reach a serious portion of that audience. And being written off as a security nut-case gets so very old, day in and day out, by people who are vulnerable, but absolutely *will not listen*.

  22. Once the dust settles on this one (from the looks of the comments it might be a long time) it will be interesting to see if this company survives in any form.

    I’d like to think it is curtains for AM – if the company were public I’d be on my brokerage account right now trying to locate shares to short it to zero.

    Compare with the Target and Stratfor credit card heists – arguably these were minor in comparison to AM. Both were embarrassing but not devastating to their customers the way this is. The usual damage control strategy for a major breach is to send out some mea culpa letters, fire the CTO and offer free credit monitoring.

    That ain’t gonna cut it here.

    In this case the “service” offered by AM has been revealed to be completely incapable of delivering the advertised discretion, not to mention the fact that the data dump reveals 90% of the clients were men and the CEO is a pathological liar.

    I particularly find amusing the way the company is spraying out DMCA notices like a drunk with a fire hose. Those notices are not worth the paper they’re written on outside the US and we all know what a stupid strategy it is to try to sue to stop the spread of information (it worked so well for the RIAA!).

    The only thing that might save AM is the fact that its clients will be too embarrassed to litigate in a class action or other suit.

  23. Folks, this is bad. Very bad. No way around it.
    Yes, I agree, the public has a short attention span, but in the meantime the damage will be done. It only takes a few internet savvy friends and family to out you, then the word will spread. I joined the site out of curiosity with no intention of cheating on my spouse. And now here I am, on pins and needles, scouring the internet every minute, losing sleep, waiting to see if a site pops up where one can easily search by name or address.
    Of course I hope that doesn’t happen, but I’m preparing for my scarlet letter.

    • Same here. This is so depressing. I never cheated. I’m claiming stolen credit card. Used it once.

  24. My contact info was one time,
    and my cc was one time too, with no name on the card.
    Where could I d/l the payments csv, to see whether the full card no is there?

  25. A few thoughts from someone caught up in this BS and hopefully some words of encouragement for my fellow AM friends. First, while this all seems like “oh sh*t, the sky is falling” I think the reality of getting actually outed in this thing is slim, unless ur a celeb, politician or someone w/ some kind of fame. This dump is massive and unless you have an above average aptitude w/ the web/data it’s almost impossible to mine. Yes there are linked searchable databases but Avid appears to be doing a good job of shutting them down almost immediately. Will there be one someday, possibly, but it’s still gonna require a specific search specifically for you. So unless ur already under suspicion or in divorce proceedings you should be ok. This info will live on the dark web and that’s a very narrow audience. I’m more concerned with a complete identity theft right now. If any expert on here has another opinion, please feel free to contribute.

    Ps. I joined when Avid was a prospective client (I work in online media) years ago and “browsed” but did nothing. Still I’m out there so good luck to us all.

  26. How do you find the dump to search it for yourself?

  27. You all need to relax! If you never cheated then you have nothing to worry about! Now if you actually signed up, paid money and never cheated that has some explaining to do if caught. If you cheated, well sucks to be you.

    I, like probably 15 million other users, signed up like a boss with fake info but did use an old old email account, but not a soul in this world knows it or it’s mine. Never paid a cent, or used CC, but my Email came up. The only thing that bugs me out is all this GPS zip code talk….really? It will all be over and never talked about again in a few months peeps!

  28. This is amazingly laughable! You people need to wake up!

    Who cares who had sex with who or who tried to? Everyone has sex and/or sexual desires. The only reason for any of this to be used for blackmail or anything embarrassing is to prove to YOU that YOU already have something that means something to YOU. There is nothing about Ashley Madison that is required to show you this unless you’re just so dense and thick in the head that you can’t see it. When people don’t care anymore, it doesn’t matter. But the mere fact that this discussion reaches the lengths that it does should show you that you actually DO still care. So grow up and deal with your life as you have made it within the choices that YOU have made.

    There is so much more going on here and you people seem completely blind to it. This has NOTHING to do with any particular person, at least as far as anyone not connected to the hackers themselves. Maybe they just got pissed off about something that someone did to them. But even that really is NOT the point.

    Don’t you people see? This is a database that can be used to create or add to a dossier on other people. All you have to do is put two and two together. Everything you do in this life is being tracked, monitored, and recorded. Just what is it that you really think all those server farms are for?

    Haven’t any of you been reading this website at all? We have real problems here and THIS is what you’re worried about?

    How on Earth can we fix (or even grasp) our security problems when the only thing any of you are concerned with is not getting caught trying to get off?

    I find it funny that you’re all so concerned about what the world will learn about you from Ashley Madison and yet most people couldn’t care less about every little detail of their life getting plastered all over Facebook and Twitter. WTF!!!

    How can any of you honestly assert any level of common sense regarding credit card hacks, department store breaches, ATM and gas pump hacks, or keeping the files on your computer virus free when you so obviously get so careless with your life to become part of Ashley Madison and all its insanity? Never mind that it is primarily about cheating (on the surface anyway).

    You are ALL being played!

    If you’re going to cheat……don’t be so naive, so reckless, so incredibly stupid as to use a website like Ashley Madison. This is about as ridiculous as online gambling.

    There are some real questions that need to be looked at here and all anyone can think about is themselves and their own idiotic mistakes. Is it any wonder things like Enron take place? Is it any wonder Target gets hacked? Is it any wonder computer virus infections spread to tens of thousands of machines within seconds? Is it any wonder we have Jerry Springer? Is it any wonder we have such a high divorce rate, such high levels of drug and alcohol use, and such high levels of suicide?

    Wake up and deal with the problem!

    • “This is amazingly laughable! ”

      I have not had an account at Ashley Madison, to get that out of the way.

      This is not funny in ANY way. I get what you’re saying about most people being stupid enough to believe that ANY internet activity is 100% secure, but the “they deserved it” vigilantism I see in many places is absolutely disgusting.

      For those who used .mil email addresses, adultery in the military is a court martial offense. Who knows how many families and careers will be destroyed from that alone.

      Then, think of all of the many families that may be destroyed that otherwise would not have been, how many more children of divorced marriages there will be.

      Finally, and most importantly, considering how many major hacks there have been, the list is the perfect vehicle to target individuals for destruction, placing personal data from other hacks into that list, perhaps overwriting the name, address, email, last four credit card digits portion of some actual member with that data or simply creating the entry if any site-specific member data created for an account can be synthesized.

      I know my information is out there. Besides being hit with credit card fraud, a monitoring service I use has indicated on several occasions that they found my information on data theft sites.

      • I’m not disagreeing. This is serious.

        But, continued use of Facebook and Twitter cannot be ignored. There are threats to be found online. Ashley Madison is only one. There is a reality to be faced when it comes to the Internet. Too many people get too lax in their daily lives and operate in a way that sets them up. I am not suggesting that people get what they deserve. I am suggesting that people wise up to what is really going on. That is the point in this website to begin with (I think).

        I knew about this site but had forgotten about it till this fiasco.

        I know there is a lot to lose…..that is why sites like Ashley Madison need to be avoided at all costs. It does no good to tout updates and get upset about Target while at the same time being part of AM.

      • The one thing I find enlightening about the Ashley Madison leak is that the hypocrites like Josh Duggar and the CEO of John Gray’s empire Mars Venus Coaching are on the list and being exposed. If you’re a cheater don’t go out and promote yourself as a devout Christian or promote books and seminars on monogamous relationships when you’re out screwing around on your wife. Don’t profit off of lying and cheating and putting yourself out there as something you’re not.

      • “For those who used .mil email addresses, adultery in the military is a court martial offense. Who knows how many families and careers will be destroyed from that alone.

        Then, think of all of the many families that may be destroyed that otherwise would not have been, how many more children of divorced marriages there will be.”

        Well then I guess they should have thought of that before they decided to try to be adulterers, no?

        • Even using the A-M site may be a violation of Article 134, the General Article, of the Uniform Code of Military Justice according to The Manual For Courts Martial 2012 at http://www.apd.army.mil/pdffiles/mcm.pdf (800+ page PDF)

          Article 134, sub paragraph 62(c)(2)(e) specifically addresses the misuse, if any, of government time and resources to facilitate the commission of the misconduct.

          Let us not forget, for officers, and officers-in-training, there is also Article 133 Conduct unbecoming an officer and a gentleman.

          So those who serve get heaps of charges and the police and government people get less?

          More and links to the relevant MCM sections
          http://nc3.mobi/references/2015-detail/#20150824am

        • “Well then I guess they should have thought of that before they decided to try to be adulterers, no?”

          But they shouldn’t have their lives and the lives of their families destroyed because of it, no? Perhaps the next time you make a poor choice or decision that might cause some catastrophic event in your life others who don’t actually know you will be similarly sympathetic and say you deserved it.

          • “But they shouldn’t have their lives and the lives of their families destroyed because of it, no? Perhaps the next time you make a poor choice or decision that might cause some catastrophic event in your life others who don’t actually know you will be similarly sympathetic and say you deserved it.”

            What is the point in rules, oaths, and agreements, whether they be made in regards to marriage or the military, if nobody should be held accountable for breaking them? Is that fair to all the partners who are being kept in the dark about their spouse’s extramarital affairs and would rather not live in a relationship based on lies? You speak as if the people who have been exposed are the only victims in this case and that they have done no wrong, when in fact they victimized their own families and relationships (as well as those of others) the moment they registered on a site to look for affairs. Nobody forced these people to seek affairs that could prove damaging to their families, they knew what they were doing was something that would break the trust and commitment of their relationships (as well as those of others) and they made the decision to do it anyways. It was their own mistake, nobody should feel sorry about the genuinely guilty having to live with the consequences of their actions. All truths come out eventually, live and learn.

    • It’s not laughable.
      This is important data; do data mining and you will find a pattern.