Hackers posted the complete user database of Ashley Madison, the popular adultery website, on the dark Web on Aug. 18, and it has since been uploaded to popular peer-to-peer BitTorrent websites.
The 9.7 gigabyte trove of data includes the names, email addresses, and financial information of over 33 million users, although many of the accounts are fake.
“The Impact Team” had disclosed its breach of the site’s database in July, and threatened to dump that data on the Internet unless the company shut down Ashley Madison and its sister site, Established Men.
“Avid Life Media has failed to take down Ashley Madison and Established Men,” the hackers said in a statement. “We have explained the fraud, deceit, and stupidity of ALM and their members. Now everyone gets to see their data.”
The hackers were motivated by Ashley Madison’s unscrupulous practice of charging customers extra for a “Full Delete” option that purports to wipe all of their personal information from the website but does not actually delete that data.
The hack not only revealed that the “Full Delete” option was a sham, it also contradicted the claims Ashley Madison’s CEO repeatedly made about the site’s record-keeping practices.
“If a user deletes their account, he or she is not just taken out of search rotation: Every point of exposure is fully erased, even messages in someone else’s inbox. Nothing is kept on a server or saved in any files,” Noel Biderman said in 2013.
However, the database appears to have information on more than a quarter million users whose accounts should have already been deleted.
Since the hack was made known in July, a number of fake data sets were released onto the Web, but researchers said that the latest dump is authentic.
“The database dump appears to be legitimate and contains usernames, passwords, credit card data (last four digits), street addresses, full names, and much, much more,” TrustedSec, a security consulting firm, wrote on its blog. “It also contains an extensive amount of internal data, which looks like the hackers had maintained access to their environment for a long period of time.”
The data dump was created on July 11, according to the security blog Hydraze, so Ashley Madison users who created their accounts after that date are not affected by the hack.
Avid Life Media, Ashley Madison’s parent, said in reaction to the data dump that it would continue its cooperation with law enforcement agencies to investigate the attack.
“We will continue to put forth substantial efforts into removing any information unlawfully released to the public, as well as continuing to operate our business,” Avid Life said in a statement.
The release of the full database of customer emails could spell disaster even for casual users of the website who used fake names. In 2013, Facebook suffered a data breach where the emails of around 6 million users were taken and dumped on the Web, and those who used the same email address on both websites could have their identities traced back to Facebook.
Various Internet communities have already begun to compile and collate the information to make it more accessible to the general public. Users on the 4chan image board began to post lists of emails of Ashley Madison users who were public employees in Britain, and yesterday a Reddit user created a discussion area to talk about the information from the hack, but it was quickly shut down by administrators.