Hackers who repeatedly issued threats of revealing private customer information from extramarital hookup website Ashley Madison have now made good on their promise by posting nearly 10 gigabytes of a data dump containing Ashley Madison users’ information on the dark web.
Wired reports that hackers who were responsible for July’s infamous data breach of cheating site AshleyMadison.com have carried out their threat by posting a 9.7 GB data dump online, late Tuesday.
Data researchers discovered that the files from the data dump include:
- Account details and log-in data for nearly 37 million users.
- Credit card details and other payment transaction information, from 7 years ago.
- Names, email addresses, street names and other information of users on the website.
Related article: Online Dating Site Ashley Madison Hacked
In a statement released to announce the availability of a torrent containing the breached data, the hackers had this to say:
“Avid Life Media has failed to take down Ashley Madison and Established Men. We have explained the fraud, deceit, and stupidity of ALM and their members. Now everyone gets to see their data.”
Wide-eyed researchers from Wired rummaging through the data also discovered that there are about 15,000 .mil or .gov email addresses.
The hackers also add the presence of someone’s email address in the files doesn’t always mean that they’ve had an affair, implying that they may have been trying to. Notably, the website does not validate a user’s email address, according to multiple reports.
Elaborating on this, Graham Cluley, a security blogger says: “I could have created an account at Ashley Madison with the address of firstname.lastname@example.org, but it wouldn’t have meant that Obama was a user of the site.”
Related article: Ashley Madison Responds to Breach, Offers Free Account Deletion
Crucially, account passwords released in the data dump currently appear to have been hashed with the bcrypt algorithm for PHP. Despite this being a secure way to store passwords, security researchers believe that hackers are more than capable in ‘cracking’ these hashes to uncover the original password of the account holder. Moreover, private correspondence to and from the account can also be hijacked by hackers if the accounts are still online.
In a statement released by Avid Life Media, the parent company of AshleyMadison.com who directly addressed the release of the data in the wild, they said:
“We are actively monitoring and investigating this situation to determine the validity of any information posted online and will continue to devote significant resources to this effort.”
“This event is not an act of hacktivism, it is an act of criminality.”
This story will be updated as it develops.