Summary of Ashley Madison Hack

Tina Turner had a hit many years before her trip to Thunderdome when she asked, “What’s love got to do with it?” After being married to Ike, maybe she really felt that way.

Supposedly other women do too. If you believe their marketing, a vast number of unhappy and promiscuous women are available on the Ashley Madison website for any married man wanting a fling. This website, whose motto is “Life is short, have an affair,” was recently hacked.

Some readers may ask why I am spending time on this data breach of a sleazy website. Why? Because thus far, this is the biggest known data breach in the world…ever. Besides, how many websites do you know that dedicate themselves to violating one of the Ten Commandments?

These guys are dirtbags. They are marketing adultery with a money back guarantee.

Affair Guarantee Program Rules

• Under the Affair Guarantee Program, (the “Affair Guarantee Program” or the “Program”) if you don’t find someone within the initial 3 months after purchasing the “Affair Guarantee” Membership Package, we’ll refund you the amount you paid for participating in the Program (the “Refund”).

• The Guarantee Program is available for a limited time only, and open to anyone.

Of course, a certain amount of fine print applies.
Ashley Madison Guarantee

The cost of sin is high. In this case, $249 CDN/$199 USD.
Source Article

A year ago, the website was claiming 13 million active users. Oh, no cost for women to join. Prices above are the rates men are willing to pay.
Source Article

Distribution of Ashley Madison users by city.

Graph Source

Those with memberships were promised that for a fee of $19, their account would be deleted.

Ashley Madison sold the delete feature for $19, The Guardian reports, promising users it would remove their profiles from the site, including search results. BuzzFeed discovered that the site made close to $2 million for the service in 2014 alone when 90,000 requested such profile deletions.

However, it turns out that Ashley Madison kept a treasure trove of information for each user that’s good enough to identify that person. The company did remove the real name, username, email and profile information as promised but it retained sensitive data that can be used to find out whether a person may have had an account on the extra-marital affairs site.

The company “retained the date of birth, city, state, post- or zip code, country, gender, ethnicity, weight, height, body type and whether the user smokes or drinks,” The Guardian writes.
BGR Article

The hackers of this website call themselves The Impact Team. This manifesto—including locations of the data—can be viewed here. Impact Team Manifesto

According to Toronto Police, employees of Canadian-based Avid Life Media—the owners of Ashley Madison and some similar websites—first became aware of the hack on July 12.

In the news conference, the police detailed how users were targeted in an attack that began July 12, when employees of Avid Life Media arrived at work. When the employees opened their laptops, they were met with the song “Thunderstruck” by AC/DC, and an accompanying message demanding that Avid Life shutter both websites.
New York Times

The hackers then provided samples of the hacked data to prove that their claims of hacking the website were genuine. Avid Life refused to take down two of their websites, so on August 20th the hacked data was posted.

Impact Team released a 9.7GB data dump that contains over 30 million Ashley Madison user records. This includes names, addresses and emails, but it is thought that credit card details have not been compromised. Not all the email addresses are real, but up to 24 million are said to be active.

The data was posted to a Tor website meaning that it is not accessible to the general public, as well as to peer-to-peer networks such as BitTorrent. However, details are starting to leak onto the open web via screenshots on social media.

Analysis of the cache has also uncovered a number of government and military email domains. For example one researcher said that over 6,000 of the email addresses were registered as

“The website has found 1,716 email addresses from universities and further education colleges using the suffix; 124 using; 92 using; 65 local education authorities and schools using; 56 National Health Service emails and less than 50 police emails,” reported The Telegraph.

Meanwhile, security blogger Robert Graham searched the database to determine the gender balance.

“I count 28 million men to five million women, according to the ‘gender’ field in the database (with two million undetermined). However, glancing through the credit card transactions, I find only male names,” he said.

The Ashley Madison hack is bigger in scale than the recent breach at the US Office of Personnel Management that resulted in the loss of 21 million federal records.

A few days later, the hackers posted a second data dump of 20 gigabytes. These were all internal records of Avid Life Media. This dump included code of the websites, Google drives of managers, emails, and other internal documents. The Sony data breach was larger in terms of size of the data files, but in terms of names this is the biggest in the world.

As a result of the data breach, two people listed on the website have reportedly committed suicide. This is from the police news conference mentioned earlier. Their spokesman is Mr. Bryce Evans.

Mr. Evans also said that the police have received two unconfirmed reports of suicides related to the data breach. Security experts had warned the revelations contained in the breach could lead to suicide and violence.

“Others might find the thought that their membership of the site — even if they never met anyone in real life, and never had an affair — too much to bear,” Graham Cluley wrote on his security blog last week, “and there could be genuine casualties as a result. And yes, I mean suicide.”
New York Times

Hack Touches Virtually All of the United States

Gawker’s Gabrielle Bluestone has uncovered that there are precisely three ZIP codes across the country that have no record of Ashley Madison users. That’s ZIP codes, not area codes. And what do they have in common? They’re partially lacking two things: the internet and a large number of people.
Yahoo Finance

Doriana Silva
Thus far we have learned that there are roughly six men for each woman listed on the website. However, the number of women is a matter of some dispute. Many of the female profiles on the website are reportedly fake. Some of the male profiles are also fraudulent.
In 2012, Doriana Silva filed a lawsuit that was later thrown out. Her claim of fraudulent profiles is receiving renewed media interest in the wake of this hack. Below are portions of a news article from New Zealand.

A former employee of the Ashley Madison adultery website has claimed she was told to create hundreds of fake profiles of female “members” to entice men to join up.

Doriana Silva, who worked at the company’s headquarters in Toronto, Canada, tried to sue the firm after claiming she suffered repetitive strain injury (RSI) after being given a month to input 1,000 bogus memberships.

Ms Silva, who is Brazilian, was recruited by Ashley Madison’s parent company Avid Life Media to help launch a Portuguese language website in her home country.

According to court documents in Toronto: “Her allegation is that her job entailed concocting phony profiles of alluring females and inputting these profiles into the appellants’ online dating service in order to attract male subscribers.”

She claimed she was given three weeks to create 1,000 fake profiles.

Her claim stated: “The purpose of these profiles is to entice paying heterosexual male members to join and spend money on the website.

“They do not belong to any genuine members of Ashley Madison – or any real human beings at all.”

She said she was led to believe “that doing so was some sort of a normal business practice in the industry” but found her workplace “oppressive and unethical”.

Ms Silva launched the case in 2012, claiming £10 million in damages. Avid Life counter-sued her, denying her claims, and the two sides eventually agreed to drop their cases earlier this year.

New Zealand Herald

Other Fraudulent Names

Ashley Madison claims to have 1.2 million users in the UK, which would equate to almost one in 20 of all adults between the ages of 18 and 50. Increasing numbers of supposed members whose details have been published online by hackers say they had never even heard of Ashley Madison.

Online security experts have suggested the company could have bought bulk email addresses from marketing companies to make it appear that their membership – and their choice of possible partners – was far larger than the reality.

A source close to the FBI investigation into the leak has told The Daily Telegraph that examinations of the database suggest many of the female profiles on the site were created by a relatively small number of individuals.

Ashley Madison says on its website that it cannot “guarantee the authenticity of any profile”. It relies wholly on men for its profits; women can join for free, but men pay a minimum of £39 to be able to contact other members, though there is no guarantee that they will get a response from people they message.

Peter Sommer, a visiting professor at the De Montfort University Cyber Security Centre, said: “A number of internet dating agencies are known to artificially boost the number of profiles they have in order to make them more attractive.

“They take publicly available information from other databases and add it to their own. People then pay to be able to contact other ‘members’ and it’s not until they get to that stage that they realise a lot of them are duds.”

Bulk email addresses can be bought from marketing companies for as little as 10p each.
New Zealand Herald

Identity Theft

Another possible explanation is that people using the site have simply stolen other people’s email addresses so they do not have to give their own name. People can even browse the site using entirely fake email addresses, because no verification emails are sent out by Ashley Madison to check the email is genuine.

Among those who believe they may have been the victims of identity theft is Oliver Coppard, who stood as Labour’s parliamentary candidate in Sheffield Hallam against Nick Clegg earlier this year.

He said an email address for him that appears in the leaked data is one he has not used for three years.

“It’s a bit of a mystery to me,” he said. “I have never been on the site and I’m not even married so I would have no need to use it. It doesn’t really matter to me, but I don’t know how it has happened.”

New Zealand Herald

If you want to see if you know anybody involved in the hack, you can check at these two links. Use at your own risk.

Please be aware that this hack is creating a secondary market in scammers and malware sites.

Remember that email addresses are not verified by Ashley Madison so tread lightly before accusing folks of being actual clients. There is a chance they are innocent.

For a business that is predicated on secrecy and then is hacked with the outpouring of personal details, it no longer becomes a viable business.
New Zealand Herald