Ashley Madison data published -- and it's worse than anyone thought

Shutterstock/Michael Rundle

A huge database of user information stolen from extramarital affairs website Ashley Madison has been posted online.

The compressed 10GB file was posted to the dark web late on Tuesday and has since been shared widely there.

The data dump contains the usernames, first names, last names, street addresses and more of some 33 million users. Partial credit card details are also included in the file, along with records documenting 9.6 million transactions and 36 million email addresses going back seven years. Among the email addresses were more than 15,000 accounts created with US .mil or .gov email addresses.

As well as user data, the file contains internal documents from Ashley Madison, including employee credentials, charts, contracts and sales documents. It had been thought the hackers would only leak user data, but the inclusion of sensitive company details makes the leak far more serious than first thought.

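Passwords included in the leak are hashed using the secure bcrypt algorithm. Because bcrypt is a one-way hash rather than encryption, the passwords cannot be decrypted, only guessed and checked one at a time. The difficulty and cost of cracking every password hash in the database means they will likely remain uncracked, but any users of Ashley Madison should change their password there and on any other site where they reused it.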

Physical descriptions created by users are also in the data dump. Eye colour, weight, height, hair colour, body type and ethnicity are all included, along with relationship status, what a user is looking for, whether they drink alcohol or smoke, their security question and date of birth. According to the 'gender' field in the database, 80 percent of Ashley Madison's users are male (28 million), with 14 percent (5 million) female and five percent (2 million) not specified.

In a statement on Tuesday, Ashley Madison parent company Avid Life Media (ALM) cautioned the data may be fake, but subsequent analysis by a number of security experts has confirmed it was legitimate. "This dump appears to be legit. Very, very legit," wrote TrustedSec researcher Dave Kennedy. "This is a full scale compromise of the entire company's infrastructure." The hackers also released a public key to allow people to check that all the files leaked were created by the author and were not modified.

Security expert Graham Cluley warned people against jumping to conclusions if they find the email address of a partner in the data dump. "If your email address is in the Ashley Madison database it means nothing. The owner of that email address may never have even visited the Ashley Madison site," Cluley explained. That's because Ashley Madison didn't verify email addresses given to it, allowing anyone to enter any email address.
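Added example (not from the original article and not Ashley Madison's code): a minimal sketch of the email confirmation step the site lacked, where an address is treated as belonging to an account only after a token mailed to that address is returned. The `Accounts` class, `SECRET`, `TOKEN_TTL` and the in-memory store are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

SECRET = secrets.token_bytes(32)   # server-side signing key (constructed for the example)
TOKEN_TTL = 24 * 3600              # assumed validity window, in seconds

class Accounts:
    """In-memory account store; an address is untrusted until confirmed."""

    def __init__(self):
        self.users = {}  # email -> {"verified": bool, "nonce": str or None}

    def _sign(self, email, nonce, expires):
        msg = f"{email}|{nonce}|{expires}".encode()
        return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

    def signup(self, email, now=None):
        """Create an unverified account and return the token to be mailed
        to `email`; only someone who can read that mailbox will see it."""
        now = time.time() if now is None else now
        email = email.strip().lower()
        if self.users.get(email, {}).get("verified"):
            raise ValueError("address already confirmed")
        nonce = secrets.token_hex(16)
        expires = int(now) + TOKEN_TTL
        self.users[email] = {"verified": False, "nonce": nonce}
        return f"{expires}.{self._sign(email, nonce, expires)}"

    def confirm(self, email, token, now=None):
        """Mark the address verified only if the token is authentic, unexpired,
        and matches the latest nonce issued for this address."""
        now = time.time() if now is None else now
        email = email.strip().lower()
        user = self.users.get(email)
        if user is None or user["verified"]:
            return False
        try:
            expires_s, mac = token.split(".", 1)
            expires = int(expires_s)
        except ValueError:
            return False
        expected = self._sign(email, user["nonce"], expires)
        if now > expires or not hmac.compare_digest(mac.encode(), expected.encode()):
            return False
        user["verified"], user["nonce"] = True, None  # token is single use
        return True

    def is_verified(self, email):
        return self.users.get(email.strip().lower(), {}).get("verified", False)
```

With this step in place, a record whose address was never confirmed can be flagged as unverified, so the presence of an address in the store does not by itself imply its owner signed up.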

Impact Team, the hacker group behind the attack and subsequent leak, said it was following through with its promise after ALM failed to shut down Ashley Madison and Established Men. "We have explained the fraud, deceit and stupidity of ALM and their members. Now everyone gets to see their data".

This article was originally published by WIRED UK