Ashley Madison hack: All you need to know about the adultery website’s data leak

Since July 2015, a previously unknown hacking group has been revealing the user data of Ashley Madison, a dating website specially designed keeping in mind the needs of those looking for extramarital affairs. The group, The Impact Team, threatened to reveal personal information about the site’s user base, if Ashley Madison was not immediately shut down. After Avid Life Media refused to give the hackers what they wanted, the group leaked more than 25 gigabytes of company data between August 18 and August 20.
The leaked data consists of private information including but not limited to real names, addresses, search history and credit card transaction records.

July 15: Impact Team reveals the hack
The Impact team declared the hack and made their demands stating “Trevor, ALM’s [(Ashley Madison’s parent company Avid Life Media)] CTO once said “Protection of personal information” was his biggest “critical success factors” and “I would hate to see our systems hacked or the leak of personal information.” Well Trevor, welcome to your worst nightmare.
We are the Impact Team. We have hacked them completely, taking over their entire office and production domains and thousands of systems, and over the past few years have taken all customer information databases, complete source code repositories, financial records, documentation, and emails, as we prove here. And it was easy. For a company whose main promise is secrecy, it’s like you didn’t even try, like you thought you had never pissed anyone off.
Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails. The other websites may stay online.
So far, ALM has not complied.
First, we expose that ALM management is bullshit and has made millions of dollars from complete 100% fraud. Example, Ashley Madison advertises “Full Delete” to “remove all traces of your usage for only $19.00.” It specifically promises “Removal of site usage history and personally identifiable information from the site.” Full Delete netted ALM $1.7mm in revenue in 2014. It’s also a complete lie. Users almost always pay [by] credit card; their purchase details are not removed as promised, and include real name[s] and address[es], which is of course the most important information the users want removed. Other very embarrassing personal information also remains, including sexual fantasies and more. We have all such records and are releasing them as Ashley Madison remains online.
Avid Life Media will be liable for fraud and extreme personal and professional harm from millions of their users unless Ashley Madison and Established Men are permanently placed offline immediately.
Our one apology is to Mark Steele, Director of Security. You did everything you could, but nothing you could have done could have stopped this. This is your last warning, We are not opportunistic [script kiddies] with DDoS or SQLi scanners or defacements. We are dedicated, focused, skilled, and we’re never going away. If you profit off the pain of others, whatever it takes, we will completely own you. For our first release, and to prove we have done all we claim, we are listing one Ashley Madison credit card transaction for each day for the past 7 years, complete with customer name and address (oneperday.txt) and associated profile information (oneperday_am_am_member.txt and oneperday_aminno_member.txt, selected rows from our complete dump of the AM databases). We are also releasing a hash dump and zone file for both domains, select documents from your file servers, executives’ google drives, and emails, and the Ashley Madison source code repository. Also, since Ashley Madison stopped using plaintext passwords, we’re also releasing the swappernet user table, which still has plaintext passwords:
[ Links and the information of two men including their names and addresses have been removed to protect their identity] Too bad for those men, they’re cheating dirtbags and deserve no such discretion. Too bad for ALM, you promised secrecy but didn’t deliver. We’ve got the complete set of profiles in our [database] dumps, and we’ll release them soon if Ashley Madison stays online. And with over 37 million members, mostly from the US and Canada, a significant percentage of the population is about to have a very bad day, including many rich and powerful people.
Well, Noel? Trevor? Rizwan? What’s it going to be?”

July 20: Ashley Madison responds
Ashley Madison responded by stating “We were recently made aware of an attempt by an unauthorized party to gain access to our systems. We immediately launched a thorough investigation utilizing leading forensics experts and other security professionals to determine the origin, nature, and scope of this incident. We apologize for this unprovoked and criminal intrusion into our customers’ information. The current business world has proven to be one in which no company’s online assets are safe from cyber-vandalism, with Avid Life Media being only the latest among many companies to have been attacked, despite investing in the latest privacy and security technologies. We have always had the confidentiality of our customers’ information foremost in our minds, and have had stringent security measures in place, including working with leading IT vendors from around the world. As other companies have experienced, these security measures have unfortunately not prevented this attack to our system.
At this time, we have been able to secure our sites, and close the unauthorized access points. We are working with law enforcement agencies, which are investigating this criminal act. Any and all parties responsible for this act of cyber–terrorism will be held responsible. Avid Life Media has the utmost confidence in its business, and with the support of leading experts in IT security, including Joel Eriksson, CTO, Cycura, we will continue to be a leader in the services we provide. “I have worked with leading companies around the world to secure their businesses. I have no doubt, based on the work I and my company are doing, Avid Life Media will continue to be a strong, secure business,” Eriksson said.”

August 18: Impact team releases the first batch of information
Impact team leaked the information on the Deep Web on the 18th of Auguest. The leak is accompanied by a message that reads “Avid Life Media has failed to take down Ashley Madison and Established Men. We have explained the fraud, deceit, and stupidity of ALM and their members. Now everyone gets to see their data.
Find someone you know in here? Keep in mind the site is a scam with thousands of fake female profiles. See Ashley Madison fake profile lawsuit; 90-95% of actual users are male. Chances are your man signed up on the world’s biggest affair site, but never had one. He just tried to. If that distinction matters.
Find yourself in here? It was ALM that failed you and lied to you. Prosecute them and claim damages. Then move on with your life. Learn your lesson and make amends. Embarrassing now, but you’ll get over it.Any data not signed with key 6E50 3F39 BA6A EAAD D81D ECFF 2437 3CD5 74AB AA38 is fake”
The leak appears to be hosted on the Quantum Magazine website, a note on the same page as the leaks stated “We are not Impact Team, in case that wasn’t clear.Please use this data responsibly. If you find our hosting of the release data useful, please consider looking at our text based magazine called Quantum. Thank you. Also if you would like to know more about how to protect your privacy online, the magazine would be worth a look.We can be contacted at the addresses listed below. Quantum7765 (Quantum7765@sigaint.org / Quantum7765@sigaintevyh2rzvw.onion)”
The magazine appears to be about privacy and cybersecurity. It reads “Welcome to Quantum Magazine. This magazine has been issued as a text file only for added security and compatibility. No JavaScript or malicious code in a text file.This magazine hopes to address issues of Cyber-security, Technology, Cryptography, Anonymity, Privacy and Free Speech.Permission is given to distribute this freely as long as its not modified.”

Aug ust 18: Hydraze analyzes the first dump
According to the analysis published on Hydraze.com, the first dump contained a significant amount of information. “ The leaked files seem totally legitimate. 33 million accounts and [corresponding] personal information has been leaked. 36 million email addresses have leaked. Accounts’ passwords were stored in a secure way and while they won’t be cracked as a whole, someone targeting you might crack your password. Change it. The leak contains the names, street addresses, email addresses, phone number and credit card transactions of nearly 33 million accounts and Per Thorsheim has found valid credit card information. The dump was made on 11/07/15. If you registered your account after this date, you are mostly safe. If you registered before, your personal information are at risk and I advise you to take measures to protect yourself from identity or credit card theft “ the analysis stated.

August 18: Ashley Madison responds to the first batch of info
Ashley Madison responded to the first data dump by stating “Last month we were made aware of an attack to our systems. We immediately launched a full investigation utilizing independent forensic experts and other security professionals to assist with determining the origin, nature, and scope of this attack. Our investigation is still ongoing and we are simultaneously cooperating fully with law enforcement investigations, including by the Royal Canadian Mounted Police, the Ontario Provincial Police, the Toronto Police Services and the U.S. Federal Bureau of Investigation.
We have now learned that the individual or individuals responsible for this attack claim to have released more of the stolen data. We are actively monitoring and investigating this situation to determine the validity of any information posted online and will continue to devote significant resources to this effort. Furthermore, we will continue to put forth substantial efforts into removing any information unlawfully released to the public, as well as continuing to operate our business.
This event is not an act of hacktivism, it is an act of criminality. It is an illegal action against the individual members of AshleyMadison.com, as well as any freethinking people who choose to engage in fully lawful online activities. The criminal, or criminals, involved in this act have appointed themselves as the moral judge, juror, and executioner, seeing fit to impose a personal notion of virtue on all of society. We will not sit idly by and allow these thieves to force their personal ideology on citizens around the world. We are continuing to fully cooperate with law enforcement to seek to hold the guilty parties accountable to the strictest measures of the law.
Every week sees new hacks disclosed by companies large and small, and though this may now be a new societal reality, it should not lessen our outrage. These are illegitimate acts that have real consequences for innocent citizens who are simply going about their daily lives. Regardless, if it is your private pictures or your personal thoughts that have slipped into public distribution, no one has the right to pilfer and reveal that information to audiences in search of the lurid, the titillating, and the embarrassing. We know that there are people out there who know one or more of these individuals, and we invite them to come forward. While we are confident that the authorities will identify and prosecute each of them to the fullest extent of the law, we also know there are individuals out there who can help to make this happen faster. Anyone with information that can lead to the identification, arrest and conviction of these criminals, can contact information@avidlifemedia.com.”

August 20: Second dump and Hydraze analysis
According to the analysis published on Hydraze.com, the second dump mainly contained source code and the CEO’s corrupted email. “The leak contains lots of source code, nearly 3 million lines of code according to sloccount. 73 different git repositories are present. Ashley Madison used gitlab internally. The 13GB compressed file which could contain AM CEO’s emails seems corrupted. The leak contains plain text or poorly hashed md5 [database] credentials. It has been released with a message referring to AM CEO, Noel Biderman, who stated that the previous leak might be a fake “ the analysis stated.

Aug ust 21 - 22: Third dump to correct the second
The analysis of the second dump revealed that the 13GB compressed file which was supposed to contain AM CEO’s emails was corrupted. The hackers released another dump that contains 200,000 emails from the CEO’s account. According to TrustedSec “The hackers behind the Ashley Madison dump – “Impact Team” have released a new dump apparently fixing the zip file issue from the CEO’s emails from the 2nd dump release. It appears to be emails from the CEO as well as possibly other emails from the organization. The torrent seems to have stalled at 93.22% for most [downloaders because of no uploaders being present]. There’s enough of the file to repair and extract a large percentage. The extracted size is about 30GB. Ranging from July 7 2015 back to Jan 10, 2012, looks like [there are] about 200,000 total emails, from 6800 unique senders, to 3600 unique recipients.”
It is speculated that the third dump is stuck at 93% because of an article by arstechnica.com that revealed the hackers may have left footprints that might help investigators trace the hack.