Millions of accounts stolen from the adultery facilitation service Ashley Madison hit the dark web this week, causing angst for spouses, anxiety for the site’s users and social reflection from a variety of media sources. The information includes names, passwords, email addresses, credit card information for paid accounts, physical descriptions and profile information about users’ kinks and sexual fantasies.
Tools to search the massive database have already appeared, though it’s not clear how accurate those tools are and whether they are harvesting information themselves. Let’s look at some of the security implications of the leak.
Public Security Concerns
Many of the site’s users signed up with their work emails, probably in an attempt to keep their spouse or significant other from reading their messages. Approximately 15,000 of the leaked accounts are linked to email addresses in the .edu, .mil or .gov domains. This means the names and personal information of thousands of government employees are now online, making them targets for blackmail and identity theft.
Almost two-thirds of the emails are from military addresses. The United States military has regulations against cheating on spouses, and the leak could lead to dishonorable discharges should the military decide to follow up. Several state and local government agencies have stated they will be looking into accounts that used email addresses linked to their employees.
Is the Data Legitimate?
Ashley Madison did not require email verification, and it’s not exactly difficult to sign up for a free account with someone else’s information. Confirming the information is difficult, since neither Ashley Madison nor its cheating users are likely to comment. On the other hand, people who were wrongfully signed up by others have no way to prove their innocence either.
Some of the leaked accounts contain data specific enough to trace back to individuals, such as credit card information, and are undoubtedly legitimate, but others are obviously faked. For example, someone signed up for an account using the name and email address of one of the fictional FBI detectives from the TV show The X-Files.
What Can We Learn?
Consider anything you enter online permanent. Some of the users in the leaked database paid a fee to Ashley Madison for a service that was supposed to delete their account and information entirely. Obviously it didn’t work.
Don’t advertise your computer system or service as totally private and unhackable. One of the reasons Ashley Madison was targeted was its advertisements touting the safety of users’ information. In any connected system there are ways for determined hackers to get in.
Don’t use your work email address for personal communication. Even if you’re not cheating on your spouse, it’s not a good idea. Most employers back up their email messages and accounts for security purposes.