Adultery website Ashley Madison was hacked on 19 July by a group calling itself Impact Team. Exactly one month later the cache of 37 million customer records has been posted online for the world to see.
Impact Team, under the cover of the Tor network, posted a file nearly 10GB in size, containing names, home addresses, email addresses and transaction records, to peer-to-peer file sharing websites that is now being pored over by journalists and security researchers.
It's real, very real
What do we know so far? Impact Team published a notice on an anonymous website on Tor stating ‘Time's Up', indicating its intention to publish the customer database in full. A number of reports initially questioned the validity of the data dump, but security researcher Brian Krebs quickly verified the cache.
"I've now spoken with three vouched sources who all have reported finding their information and last four digits of their credit card numbers in the leaked database. Also, it occurs to me that it's been almost exactly 30 days since the original hack," he said.
"Finally, all of the accounts created at BugMeNot.com for Ashleymadison.com prior to the original breach appear to be in the leaked data set as well. I'm sure there are millions of Ashley Madison users who wish it weren't so, but there is every indication that this dump is the real deal."
Luke Brown, vice president and general manager at Digital Guardian, said that "if [Ashley Madison parent company] Avid Life Media was trying to call Impact Team's bluff it seems to have backfired pretty spectacularly".
He added: "While the data has only been released on the dark web for now, it will inevitably find its way into more mainstream channels over time, resulting in very public naming and shaming for Ashley Madison's members.
"Perhaps even more embarrassing for Avid Life Media and Ashley Madison is the disclosure of the fact that a significant proportion of users on the site are fake, bringing into question the credibility of the website as a whole."
The leak is big, very big
Impact Team released a 9.7GB data dump that contains over 30 million Ashley Madison user records. This includes names, addresses and emails, but it is thought that credit card details have not been compromised. Not all the email addresses are real, but up to 24 million are said to be active.
The data was posted to a Tor website meaning that it is not accessible to the general public, as well as to peer-to-peer networks such as BitTorrent. However, details are starting to leak onto the open web via screenshots on social media.
Analysis of the cache has also uncovered a number of government and military email domains. For example one researcher said that over 6,000 of the email addresses were registered as us.army.mil.
"The website has found 1,716 email addresses from universities and further education colleges using the .ac.uk suffix; 124 using .gov.uk; 92 using .mod.uk; 65 local education authorities and schools using .sch.uk; 56 National Heath Service emails and less than 50 police emails," reported The Telegraph.
Meanwhile, security blogger Robert Graham searched the database to determine the gender balance.
"I count 28 million men to five million women, according to the 'gender' field in the database (with two million undetermined). However, glancing through the credit card transactions, I find only male names," he said.
The Ashley Madison hack is bigger in scale than the recent breach at the US Office of Personnel Management that resulted in the loss of 21 million federal records.
Ashley Madison and Avid Life Media are not happy
A strongly worded statement released by Avid Life Media said that the company is working with police to investigate the hack.
"This event is not an act of hacktivism, it is an act of criminality. It is an illegal action against the individual members of AshleyMadison.com, as well as any free thinking people who choose to engage in fully lawful online activities," the firm said.
"The criminal, or criminals, involved in this act have appointed themselves as the moral judge, juror and executioner, seeing fit to impose a personal notion of virtue on all of society.
"We will not sit idly by and allow these thieves to force their personal ideology on citizens around the world. We are continuing to fully cooperate with law enforcement to seek to hold the guilty parties accountable to the strictest measures of the law."
However, the company is also under investigation in the UK by the Information Commissioner's Office and could face a fine of up to £500,000 if it failed to delete user data as agreed with customers.
There will be business, personal and financial implications for Ashley Madison and its users, and researchers are already searching through the file for names and addresses of politicians and celebrities.
Married SNP MP Michelle Thomson is listed in the database, but claims that her email address was harvested and that she is the victim of a smear campaign.
"Along with potentially millions of others, an out-of-use email address seems to have been harvested by hackers. I am not aware of, or in contact with, Avid Life Media or Ashley Madison and look forward to finding out more about what has actually happened," she said.
Security researcher Graham Cluley pointed out: "I could have created an account at Ashley Madison with the address of [email protected], but it wouldn't have meant that Obama was a user of the site."
Tod Beardsley, security engineering manager at Rapid7, warned that the implications of the breach will be far-reaching.
"As with many breaches, this data set can severely impact the real lives of real people, but this set goes beyond the normal health and privacy concerns: some people are literally put in physical danger if their details are connected with Ashley Madison," he said.
"Among the at-risk population are physically and emotionally abused spouses, people coping with sexual orientation, gender identity, and addiction and compulsion issues, and the children of people who are named, falsely or accurately, in the data sets."
What happens next?
The leak demonstrates once again that businesses of all sizes need to prioritise security. High-profile hacks such as those on Ashley Madison, United Airlines and the Office of Personnel Management demonstrate the dangers involved in having weak security measures in place.
These cases also highlight the dedication and malice of cyber criminals, who will benefit from stolen data and not think twice about making it public.
Breached in March by the same attackers, claim 'insiders'
And all for less than £150, according to Keith
Chambers joined Cisco in 1991 after leaving ailing Wang Labs
Morphisec discovered malware compromise first, claims Avast, not Cisco