Hackers say they have posted the personal details of millions of people registered with the adultery website Ashley Madison. But this massive data breach could have widespread implications on how we all use the Internet. The Post's Caitlin Dewey explains. (Jorge Ribas/The Washington Post)

Update 7:20 p.m.: CheckAshleyMadison.com was taken offline Wednesday evening after receiving a take-down request from Ashley Madison’s legal team under the Digital Millennium Copyright Act. It would appear that Ashley Madison’s lawyers are using the copyright provision to take down as much of the leaked information as they can; as of this writing, however, Have I Been Pwned and Trustify are still online, as are several new sites, including Ashley.cynic.al.

In a statement, the creators of CheckAshleyMadison.com wrote:

We hope that Avid Life Media will follow-up in the coming days with some sort of help to their userbase and a formal apology, rather than try to sweep it under the rug … P.S. To Ashley Madison’s Development Team: You should be embarrased [sic] for your train wreck of a database (and obviously security), not sanitizing your phone numbers to your database is completely amateur, it’s as if the entire site was made by Comp Sci 1XX students.

Update Aug. 24: A string of complaints has surfaced on Reddit about the private-investigation app Trustify, which — according to users — sends automated marketing messages to anyone it positively IDs in the hacked Ashley Madison data. Proceed cautiously on that one!

Our original story follows.

When a team of hackers calling themselves “the Impact Group” claimed to break into spouse cheating site Ashley Madison last month, millions of users held their breaths: See, even though Ashley Madison confirmed there was a hack, no one had posted any actual user data yet.

That changed Tuesday evening, when the Impact Group published a 10-gigabyte trove of user data — including names, phone numbers, e-mail addresses and credit card fragments — to the Dark Web.

While Ashley Madison has not confirmed that the information is authentic, several security researchers have already said that it appears to be: Multiple users have independently confirmed that their names appeared in the leak.


A statement posted by the Impact Team on Aug 18.

But if you’re worried about appearing on the list yourself, you don’t need to download Tor or scour Pirate Bay for the right torrent. At least three sites are republishing Ashley Madison’s user data on the public-facing Internet.

CheckAshleyMadison.com, which went up overnight, will tell you if an e-mail address or phone number appears in the leaked files. (“Ashley Madison users who were in committed relationships were taking comfort in the fact that their significant others were not able to Torrent things,” the site’s creator told The Washington Post. “Our site upsets that in making it easier for people to find out if their spouse was a part of the site.”)

Trustify, a sort of Uber for private eyes, said in a statement that it was also updating its hacked-e-mail search tool to add the Ashley Madison files.

And Have I Been Pwned, a site that tracks major data breaches around the Web, just finished loading more than 30.6 million e-mail addresses into its database; unlike the other sites, however, Have I Been Pwned will only share data from the Ashley Madison leak with users who have verified their e-mail address with the service and subscribed for notifications.

In other words, Have I Been Pwned (HIBP) will not allow suspicious spouses, nosy co-workers or other passersby to see if someone else was an Ashley Madison user. It will only allow the actual user to check if his or her name was included in the leak.

It’s a novel response to a situation whose ethics remain enormously murky: If private data is hacked — particularly sensitive, compromising data — who is ultimately responsible for the consequences of that leak? Is it the site that failed to secure the data, the hackers who obtained it, the third parties who republished it, often for profit — or some combination of the three?

“There’s no escaping the human impact of it,” HIBP’s creator, Troy Hunt, wrote in a lengthy blog post explaining why the Ashley Madison data wouldn’t be searchable on his site. “The discovery of one’s spouse in the data could have serious consequences … I’m not prepared for HIBP to be the avenue through which a wife discovers her husband is cheating, or something even worse.”

In the meantime, the data dump has already yielded some intriguing insights into who actually used Ashley Madison: One analysis by the self-identified hacker @T0x0, posted Tuesday night to Pastebin, found more than 6,700 Army e-mail addresses in the leak, as well as 1,600 from the Navy, 104 from Virginia state government and 45 from the Department of Homeland Security.

While those numbers haven’t yet been confirmed — and while some of the e-mail addresses could certainly be faked — that’s in keeping with earlier findings from Ashley Madison, which has said that nearly 60,000 of its users are registered in the District of Columbia.
