The download was initially posted to a site on the dark web only accessible by using the anonymous browsing tool Tor, according to Wired. One file appeared to contain credit card transaction data, but did not appear to include billing addresses or full payment card numbers, according to Ars Technica.
Another site, Established Men, was also swept up in the data dump, according to various media reports. Established Men is aimed at women hoping to connect with wealthy men.
Both sites are owned by Avid Life Media. A spokesperson for Avid Life said it was investigating whether the sites were the source of the data.
"Last month we were made aware of an attack to our systems," the company said in a statement. "We have now learned that the individual or individuals responsible for this attack claim to have released more of the stolen data."
Avid said it is working with Canadian law enforcement and the FBI to investigate the incident. "This event is not an act of hacktivism, it is an act of criminality," Avid Life Media said in its statement. "The criminal, or criminals, involved in this act have appointed themselves as the moral judge, juror, and executioner, seeing fit to impose a personal notion of virtue on all of society."
In July, a group of hackers calling themselves the Impact Team appeared to post some data from the company's sites online. The hackers claimed that Ashley Madison didn't delete users' information even after they paid a special fee to have it deleted. The company rebuffed that claim and made the service, which previously cost around $20, free after news of the breach.
In a statement at the time of the breach, the hackers demanded Avid Life "take Ashley Madison and Established Men offline permanently in all forms" or they would release all customer records.
"Avid Life Media has failed to take down Ashley Madison and Established Men," Impact Team wrote in a statement accompanying the latest data dump, according to Wired. The group also claimed that the data would show that the vast majority of users on the site were male. "Now everyone gets to see their data…. Keep in mind the site is a scam with thousands of fake female profiles," the statement said.
But suspicious spouses eager to dig through the alleged trove take note: Ashley Madison's sign-up process does not require e-mail verification to create an account, according to Wired, so it's possible legitimate e-mails were used to set up fake accounts.
Adult FriendFinder, another Web site aimed at arranging personal encounters online, also suffered a breach earlier this year. The data exposures are another reminder that intimate data shared online may not always stay as private as users might hope.