If the search found a hit, Trustify sent the exposed user a warning that the data could "follow you across the web forever" and "ruin your life" — as well as a link to its $67-an-hour investigator service, where the site dangled "ways to hide the exposed details."
Soon, millions of suspicious spouses, children, colleagues and others were firing off an average of 500 searches a second, and the ensuing "investigations" helped Trustify pocket more money in a single day than it had made all last month.
But it also fueled a furious backlash from critics who slammed Trustify as a digital "ambulance chaser," capitalizing on the distress and vulnerability of private people whose secrets were exposed on a global stage.
"To me, this looks like profiteering off other people's misery in a way I would never have expected from such a company," said Per Thorsheim, a Norway-based security adviser and founder of tech-security conference Passwordscon. "From their perspective, this is a massive opportunity to make tons of money in a very easy way."
As data breaches have increasingly taken aim at Americans' banks, health insurers and private lives, a cottage industry of enterprising start-ups like Trustify has boomed, moving quickly to target the victims left most exposed in the aftermath.
Spammers and hackers have for years seized on stolen data for corrupt means, but they are now being joined by otherwise legitimate companies spying a chance to turn the sensitive data into lucrative new customers.
Danny Boice, who founded Trustify after a messy divorce and a "very skeezy experience" with online private eyes, wrote in an e-mail that the service was designed purely to "help those who cannot help themselves navigate an environment of increasing distrust, (dishonesty) and complex information."
"This unfortunate situation made for a perfect opportunity for Trustify to dig in and help the average consumer find the truth," Boice wrote. "And this is exactly what we did."
But Boice has also gushed over just how much the breach has helped his business. Charging hundreds of dollars for a typical "report" on their findings in the data, the start-up has seen its caseload explode to 15 times its typical size, and Boice said the breach helped the site soar to its first month of profitability.
After the breach, Boice told a morning news show, “Fortunately or unfortunately, it’s been good for business for the private-investigator world.”
Because Ashley Madison offered to help coordinate hook-ups between hopeful adulterers, and because of the sensitivity of what was stolen (including user's names, phone numbers, home addresses, credit-card transactions and sexual preferences), critics said the potentially humiliating data has given companies like Trustify an extra selling tool to persuade users to pay for protection.
Trustify is far from the only site to use the freely available, stolen data for questionable financial gain. One site's search tool is ringed by ads for GPS trackers, divorce attorneys and phone-spying apps.
But the start-up has become one of the hack's most-trafficked beneficiaries, hyped in media reports (including in The Washington Post) and boosted by its front-page Google standing and automated marketing e-mails.
Trustify's first bulk blasts of unsolicited e-mails, some of which had subjects like "Your boss might know," stunned breach victims, who were told that an anonymous user had used the search to uncover their secret. Many took to forums like Reddit to claim the site profited off victimization, spam and fear-mongering: One user said the site's leaders were more egregious than the initial hackers, because they "did it for free where as you are profiting from the misery."
Critics slammed Trustify for selling expensive investigative reports built by simply scraping together the easily downloadable Ashley Madison data. Others said Trustify exaggerated its ability to "hide the exposed details" of data that had already spread rapidly across the Web.
When asked what methods Trustify used, Boice said, "We do not help anyone cover up the truth or act on the truth. ... We are simply very, very, very good at finding answers for our customers."
The start-up has gone on the defensive, sharing a blog post explaining their rationale and addressing questions like, "Are you exploiting this situation for profit?" A Trustify employee sought to tamp down criticism by launching an "ask me anything" thread on Reddit, but the responses have all since been deleted, because Boice said Reddit users began making death threats against him, his wife and children, and Trustify employees.
With the help of the breach, the company, Boice said, expects to rapidly grow its 15-person corporate team, which redirects jobs out to 3,000 contract investigators. In job listings, the site says it is "going to be loud and noisy about" disrupting the $5 billion private-investigator industry, adding that a reason to work at the site is, "We win."
But responding to the backlash, Trustify has quietly and repeatedly changed big parts of how its biggest moneymaker has run. The firm is working to "make additional modifications to our search tool so that it's even more compliant to privacy standards and practices just to ensure that we are going above and beyond," Boice wrote.
When asked whether the firm was concerned about legal consequences to aiding the spread of stolen data, Boice wrote, "No comment."
Troy Hunt, a Sydney-based security expert known for Have I Been Pwned?, a free service that alerts subscribers when their e-mail addresses have been exposed in a new breach, said Trustify's setup had helped empower blackmailers and looky-loos while leaving victims open to further harm.
Trustify "is well-targeted advertising, I'll give them that much, but it is very, very seedy," Hunt said. But perhaps they feel like "they're going to be so overwhelmed by inquiries that it almost doesn’t matter."