Dumped (link: arstechnica.com)

The word above describes both what happened today with all the data — 10 GB of compressed text — that was stolen last month from Ashley Madison, and what will likely be happening to the millions of users of the site today.

I don’t mean to be glib about it: this is serious. Ashley Madison is a website that encourages an often-deplorable activity,1 but that doesn’t make this intrusion any less criminal. Unlike with credit card data breaches, which are largely inconvenient but manageable, the fallout is going to affect millions of lives immediately.

Dan Goodin, Ars Technica:

Researchers are still poring over the unusually large dump, but already they say it includes user names, first and last names, and hashed passwords for 33 million accounts, partial credit card data, street names, and phone numbers for huge numbers of users, records documenting 9.6 million transactions, and 36 million e-mail addresses. While much of the data is sure to correspond to anonymous burner accounts, it’s a likely bet many of them belong to real people who visited the site for clandestine encounters. For what it’s worth, more than 15,000 of the e-mail addresses are hosted by US government and military servers using the .gov and .mil top-level domains.

The leak also includes PayPal accounts used by Ashley Madison executives, Windows domain credentials for employees, and a large number of proprietary internal documents. Also found: huge numbers of internal documents, memos, org charts, contracts, sales techniques, and more.

Brian Krebs is convinced this is legitimate.

One of those sales techniques Goodin alludes to is a full user profile wipe, available for $20. As noted by Joseph Bernstein at Buzzfeed, the company estimated that they generated $1.7 million in revenue from this in 2014.

Robert Graham notes that Ashley Madison took security reasonably seriously:

They tokenized credit card transactions and didn’t store full credit card numbers. They hashed passwords correctly with bcrypt. They stored email addresses and passwords in separate tables, to make grabbing them (slightly) harder. Thus, this hasn’t become a massive breach of passwords and credit-card numbers that other large breaches have led to. They deserve praise for this.
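The storage scheme Graham praises, shown as an added example that is not from the original post, from Graham, or from Ashley Madison's own code: a slow, per-user-salted password hash kept in a credentials table separate from the e-mail table, and a constant-time check on login. Python's standard library has no bcrypt binding, so scrypt (hashlib.scrypt) stands in for bcrypt here; the cost parameters, the unsalted SHA-1 anti-pattern used for contrast, and the names hash_password, verify_password, duplicate_digests and UserStore are all assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# scrypt work-factor parameters; they play the role of bcrypt's cost setting.
# (Assumed values for this example, not Ashley Madison's configuration.)
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hash a password with a fresh 16-byte random salt and return a
    self-describing record "scrypt$N$r$p$salt_hex$digest_hex"."""
    if salt is None:
        salt = os.urandom(16)          # one random salt per stored password
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest using the parameters stored in the record and
    compare it in constant time, so a malformed record simply fails."""
    try:
        alg, n, r, p, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if alg != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=DKLEN)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def unsalted_sha1(password: str) -> str:
    """The anti-pattern, for contrast only: fast and unsalted, so equal
    passwords give equal digests and a dumped column leaks who shares one."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def duplicate_digests(records: List[str]) -> int:
    """Count stored values that appear more than once in a dumped column.
    With per-user salts this is 0 even when users share a password."""
    seen: Dict[str, int] = {}
    for rec in records:
        seen[rec] = seen.get(rec, 0) + 1
    return sum(1 for count in seen.values() if count > 1)


class UserStore:
    """Two tables keyed by an opaque account id: e-mail addresses in one,
    credential records in the other, mirroring the split Graham describes."""

    def __init__(self) -> None:
        self.users: Dict[int, str] = {}        # account_id -> e-mail
        self.credentials: Dict[int, str] = {}  # account_id -> hash record
        self._by_email: Dict[str, int] = {}
        self._next_id = 1
        # A dummy record is verified for unknown e-mails so that a login
        # attempt takes the same time whether or not the address exists.
        self._dummy = hash_password("dummy-password")

    def register(self, email: str, password: str) -> int:
        account_id = self._next_id
        self._next_id += 1
        self.users[account_id] = email
        self.credentials[account_id] = hash_password(password)
        self._by_email[email] = account_id
        return account_id

    def authenticate(self, email: str, password: str) -> bool:
        account_id = self._by_email.get(email)
        if account_id is None:
            verify_password(password, self._dummy)  # burn the same time, then fail
            return False
        return verify_password(password, self.credentials[account_id])


if __name__ == "__main__":
    store = UserStore()
    store.register("a@example.com", "correct horse")   # constructed sample users
    store.register("b@example.com", "correct horse")
    print("login ok:", store.authenticate("a@example.com", "correct horse"))
    print("salted duplicates:", duplicate_digests(list(store.credentials.values())))
    print("unsalted duplicates:",
          duplicate_digests([unsalted_sha1("correct horse")] * 2))
```

The two tables only help if they are reached through different credentials or services; a dump that carries both, joined on the account id, gives an attacker what a single table would. The salt and cost factor are what keep a leaked credentials table expensive to crack, which is the point Graham is making.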

There’s plenty to read on this if you’re interested; I wanted to highlight the articles I found most intriguing. Like other breaches, there are some tools online where you can check if your (or others’) information was compromised. But don’t ask questions that you don’t want answered, at least not in this way. 36 million accounts represents a lot of potential cheaters. Reading through the revelations of a few people who did find out about their significant others’ infidelity in this manner is heartbreaking. Cheating is never okay, but I know that I wouldn’t want to find out about the infidelity of anyone I know like this.


  1. I know a handful of people who are happily in consensual open relationships.