It’s fair to say that since hackers published the private details of the over 37 million registered users of the adult infidelity website Ashley Madison, journalists have been having a field day sorting through the data dump.
How many .gov or .mil email addresses were used to register accounts? (Answer: over 15,000, with many of those holding sensitive or classified positions in the U.S. government, according to The Hill newspaper.)
What college or university had the highest number of registered users? (Answer: Michigan State University with 696 unique accounts.)
Where in America were registered users least likely to live? (Answer: the villages of Nikolai and Perryville, both in Alaska, and Polvadera, New Mexico, the only places with zero users.)
Such data phishing no doubt will continue for some time, much to the entertainment of some. But the leak of private information detailing millions of people’s intimate behaviors and desires is causing a great deal of distress as well.
The Toronto Police Department is investigating two reported suicides that stemmed from the data breach – one in Chicago and the other in San Antonio – as well as other possible incidents of extortion.
Ashely Madison’s parent company, Avid Life Media, is based in Toronto, making such incidents subject to the Toronto PD’s investigative authority.
Cybersecurity author and blogger Brian Krebs, at his website Krebs On Security, has independently documented several instances of extortion emails sent to Ashley Madison users demanding payments in the difficult but not impossible to trace Bitcoin.
And it goes without saying that whoever holds the millions of detailed personnel files of government employees stolen from servers at the U.S. Office of Personnel Management over the last year is combing through the two data sets to find individuals that overlap, creating possible targets for blackmail.
But it doesn’t stop there.
Many of Ashley Madison’s clients were married clients, so millions of spouses and family members may also be negatively affected – assuming they learn of any infidelities. And even for the many more not touched directly by this hack, it raises serious questions about just how – or even if – personal information on the Web can remain private.
In Ashley Madison’s defense, the company employed a variety of relatively sophisticated techniques and protections to safeguard the private, highly intimate details of their client’s profiles.
For example, unlike many online services, the Ashley Madison website, which remains operational, uses something called a “bcrypt algorithm” that encrypts users’ passwords and protects the site from brute-force search attacks.
But in the end, notes regarded cybersecurity author and developer Troy Hunt, this and other protections weren’t enough to keep those secrets locked away.
"Clearly there was a massive shortcoming somewhere in Ashley Madison’s security," Hunt told VOA by email. "There were actually aspects of it they did very well – their password storage, for example – but you can’t have this volume of data go walking out the door without having a serious flaw (or multiple serious flaws) elsewhere in their systems."
Hunt has been at the forefront not only reporting on the attack, but discussing efforts to make the data as public as possible.
In addition to being a web security developer, Hunt also runs “Have I been pwned?,” a website that allows users to check if any of their email or other accounts have been breached in a hack attack.
Stress could be 'significant'
Hunt has declined to include the Ashley Madison data on his site, writing: "There’s no escaping the human impact of it. The discovery of one’s spouse in the data could have serious consequences. The stress inflicted on individuals that they may now be 'found out' could be significant."
Other websites, however, have chosen a different path, electing to make the data searchable across a variety of parameters. Such sites include WasHeOnAshleyMadison.com, Trustify.com and AshleyMadisonDataLeak.com, among others.
[Editor's note: VOA is not linking to these sites because of unresolved verification and security issues.]
Avid Life Media has had some success in using the Digital Millennium Copyright Act to get courts to pull these and other sites offline under copyright claims.
But Hunt said using the courts to permanently erase the hacked data from the Internet is “no more than sticking the proverbial finger in the dyke.”
“If [it was] released with the intent of it being distributed en masse, it will be and all the DMCA takedowns in the world won’t change that," he said.
Everyone at risk
Beyond the considerable security risks and emotional toll the Ashley Madison data breach may bring, there are reasons for people who have absolutely no connection to the site to worry.
First, some of the Ashley Madison accounts were undoubtedly fraudulent, registered under other people’s names or email addresses. The result is that individuals who never visited the site might come under suspicion.
Additionally, many former Ashley Madison clients have written to Hunt to say they signed up out of curiosity or other reasons and never used the service, although their information remains.
Secondly, it’s very likely the Ashley Madison information has already been vacuumed up by large data aggregation firms, which cross-reference personal information of all sorts to create complex and highly personal profiles of millions of people online that they sell to companies such as Google and Facebook.
“For example, take what size pants you wear combined with what sort of cable TV plan you have,” Harvard researcher Adam Tanner told VOA last year.
“Together, they might suggest you’re overweight, you watch a lot of sports, and you spend a lot of sedentary time at home. So now, maybe a health insurer might deem you a higher risk. We should really be cautious about how seemingly unconnected information may be used to discriminate against you or create some really negative impact.”
The upshot is that if you have a friend, or a friend of a friend, who was an Ashley Madison client, and the two of you are linked in any way on social media, that this bit of information will now be permanently part of your digital profile.
Lastly, cybersecurity author Hunt said the Ashley Madison hack is just the latest in a series of massive data breaches of private information, leading some to wonder whether the Internet at present is just too unsecure to keep anything private.
“For people who aren’t AM customers, there’s very little immediate term impact beyond monopolizing their news headlines," he said. "The bigger picture, though, is what it signals for online security and that’s something we all should be learning from; you just cannot trust websites to keep personal details private.”
There may be a short ray of hope for Ashley Madison clients and the millions of others who have had private information breached and stolen in a cyberattack.
Just this week, the U.S. Court of Appeals for the Third Circuit ruled that the Federal Trade Commission can take legal action against Internet firms that “…unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.”