The hacker or hackers who published internal data stolen from adultery website Ashley Madison last month have released a much larger cache of data from the site, including details on users and executives and internal corporate documents, security researchers said.
“The database dump appears to be legitimate and contains usernames, passwords, credit card data, street addresses, full names, and much much more,” said TrustedSec researcher Dave Kennedy in a blog post. “So far, it looks like around 33 million usernames, first names, last names, street addresses, and more are impacted by this breach.”
Kennedy and other researchers confirmed that the cache amounts to about 10 gigabytes (GB) of compressed data.
“For folks that may not know, that is massive,” Kennedy wrote.
The release comes 30 days after the original publication of data, as originally promised by the unknown hackers, who refer to themselves as Impact Team. The attackers said last month they would release the data unless Ashley Madison and a similar site called Established Men were shut down by parent company Avid Life Media (ALM).
“We have explained the fraud, deceit, and stupidity of ALM and their members,” Impact Team wrote in a statement accompanying the data, according to security researchers. “Now everyone gets to see their data.”
Data contained in the cache indicates the most recent information dates from 11 July, or 10 days before the initial release.
The hackers were acting out of a misguided sense of morality, seeking to “impose a personal notion of virtue on all of society”, ALM said in a statement.
“These are illegitimate acts that have real consequences for innocent citizens who are simply going about their daily lives,” the Toronto-based company stated.
ALM said the US’ FBI, the Royal Canadian Mounted Police and local police are investigating the breach. It did not confirm that the published data was genuine, but said it was aware of the claim.
The company has said it believes the hackers were formerly connected to the company.
TrustedSec said the hackers appeared to have maintained access to ALM’s internal data for a considerable length of time.
“This is a massive data breach where attackers had full and maintained access to a large percentage of Ashley Madison’s organisation undetected for a long period of time,” TrustedSec’s Kennedy wrote.
He said the cache includes hashes of corporate passwords, corporate PayPal accounts and passwords, and internal documents such as maps of server infrastructure and organisational charts.
“This is much more problematic as it’s not just a database dump, this is a full-scale compromise of the entire company’s infrastructure including Windows domain and more,” he wrote.
More than 15,000 of the email addresses are hosted on US governmenet or military servers using the .gov and .mil top-level domains, other researchers said.
The documents detail 9.6 million transactions and include 36 million email addresses, according to researchers. Websites have surfaced allowing users to search the database for their own email address, according to reports.
Microsoft security expert Troy Hunt said more than 1 million of the email addresses were linked to payment records.
Errata Security and security journalist Brian Krebs both said unnamed individual users had confirmed the last four digits of their credit cards were found in the cache.
The data also includes personal information on users, including their sexual preferences, according to researchers.
Are you a security pro? Try our quiz!
US Commerce Secretary Gina Raimondo says Huawei's flagship smartphone chip 'years behind' US technology, shows…
Cloud companies, business user groups say Broadcom price changes do not address their concerns, as…
Dating app Grindr sued over claims it shared sensitive user data, including HIV status, with…
Meta Platforms opens operating system behind Quest virtual reality headsets to third parties amidst competition…
European Commission may ban rewards feature in recently launched TikTok Lite that it calls 'toxic…
US House of Representatives passes new bill combining TikTok measures with foreign aid, may face…
View Comments
Forget any adultery/ partner type issues, think of the potential security threats due to blackmail of people in positions of power or security. This ought to be viewed as a potential national security crime.
If you don't think it is - Think of the compromises to national security when being gay was a criminal offence and/or socially unacceptable and the opportunities that present to the espionage community!
Looks as though the culprits are known - so shouldn't be long before they are behind bars!