
On August 19th, the Impact Team released data of millions of alleged Ashley Madison users. Ashley Madison is a type of social networking website that promotes extra-marital affairs. After the main user data, the source code for the website, and emails from the founder were also released.

The data was initially released on the Dark Web, but has since been added to many clear web sites.

[Image: Impact Team's .onion site on Tor, where the data can be downloaded]

The data contains information about users names, email addresses, locations, addresses, credit card numbers, credit card transactions, sexual preferences, and much, much more.

If you are thinking about looking up your friends and neighbors, think about the following first:

You can't trust most versions of the data

Many people are interested in this data. Hackers and criminals know that it will be very popular, so they will bundle viruses and other malware with copies of the data. It is also possible that copied versions have had records added specifically to frame people. If you are going to use any version, make sure it came from Impact Team.

You can't trust websites that let you search the data

Even before the data was released, some websites were created to search the data if and when it became available. Some of these websites were created by trusted security researchers, some by hackers, and some by people who just want to make money off the situation. The result is that you should only use trusted websites when evaluating data like this. Other sites may serve malware, and some sites may collect any email addresses, names, or phone numbers that you enter to "check" and resell that information to advertising companies. Be careful with websites you don't know.

The original data could have been fake or tampered with

Data directly from Impact Team is the 'most reliable' version that we will get. However, this does not mean that it has not been tampered with. They may have added or modified entries.

Further, some accounts that exist in the system are likely to be fake anyway. The only accounts we can be reasonably sure of are attached to credit card transactions, and even those may possibly have been created by a stolen card.

Think about what you are doing

With data like this, there are a lot of things we can learn. I have a copy of the data, and I did not look up my friends or co-workers. Why? Because I don't care. Many websites are using the data to find who is cheating on whom. That question is not interesting. What is interesting is, for example, why people cheat. We might even ask whether cheating is a bad thing at all; for 39 million people, apparently it isn't. Other interesting questions include how to prevent an attack like this in the future, what the most common passwords are, and so on.

While the data is useful for the information security community to learn from its mistakes, making the data easily accessible for the sake of gossip is not useful, and could potentially cause mental and physical harm. Consider this 'help' that a woman received from radio talk show hosts: as soon as the woman found out her husband was cheating, even the host admitted he felt like a jerk.

I completely agree with the approach from the people at haveibeenpwned.com, who explain in their blog post that it is not the job of security researchers to out people. It is our job to protect people.

Every time there is a data leak, the information is used for all sorts of scams, and criminals are already using the AM data. The people involved in this breach could have their entire lives destroyed by the release of all of their information. Some people will say that they deserve it for being on such a site. That's a matter of opinion. But as security researchers, if we don't look for ways to use (and release) data responsibly, we may be hurting people to find the 'juicy bits' rather than improving security, privacy and freedom for everyone.