Soon after this week’s apparent leak of user data from Ashley Madison, users of the cheating-focused dating site searched frantically for ways to retroactively scrub their accounts from the massive data release.
One listing on the hacker-for-hire marketplace site Hackers List offered to pay up to $2,000 to anyone who could remove account information from the leaked files, which reportedly contain records for up to 36 million users of the site. “For what it is worth, I did not cheat, going through a tough time right now, but this is a wakeup call,” says the listing. “Need a skilled hacker to remove my information from wherever it appears as soon as possible. Please help.”
An anonymous New York Craigslist advertiser claims to be able to remove individual data from the release for a fee, and even Ashley Madison site operator Avid Life Media vowed Tuesday to do its best to undo the effects of the leak, in a statement strongly condemning the hack.
“We are actively monitoring and investigating this situation to determine the validity of any information posted online and will continue to devote significant resources to this effort,” the company said. “Furthermore, we will continue to put forth substantial efforts into removing any information unlawfully released to the public, as well as continuing to operate our business.”
But, say security researchers who’ve analyzed the data and tracked its progress online, it would be impossible at this point for anyone to effectively suppress any of the information found in the leak. “Unfortunately that’s simply not possible – once information has been sufficiently socialised and redistributed (which the Ashley Madison data has certainly been), the exposure is irretrievable,” wrote security researcher Troy Hunt in a Q&A post about the leak. “At this point it is better to focus on damage control – consider the impact of your Ashley Madison membership being known by everyone and what actions you might take in order to minimise the impact (i.e. discussing with a spouse).”
The 10-gigabyte data dump was initially published Tuesday on a website accessible through Tor, the anonymous browsing tool, and quickly redistributed through the BitTorrent file-sharing network. The leak followed a statement last month by a hacking group called The Impact Team, which threatened to release the data if Avid Life failed to shut down both Ashley Madison and a second dating site called Established Men. The hackers condemned the site’s operators for offering a $19 “full delete” feature, which they say failed to always expunge members’ data from the database.
Security researchers say the released information includes names, email addresses, physical descriptions, and even sexual and romantic preferences provided to the site, along with some records of credit card transactions for paying subscribers. Full credit card numbers apparently weren’t leaked or, says Avid Life, even stored by the company.
The release was quickly found to contain verified account information, with journalists from Gawker and The Guardian announcing they’d found accounts they’d previously created for reporting purposes in the data dump. Security writer Brian Krebs reported that Ashley Madison accounts posted on BugMeNot, a site that allows users to publicly share website credentials, also appeared in the dump, and he and other security experts confirmed other users found their information in the dataset. “I’ve verified both the credit card info and the account info with people I trust,” says researcher Robert Graham of Errata Security.
Journalists and anonymous users of forums like 8chan quickly dove into the data released on Wednesday, loading the files into database software and finding the names, occupations, and official email addresses of government officials, business executives, and celebrities. And for Internet users looking to search for themselves or their significant others in the data, a number of websites quickly launched offering email address search services. Hunt’s Have I Been Pwned? site, which identifies email addresses released in a number of high-profile breaches, promised to only let users search for their own, verified addresses “due to the sensitivity of the data,” but other sites allowed users to search for any address.
Dustin Puryear, who created one site offering to let users search the database for a $5 fee, says the search service ultimately isn’t too dissimilar from search engines like Google. “This is information that’s already available,” he says. “It’s just very difficult to get to, and very difficult to understand.”
Puryear says he hasn’t decided yet whether he’d let users request that listings be removed under extenuating circumstances, though he emphasized he wouldn’t charge users a fee to remove their information.
The data release was cryptographically signed by the hackers, which will make it hard for anyone to release any fake data from the site in the future, whether that’s pranksters looking to maliciously add names to the list or cheating spouses looking to circulate substitute files without their own information, says Graham.
“They can claim things, like their credit card was hacked, or someone [else] used their email address,” he says. “For example, Tony Blair, the former Prime Minister of Great Britain, he’s on the list, but it’s unlikely to be the real Tony Blair. You can try to deny things that way.”
While experts have warned the release could cause serious and even life-threatening consequences for Ashley Madison users for years to come, there seems to be little that can be done to stop the data from continuing to circulate. Avid Life has condemned the hackers for leaking its customers’ data, though a note apparently circulated with the release argues the blame lies squarely with the company for not better securing the sensitive information.
“Prosecute them and claim damages,” the hackers apparently wrote to users of the site. “Then move on with your life. Learn your lesson and make amends. Embarrassing now, but you’ll get over it.”