Lol.
That's all I have to say.
Actually, scratch that. You are turning this into the ultimate conspiracy theory. Somewhere, there is a centralized group of people that need a bunch of random joe blows to get divorced and lose their reputation, so they hacked into a site, planted their data, then let someone else discover it...
That is the most ridiculous thing I have ever heard.
Plain and simple: if it has your name, email, username, ip address, and satellite coordinates to your house captured at the time of registration (and not based on IP address, btw), and they all match you, it was you. Unless someone broke into your house, signed you up for the site with all of your normal personal info, then hid the Ashley Madison emails from your inbox, it's you.
This is the most bizarre conversation ever. The fakes are easy to spot.
Please learn to read. I clearly stated it's unlikely with THIS crack because of multiple admissions of guilt.
But it WILL be commonly used, soon enough.
This is how "hackers" (really crackers) and social engineers think. Visit DefCon sometime and look up at the display on the wall called the "Wall of Sheep". Take a walk over to the lock picking pavilion and ponder whether anyone there really thinks cheap locks are a deterrent or spends any time thinking about the consequences of popping one open "for fun."
Have you ever done any real computer forensics where chain of custody of what's on a hard disk must be maintained, to prove the investigator didn't alter the data? I have. You're not allowed to just fire up the computer and start poking around the hard drive.
If you haven't seen how damn easy it is to completely "own" an insecure server or even an entire server system and the network it's running on, it's hard to explain. Even the most sophisticated crack is just a puzzle game to the folks that do them. Manipulating society is just another type of puzzle to them. If those folks need cash, for whatever reason, it's eventually "game over" for the thing being attacked. And even one single insider and it's definitely game over at most businesses. Most janitors will happily accept $1000 to stick a USB stick in a computer and push the power button twice, some evening.
In the case of AM, there was no confirmation step. Anyone could "sign up" anyone. Didn't even need a backdoor into the database.
In future cracks of "controversial" websites, ask yourself if it would benefit anyone to have used SQL injection or a backdoor/open security hole to insert records into the table before the "copy" was "leaked", is all I'm saying.
Computer and network security, in the end, is impossible, given enough time. It rarely takes more than time and patience. There's a new remote root exploit found every week, if not every day, in most OSs now. In core code, not applications. The applications are usually written so badly/quickly/poorly they'll crumble without much effort, but you have to try more things than the published exploits.
One of our public machines had over 30,000 attempts at just boring old password guessing done against it on Friday alone (the script to block the IP of such things was hung and not working and the monitoring saw a hung version and thought it was fine). That attack was just part of the daily noise against all of our public machines and was automated. It wasn't even a real effort by a human.
(From yet another new APNIC range that wasn't already just dropped at the network border. That was also fixed. And those are cute since passwords aren't used but it's fun to watch the script kiddies so we might as well act like we accept them, right? Well up until someone decides that's a good way to do a Denial of Service attack, but those are about whoever has the most bandwidth wins, anyway, by design of IP networking, so whether they beat on the login prompt or just hit the website itself, it doesn't really matter.)
If you think people don't do this stuff "just for fun", you absolutely don't get it at all. Add in a real motivation, and it gets sticky very quickly deciding if "leaked data" is real or just whatever the cracker decided to put there.
What happens when humans on a "mission" with a huge beef against someone or some place who already have no qualms about breaking the law to break into a system to "prove" something, find nothing to leak? They'll plant it. Especially the "true believers". Totally normal for that mentality.
The instructor for my first applied network attacking class was ex-NSA. He not only told us that social engineering with a phone call was the easiest way to completely own a company, he demonstrated it. He not only had the randomly chosen target company's passwords for their web server, but logged into it from the classroom to prove it. He was a "good guy". He contacted the IT department of the company the class had chosen and let them know he'd done it. That was long ago and some companies are better now, but not a majority by a long shot.
Another one. A large financial institution that all of you would recognize but I can't share... A friend works there in their security group. He got official permission to send an email that looked like it was from their IT department to all staff members from a Yahoo account asking recipients to reply with their username and password to "fix" something.
1/3 of the companies executives, including the CEO, and about 1/6 of the staff responded. Once the CEO was shown the results, and that he fell for it, he approved the purchase of key fobs for two-factor authentication immediately and mandated the use across all platforms, a multi-million dollar project that took six months.
Just simple examples. Most IT people would say "duh" to, but plenty of IT departments out there run by non-technical folk who don't "get it" at all or even technical folk who find security too "inconvenient" or "expensive" to implement even the basics like dual-factor authentication.
I've worked for a place once that fired me for patching a remote root exploit. In the end, I was happy to leave. The people that did the firing were summarily fired by the CTO when he found out why I was gone. Guess I made an impression. He called to apologize. I appreciated his effort but I was long-gone and wasn't interested in returning to a place that messed up. They're gone now also, so I can say that most of HP's employees pay checks in the traditional print products "pipeline" were generated from that place's data mining system, amongst other things that they did.
(No we weren't HP. In a huge irony we could never figure out, they paid us to calculate their staff's commissions for one of their divisions because apparently they couldn't build their own system to do it? We enjoyed the cash. We weren't so hot on being forced to put in a bank of HP hardware and maintain a bunch of HP-UX systems when the entire rest of the server farm was IBM hardware running Linux... The HP contract was lucrative enough that we put up with that silliness and non-standardization.)
