Ashley Madison Leaked Data

I read a news article that said some users in Saudi Arabia were exposed. Seriously uncool for them whoever they are seeing that adultery is punishable by death there. :eek:
 
Fearless Tower said:
Is it though? This whole thing sounds fishy. Seems there are multiple sites now to 'search' the database. Are these even legit? Are we really to believe that the president@whitehouse.gov is a member?

CNN seems to be falling over themselves plugging in email addresses to check folks out.

I don't believe anybody at this point.
Click to expand...

I simply meant that making a promise to be faithful to someone and then looking to break that promise (the whole premise behind Ashley Madison) makes the person "litter".

As to the veracity of the leaked info, I have no idea. But like many, I wouldn't touch that verification site with a 10' keyboard and industrial strength firewall...

John
 
I would guess most of these types of sites are scams aiming to harvest email addresses.
 
Fwiw, having seen the full scope of the data, it is very easy to tell if someone actually signed up or if someone else used their email address to do it.

If you know the person, there are sufficient details in their profile to establish that it is really them.
 
SkyHog said:
Fwiw, having seen the full scope of the data, it is very easy to tell if someone actually signed up or if someone else used their email address to do it.

If you know the person, there are sufficient details in their profile to establish that it is really them.
Click to expand...

Maybe, but in cases of identity theft it may still be a problem for the innocent.

Beyond that, my guess is that a lot of folks won't look at the whole data set for an individual, only the email address.

Personally, I think this kind of cyber terrorism is bad for the internet as a whole, though perhaps some people will finally learn that one never posts online (even "privately") any information they wouldn't want to see in a headline tomorrow.
 
jsstevens said:
I simply meant that making a promise to be faithful to someone and then looking to break that promise (the whole premise behind Ashley Madison) makes the person "litter".

As to the veracity of the leaked info, I have no idea. But like many, I wouldn't touch that verification site with a 10' keyboard and industrial strength firewall...

John
Click to expand...

Agree on both counts.

Also noted that taking down Ashley Madison doesn't eliminate opportunities for someone so inclined to chase an "affair". Sites ranging from Craig's List to Adult Friend Finder to YouPorn still exist. CL is still under pressure from law enforcement to ensure that illegal behavior doesn't take place there (prostitution, et al - see below). At one point, there were even Yahoo groups where such behavior could take place (I have no idea how it is now, back when I worked in media I worked with some folks that investigated such stuff. I think they either eliminated it or created "adult only" sections. I don't go there, so no knowledge).

http://www.cbsnews.com/news/pa-woman-18-charged-with-killing-man-she-met-on-online/
 
wsuffa said:
Agree on both counts.

Also noted that taking down Ashley Madison doesn't eliminate opportunities for someone so inclined to chase an "affair". Sites ranging from Craig's List to Adult Friend Finder to YouPorn still exist. CL is still under pressure from law enforcement to ensure that illegal behavior doesn't take place there (prostitution, et al - see below). At one point, there were even Yahoo groups where such behavior could take place (I have no idea how it is now, back when I worked in media I worked with some folks that investigated such stuff. I think they either eliminated it or created "adult only" sections. I don't go there, so no knowledge).

http://www.cbsnews.com/news/pa-woman-18-charged-with-killing-man-she-met-on-online/
Click to expand...

whoa there! don't be knocking youporn...that's a staple in some people's diets!
 
Fearless Tower said:
Is it though? This whole thing sounds fishy. Seems there are multiple sites now to 'search' the database. Are these even legit? Are we really to believe that the president@whitehouse.gov is a member?

CNN seems to be falling over themselves plugging in email addresses to check folks out.

I don't believe anybody at this point.
Click to expand...

I checked several of my own throwaway addresses (on a Linux box and through a proxy server), and none of them came up. But president@whitehouse.gov did. That was the only one I checked that came up, in fact.

Actually, I'd be very surprised if at least half the Congress weren't in there, as well. But the individual running the site caved to a DMCA demand to take it down.

Rich
 
RJM62 said:
Actually, I'd be very surprised if at least half the Congress weren't in there, as well. But the individual running the site caved to a DMCA demand to take it down.
Click to expand...


AM claimed they held copyright to their stolen database's data? ROFL.
 
Ahh, a nice witch hunt for the digital age. The last words of one particular convicted killer were "the good people always think they're right."
 
SkyHog said:
Fwiw, having seen the full scope of the data, it is very easy to tell if someone actually signed up or if someone else used their email address to do it.

If you know the person, there are sufficient details in their profile to establish that it is really them.
Click to expand...
It depends.

Apparently there are two different data sets. One includes all email addresses used to access AM which includes bogus emails people may have entered just to take a look inside.

The second data set is what contains the actual account information from repeat visitors/folks that paid money.
 
From a cyber heist newsletter I get (and which has been spot on alerting me to scams / tactics BEFORE I hear about them on the news):

Phishing Alert: Warn Your Users Against Ashley Madison Scams Now
Your end-users saw this in the news yesterday, or will read about it today. The hackers who stole more than 36 million records from the Ashley Madison site (which makes it easy to cheat on your spouse), have now posted all the records for everyone to see. This is a bad one.

Cyber criminals are going to leverage this event in a lot of different ways: (spear-) phishing attacks, bogus websites where you can "check if your spouse is cheating on you", or ways to find out if your own extramarital affair has come out.

Any of these 36 million registered users are now a target for a multitude of social engineering attacks. People that have (had) straight or gay extramarital affairs can be made to click on links in emails that threaten to out them.

I have already seen phishing emails that claim people can go to a website to find out if their private data has been released. This is a nightmare that will be exploited by spammers, phishers and blackmailers who are now gleefully rubbing their hands, let alone the divorce lawyers and private investigators that are pouring over the data now.

What To Do About It

I suggest that you take immediate preventive action. It only takes one second for a worried end-user (or admin) to click on a link in an email and expose the network to attackers. I recommend you send something like this to your friends, family and end-users. Feel free to edit.

"Yesterday 36 million names, addresses and phone numbers of registered users at the Ashley Madison site (which makes it easy to cheat on your spouse) were posted on the Internet. All these records are now out in the open, exposing highly sensitive personal information.

Internet criminals are going to exploit this in many ways, sending spam, phishing and possibly blackmail messages, using social engineering tactics to make people click on links or open infected attachments. Be on the lookout for threatening email messages which slip through spam filters that have anything to do with Ashley Madison, or that refer to cheating spouses and delete them immediately, in the office or at the house."

Please forward this to friends, family, colleagues and peers.

As you can see, stepping your users through effective security awareness training is an absolute must these days. For KnowBe4 customers, we have a new Current Events template that lures people into clicking on a link to a website to see if their spouse has not been faithful. The subject of the template is "Your spouse was found in the Ashley Madison list". We strongly recommend you send this to your employees as soon as possible.
Click to expand...
 
I just don't understand how any web site could make it easy to cheat on your spouse. I don't care what kind of web site it is, if I were to cheat on my spouse, she would know it immediately.

Apparently it worked for a lot of people. I just don't understand how.
 
Fearless Tower said:
It depends.

Apparently there are two different data sets. One includes all email addresses used to access AM which includes bogus emails people may have entered just to take a look inside.

The second data set is what contains the actual account information from repeat visitors/folks that paid money.
Click to expand...

Apparently you haven't looked at the data.

There are 7 data sets. One has emails, one has account profiles, including sexual preferences, kinks, and their password hash. One has additional details on the user, such as city, state, zip. One has activity details. One has financial transactions (only a partial set, and no revealing info except the AM act number and the cc holder's name). Then it has the entire source for their website so you could create it yourself if you so chose.

It has much more than "emails and financials"
 
SkyHog said:
Apparently you haven't looked at the data.
Click to expand...
You are correct - I am not about to visit the sites and plug info into them.

My only point being that simply finding someone's email in one of the data sets by itself doesn't mean jack.
 
Interesting that this has attracted so much attention since people have been having affairs since marriage was invented.
 
Used to be that marriage was just a business deal to cement dynastic alliance, or to obtain dynastic resources or stature. Having as many mistresses as you could afford was normal.

We've really taken our puritanical heritage to the nth degree.
 
steingar said:
Used to be that marriage was just a business deal to cement dynastic alliance, or to obtain dynastic resources or stature. Having as many mistresses as you could afford was normal.
Click to expand...
That depends largely on the culture and in many cases economic status.

I'm surprised that you of all people (being a man of science) would make a blanket statement like that.
 
If I'm interpreting the leaker's statements correctly, their motivation was not the morality of adultery, but, rather, the fact that the site was mostly dudes and it did not deliver as promised.

Am I following?
 
jhausch said:
If I'm interpreting the leaker's statements correctly, their motivation was not the morality of adultery, but, rather, the fact that the site was mostly dudes and it did not deliver as promised.

Am I following?
Click to expand...

The hacker's stated reason is that the site offered a "for cost" way to remove your records from the site but didn't actually remove all the records from the site. THAT'S what the hackers claimed was the motivation.

John
 
jsstevens said:
The hacker's stated reason is that the site offered a "for cost" way to remove your records from the site but didn't actually remove all the records from the site. THAT'S what the hackers claimed was the motivation.

John
Click to expand...

They probably made more on the fee for purging data than they did on the matchmaking services! Every indication is it was a 10:1 ratio of men to women, so I suspect there was more disappointment than success for the male participants. Hormone-driven stupidity knows no bounds.
 
Fearless Tower said:
That depends largely on the culture and in many cases economic status.

I'm surprised that you of all people (being a man of science) would make a blanket statement like that.
Click to expand...

For most of history love was for people with insufficient resources to do ought else. I imagine their love was one of the few joys evident in their lives. But prostitution has flourished throughout history in just about every nation on Earth, often despite official disapprobation. Hence I suspect I am far more right than wrong. The fact that millions of potential miscreants have been unmasked in one of the most puritanical nations on Earth further reinforces my claim.
 
steingar said:
For most of history love was for people with insufficient resources to do ought else. I imagine their love was one of the few joys evident in their lives. But prostitution has flourished throughout history in just about every nation on Earth, often despite official disapprobation. Hence I suspect I am far more right than wrong. The fact that millions of potential miscreants have been unmasked in one of the most puritanical nations on Earth further reinforces my claim.
Click to expand...

In light of your stats, what makes the miscreants? :dunno:
 
So - since some of you are latching onto the "it could fake" bandwagon, here is an example profile, with the name/email address redacted - you can see that it is quite easy to determine validity.

S---- Se---- (redacted). Profile reads "Young and fun, and what else can you ask for?" Looking for: "Use a strap-on on me. I am looking for a real experimental person. My girlfriend is not up to par on the experimental part. Therefore I need to fill that void. By the way, I love the taste of a women and give oral for as long as she wants.

Then the list of kinks is very long, and not worth going into, but most interesting is that that person registered for their account from 43.1667,-79.25 (redacted to an extent), which happens to align to the registered address in St. Catharines, Ontario.

Digging into other data sets shows more revealing data that could be used to prove or disprove the veracity of someone's identity. I think that the location info is pretty damning or excusing in most cases.
 
jhausch said:
If I'm interpreting the leaker's statements correctly, their motivation was not the morality of adultery, but, rather, the fact that the site was mostly dudes and it did not deliver as promised.

Am I following?
Click to expand...

You're not following. The leakers objections were twofold: the morality of adultery, and the human trafficking element present in "Established Men," another site that Avid Entertainment runs.

The demand was to remove both sites, or the data would leak. They refused to comply, and the data leaked.
 
SkyHog said:
You're not following. The leakers objections were twofold: the morality of adultery, and the human trafficking element present in "Established Men," another site that Avid Entertainment runs.

The demand was to remove both sites, or the data would leak. They refused to comply, and the data leaked.
Click to expand...

In other words, a classic case of extortion.

If they has evidence of illegal behavior, there are any number of ways to engage the authorities and bring in the long arm of the law. That's one of the things that happened in the Jared case - a reporter that he trusted was appalled at some of the things he said and agreed to wear a wire for the FBI.

Instead these hackers have committed a felony (likely more than one), including extortion and illegal entry into a computer system. I have no sympathy for them, nor can I support their activity. And to be clear, I don't condone the behavior of those that used the site, though I do have sympathy for the families and organizations that will be negatively impacted by this.

(BTW, I'd be less trusting of the geo coordinates as (unless auto-generated by a GPS in a phone/tablet) as the coordinates might well have been generated internally from the physical address given by the user. Apparently IP addresses were in there, too, as that's what the AP used to determine the identity of certain government officials).
 
Last edited:
It would appear this whole thing has prompted an ad in the ATL paper:
attachment.php
 

Attachments

  • MateWanted.jpg
    MateWanted.jpg
    91.2 KB · Views: 532
LDJones said:
Every indication is it was a 10:1 ratio of men to women, so I suspect there was more disappointment than success for the male participants. Hormone-driven stupidity knows no bounds.
Click to expand...

That would have been my thought as well. Same thing as going to a nude beach, fat hairy old men generally dominate the population.

I know a couple guys (and no, I'm not talking about myself) that go on sites like match.com and get their hookups that way. It's reportedly easier than fishing in the shrimp tank.
 
jsstevens said:
The hacker's stated reason is that the site offered a "for cost" way to remove your records from the site but didn't actually remove all the records from the site. THAT'S what the hackers claimed was the motivation.

John
Click to expand...

What's funny is that paying for the records removal with a CC is exactly the thing that has exposed so many people. I've read many comments of people who said they signed up, goofed around on the site, then paid the $ to be "erased." That's the transaction that got them in the database.

Oops.
 
SkyHog said:
So - since some of you are latching onto the "it could fake" bandwagon, here is an example profile, with the name/email address redacted - you can see that it is quite easy to determine validity.



S---- Se---- (redacted). Profile reads "Young and fun, and what else can you ask for?" Looking for: "Use a strap-on on me. I am looking for a real experimental person. My girlfriend is not up to par on the experimental part. Therefore I need to fill that void. By the way, I love the taste of a women and give oral for as long as she wants.



Then the list of kinks is very long, and not worth going into, but most interesting is that that person registered for their account from 43.1667,-79.25 (redacted to an extent), which happens to align to the registered address in St. Catharines, Ontario.



Digging into other data sets shows more revealing data that could be used to prove or disprove the veracity of someone's identity. I think that the location info is pretty damning or excusing in most cases.
Click to expand...


One thing no one seems to have caught onto in the Press is that if one hacker group got in, others could have been there before them.

The "perfect crime" in the modern world would be to crack into any "vice" site, plant data into their internal systems, and then wait.

Or any other site you know is targeted by some group that's breaking the law who has the ability to claim some sort of moral high ground or some reason for the public to take notice of their "work"...

Then quietly let other "moral" crackers know there's a hole, with no easy way to trace that hint back to the source.

An insecure site is an insecure site. Whatever data you might find in it is severely suspect until corroborated by some other means.

Obviously some of the data in this one is true judging by the public admissions of guilt. Maybe all. Maybe all but one record.

Point is, even if this one isn't, folks had better learn quick that it doesn't take too
much skill to plant "evidence" in a database and cover one's tracks.

An insider could do it in a heartbeat, and money and power may want in on things like these high profile "leaks" if they find them effective at doing things like getting enemies fired or their resignation over a scandal, or throwing an election even if the data is found to be false later, etc.

The powers that he would love for everyone to believe "Cyberwarfare" only happens between nation-states. Manipulation of data to target an individual inside a country isn't on anyone's mind.

Don't care if this one is real or not. Just pointing out that I wouldn't put a lot of credibility on data stolen via an exploit and posted online until it's vetted, and even then, tossing a few extra records into this data before "going public" with it, would have been child's play.

Not knowing you were manipulated into downloading bad data -- thinking you're "saving the world" -- would be a very easy to imagine twist to these things, for anyone who knows systems security and cracker tactics.

There are criminals who think like the above, and far far worse out there. And have the skill-set to pull it off.
 
denverpilot said:
One thing no one seems to have caught onto in the Press is that if one hacker group got in, others could have been there before them.

The "perfect crime" in the modern world would be to crack into any "vice" site, plant data into their internal systems, and then wait.

Or any other site you know is targeted by some group that's breaking the law who has the ability to claim some sort of moral high ground or some reason for the public to take notice of their "work"...

Then quietly let other "moral" crackers know there's a hole, with no easy way to trace that hint back to the source.

An insecure site is an insecure site. Whatever data you might find in it is severely suspect until corroborated by some other means.

Obviously some of the data in this one is true judging by the public admissions of guilt. Maybe all. Maybe all but one record.

Point is, even if this one isn't, folks had better learn quick that it doesn't take too
much skill to plant "evidence" in a database and cover one's tracks.

An insider could do it in a heartbeat, and money and power may want in on things like these high profile "leaks" if they find them effective at doing things like getting enemies fired or their resignation over a scandal, or throwing an election even if the data is found to be false later, etc.

The powers that he would love for everyone to believe "Cyberwarfare" only happens between nation-states. Manipulation of data to target an individual inside a country isn't on anyone's mind.

Don't care if this one is real or not. Just pointing out that I wouldn't put a lot of credibility on data stolen via an exploit and posted online until it's vetted, and even then, tossing a few extra records into this data before "going public" with it, would have been child's play.

Not knowing you were manipulated into downloading bad data -- thinking you're "saving the world" -- would be a very easy to imagine twist to these things, for anyone who knows systems security and cracker tactics.

There are criminals who think like the above, and far far worse out there. And have the skill-set to pull it off.
Click to expand...

Lol.

That's all I have to say.

Actually, scratch that. You are turning this into the ultimate conspiracy theory. Somewhere, there is a centralized group of people that need a bunch of random joe blows to get divorced and lose their reputation, so they hacked into a site, planted their data, then let someone else discover it...

That is the most ridiculous thing I have ever heard.

Plain and simple: if it has your name, email, username, ip address, and satellite coordinates to your house captured at the time of registration (and not based on IP address, btw), and they all match you, it was you. Unless someone broke into your house, signed you up for the site with all of your normal personal info, then hid the Ashley Madison emails from your inbox, it's you.

This is the most bizarre conversation ever. The fakes are easy to spot.
 
You must log in or register to reply here.
Back
Top