7 Things You Need to Know About the Ashley Madison Hack — and More!


(Photo: AshleyMadison.com)

Note: This story has been updated to reflect more recent developments in the ongoing saga of Ashley Madness.

You just found out that the premier website for enabling infidelity had its members’ guts spilled all over the Internet, and now you’re sweating bullets.

You naughty little minx.

Relax. We’re not here to judge; we’re here to help.

On Tuesday, the hacker group Impact Team made good on the threats it made last month by dumping the data from some 37 million Ashley Madison subscribers on the Web. This could potentially be the most damaging hack ever devised, depending on whether or not (a) you are among the millions whose data was leaked and (b) your significant other gets wind of it.

By most accounts, the data seems to be legitimate. That’s the bad news. The good news is, well, that the bad news may not be that bad. At least, not for most of us.

Here are seven essential facts you should know about the Ashley Madison hack.

You can find out if your identity was leaked

Not surprisingly, several sites have popped up offering to search the leaked data to let you know if your email (or your snuggle bunny’s) was among the 37 million. Ashley Madison appears to be doing its best to shut these sites down. The site Ashley Madison Data Leak, for example, had already received a takedown notice a few hours after it appeared.


Trustify will tell you if your email is in the Ashley Madison data dump — and then try to sell you services to protect yourself. (Too late.)

At press time, the site Ashley.cynic.al was still able to give you the thumbs-up or thumbs-down on any email address you enter, as will Trustify (though the latter will then try to get you to sign up for its data protection services). The site Have I Been Pwned also lets you check on an address, but when we plugged in an address we knew was part of the database, it came up negative. Your pwnage may vary.

Update: The Have I Been Pwned site did return a positive result for the Ashley Madison member email after we verified ownership of the email address in question. Still, giving a false result initially is, at the very least, an extremely odd design choice.

Just because your email comes up doesn’t mean you signed up for Ashley Madison

Because the service did not verify members’ emails, there’s no way to know if any of these addresses are legit. So even if yours shows up, it’s conceivable (if somewhat unlikely) that someone else added your email. Whether your spouse will buy that story is another matter.

And if you did, you’d be in good company

Or bad, depending on your point of view. A number of websites have taken to outing famous personages — such as former reality TV star Josh Duggar and former British Prime Minister Tony Blair — whose online identities appear to have been leaked. Again, though, there’s no way to verify these accounts are genuine.

Update: Duggar later admitted to committing infidelity and indulging in other naughty Internet activities without explicitly mentioning Ashley Madison.


Was former British Prime Minister Tony Blair looking for love in at least one wrong place? (Photo: Yahoo News UK)

Just because someone signed up for Ashley Madison doesn’t mean they had an affair

Though the site’s famous motto is “Life is short, have an affair,” there is no requirement for members to actually be married, nor does the website verify one’s marital status. Given the allegedly high number of fake female profiles and the overwhelmingly large percentage of male users — some 80 percent of the leaked profiles were of men, according to published reports — basic math suggests that the vast majority of Ashley Madison users have yet to make good on that motto.

Infidelity may be the least of your problems

If your spouse checks the data dump and finds your name there, you may be in for a series of long and painful discussions or even a visit to divorce court. Even then, though, the real danger from the AM breach is good old-fashioned identity theft. The data dump included real names, passwords, addresses, dates of birth, credit card numbers, and GPS coordinates for millions of users, as well as whether they like to cuddle or practice good personal hygiene.

The odds of someone outing you as a cheater are still relatively small. The odds of some petty cyberthief selling your information or using it in nefarious ways are much higher.

Update: A second data dump, twice the size of the first, was released later in the week. It appears to contain mostly source code for Avid Life Media Web sites and the personal correspondence of CEO Noel Biderman.

Ashley Madison could be legally liable

The site’s response to this breach has been to admit the hack but then to downplay its seriousness, claiming that most of the data that has been released was fake or stolen from other sites (which is apparently untrue). But the company’s failure to notify users of the breach could land it in legal hot water.

Ashley Madison’s parent company, Avid Life Media, is based in Toronto. Canada’s recently amended data privacy law requires companies to notify individuals when they suffer a data breach that creates “a real risk of significant harm.” Failure to do so can result in criminal charges and fines of up to $100,000 Canadian. In the U.S., 47 states have laws on the books requiring private companies to notify users of data breaches, though the terms and penalties vary.


Even after it was hacked, Ashley Madison continued to send emails to its members — but none of them mentioned the data breach.

As far as we can determine, no notice has been given to Ashley Madison subscribers. A test account, maintained by this author for research purposes — yes, really — continues to receive email alerts from Ashley Madison with no mention whatsoever of a data breach. The company posted a handful of statements about the hack on its media page and via its Twitter account but makes no mention of the breach anywhere on the dating site itself.

Update: So far, at least one class action suit has been filed against Ashley Madison in Canada. It’s reasonable to assume more are on the way.

Some people are unbelievably stupid

The number of legitimate-looking work emails released in the hack is kind of mind-blowing. Hackers have posted long lists of addresses organized by domain; they include some 15,000 U.S. government employees as well as members of the military, various large corporations, and even the Vatican.

The moral of this story: If you must sign up for a website that helps you commit adultery (or worse), use a fake name and a disposable email address. Otherwise, you almost deserve what’s coming to you.

Send email to Dan Tynan here or follow him on Twitter.
