This is an update to our initial coverage of the Ashley Madison hack. View the original story here.
Update: 9:00 a.m. ET: A group of researchers, dubbed Cynosure Prime, have successfully deciphered over 11.2 million Ashley Madison passwords in only ten days.
Although the passwords were hashed, a security feature that uses an algorithm to mask sensitive data, Ashley Madison used a less effective form of hashing which made the passwords easy to decipher.
This security blunder allowed Cynosure Prime to decode the passwords about a million times faster than if an appropriate hashing method was used.
Cynosure Prime is not releasing the cracked passwords; however, now that they’re methods have been publicized, copy-cats are likely to crack them on their own.
Ashley Madison users are urged to reset their password or delete their account.
Update 10:00 a.m. ET: Numerous search engines have been created to comb through the Ashley Madison leaked database for particular email addresses or other personally identifiable information. These sites pose major privacy and security concerns for all parties involved.
Some sites, such as Trustify, reportedly recorded all email addresses entered into their search feature. And anyone whose email is searched using Trustify will receive a message stating someone has searched for his or her information in the Ashley Madison database.
The message reportedly continues with a sales pitch for consulting services.
Consumers must also be on alert for cybersecurity threats. Many search sites contain malware that could be detrimental to your devices and the personal information they store.
Other sites will use the entered email addresses to deploy mass phishing scams. Do not reply to, click on or forward any emails regarding the Ashley Madison hack.
It has been widely reported that on July 19, hackers infiltrated AshleyMadison.com — stealing highly sensitive user data from this affair-oriented dating site. Hackers demanded the adultery-laden site be shut down or they would publish the intimate details of 37 million Ashley Madison users.
Now that the Ashley Madison hack is no longer in question and has moved to a state of exposure, it has opened up a vital conversation about ethics and future implications of data security.
Ashley Madison and its affiliates continued to operate as normal, ignoring the cybercriminals’ demands. Exactly 30 days after the high-profile hostage situation, hackers began dumping Ashley Madison data on the Internet.
The 9.7 gigabytes of leaked data (for scale, 500 eBooks requires only 1 gigabyte of space) includes Ashley Madison users’ names, street addresses, email addresses, phone numbers, encrypted passwords, transaction amounts and the last four digits of payment cards or a transaction ID.
The leaked records date as far back as 2007.
These records may look minimal, but they can have massive consequences. Such information can be used to perpetrate identity crimes against these individuals, such as identity theft and fraud, especially when paired with information from other data breaches. Ashley Madison users should also be on high alert for phishing scams or black mail attempts following the attack.
These records have already created quite a buzz of scandalous conversation. For instance, DC has been named the most cheating city in the U.S. using Ashley Madison data. Think that’s bad? Ars Technica reports more than 15,000 exposed email addresses are hosted by US government and military servers using the .gov and .mil top-level domains.
All of this dumped data can be found on the Dark Web, a portion of the Internet not indexed by search engines. It is only accessible using specific software or configurations. The Dark Web is ripe with illegal and ethically questionable activities. EZShield, like many other companies, offers services that monitor the Dark Web for signs of personal data being bought and sold to facilitate identity crimes.
While this data has only been uploaded to the Dark Web, there is a way for non-Dark Web users to see if their information was exposed. HaveIBeenPwned.com, a website dedicated to indexing breached data, now includes Ashley Madison information in their email address search feature. However, HaveIBeenPwned’s founder, Troy Hunt, took a strong stance on this incriminated data and implemented a verification process in order to pair email addresses with the Ashley Madison hack.
It is vital to note that Ashley Madison does not verify email addresses when signing up, so there is the potential for users to set up accounts under fake email addresses. Apparently, someone even set up an account using former British Prime Minister Tony Blair’s work email.
Hunt backs his move by citing concerns for the human impact of this leak: while Ashley Madison did facilitate extramarital relations, an incredibly unethical act, there will be real life consequences if this data is shared by the masses — including divorce and broken families.
A hack with such dire consequences has never truly been seen before. And it will undoubtedly make many question how much our online activities are truly private. These online activities don’t have to be as incriminating as partaking in Ashley Madison’s services. Consider something as simple as creating a health profile online. Would you feel comfortable if someone posted your physical or even mental health information for the world to see?
It’s a pertinent question we must think about moving forward and one I’m sure Ashley Madison users wish they had thought of before enrolling.
For more information on cybersecurity, visit FightingIdentityCrimes.com.
The views and opinions expressed in this article are those of EZShield Inc. alone and do not necessarily reflect the opinions of any other person or entity, including specifically any person or entity affiliated with the distribution or display of this content.