Ashley Madison data breach

In July 2015, an unknown person or group calling itself "The Impact Team" announced they had stolen the user data of Ashley Madison, a commercial website billed as enabling extramarital affairs. The hacker(s) copied personal information about the site's user base and threatened to release users' names and personal identifying information if Ashley Madison would not immediately shut down. As evidence of the seriousness of the threat, the personal information of more than 2,500 users was initially released. The company initially denied that its records were insecure, but it continued to operate.

Because of the site's lack of adequate security and practice of not deleting users' personal information from its database – including real names, home addresses, search history and credit card transaction records – many users feared being publicly shamed.

On 18 and 20 August, more than 60 gigabytes of company data was publicly released, including user details. The released data even included personal information about users who had paid the site to delete their personal information since the company had not deleted the data they claimed to have erased.

Timeline
The Impact Team announced the attack on 19 July 2015 and threatened to expose the identities of Ashley Madison's users if its parent company, Avid Life Media, did not shut down Ashley Madison and its sister site, "Established Men".

On 20 July 2015, the Ashley Madison website put up three statements under its "Media" section addressing the breach. The website's normally busy Twitter account fell silent apart from posting the press statements. One statement read:

"At this time, we have been able to secure our sites, and close the unauthorized access points. We are working with law enforcement agencies, which are investigating this criminal act. Any and all parties responsible for this act of cyber-terrorism will be held responsible. Using the Digital Millennium Copyright Act (DMCA), our team has now successfully removed the posts related to this incident as well as all Personally Identifiable Information (PII) about our users published online."

The site also offered to waive its account deletion charge.

More than 2,500 customer records were released by "The Impact Team" on 21 July, but the company initially denied the claim that its main database was insecure and had been hacked. However, more than 60 gigabytes of additional data was released on 18 August and was confirmed to be valid. The information was released on BitTorrent in the form of a 10 gigabyte compressed archive; the link to it was posted on a dark web site only accessible via the anonymity network Tor. The data was cryptographically signed with a PGP key. In its message, the group blamed Avid Life Media, accusing the company of deceptive practices: "We have explained the fraud, deceit, and stupidity of ALM and their members. Now everyone gets to see their data ... Too bad for ALM, you promised secrecy but didn't deliver."

In response, Avid Life Media released a statement that the company was working with authorities to investigate, and said the hackers were not "hacktivists" but criminals. A second, more extensive, data dump occurred on 20 August 2015, the largest file of which comprised 12.7 gigabytes of corporate emails, including those of Noel Biderman, the CEO of Avid Life Media.

In July 2017, Avid Life Media (renamed Ruby Corporation) agreed to settle two dozen lawsuits stemming from the breach for $11.2 million.

Impact and ethics
None of the accounts on the website need email verification to create a profile, meaning that people often create profiles with fake email addresses. Ashley Madison's company required the owner of the email account to pay money to delete the profile, preventing people who had accounts set up without their consent (as a prank or mistyped email) from deleting them without paying. Hackers allege that Avid Life Media received $1.7 million a year from people paying to shut down user profiles created on the site. The company falsely asserted that paying them would "fully delete" the profiles, which the hack proved was untrue.

Josh Duggar, a 27-year-old man who had become famous as a teenage member of a conservative Christian family featured on a reality television series named 19 Kids and Counting, was one notable user of Ashley Madison whose data was breached. The released data included records of nearly $1,000 of transactions on a credit card account in his name. The news of the data release compounded his problems with revelations earlier that year about police reports of his sexual misconduct; on 20 August, he admitted he had been unfaithful to his wife. The data breach had quickly followed the release of a past police report alleging that he had fondled five underaged girls, including a few of his own sisters. On 25 August, he checked himself into a rehabilitation center.

Following the hack, communities of internet vigilantes began combing through to find famous individuals whom they planned to publicly humiliate. France24 reported that 1,200 Saudi Arabian '.sa' email addresses were in the leaked database, which were further extortionable since adultery is punishable via death in Saudi Arabia. Several thousand U.S. .mil and .gov email addresses were registered on the site. In the days following the breach, extortionists began targeting people whose details were included in the leak, attempting to scam over US$200 worth of Bitcoins from them. One company started offering a "search engine" where people could type email addresses of colleagues or their spouse into the website, and if the email address was on the database leak, then the company would send them letters threatening that their details were to be exposed unless they paid money to the company.

A variety of security researchers and internet privacy activists debated the media ethics of journalists reporting on the specifics of the data, such as the names of users revealed to be members. A number of commentators compared the hack to the loss of privacy during the 2014 celebrity photo hack.

Clinical psychologists argued that dealing with an affair in a particularly public way increases the hurt for spouses and children. Carolyn Gregoire argued that "Social media has created an aggressive culture of public shaming in which individuals take it upon themselves to inflict psychological damage" and that more often than not, "the punishment goes beyond the scope of the crime." Graham Cluley argued that the psychological consequences for people shamed could be immense and that it would be possible for some to be bullied into suicide. Charles J. Orlando, who had joined the site to conduct research on women who cheat, wrote of his concern for the spouses and children of outed cheaters, saying that "the mob that is the Internet is more than willing to serve as judge, jury, and executioner" and that site members did not deserve "a flogging in the virtual town square with millions of onlookers".

On 24 August 2015, Toronto police announced that two unconfirmed suicides had been linked to the data breach, in addition to "reports of hate crimes connected to the hack". Unconfirmed reports say a man in the U.S. died by suicide. At least one suicide, which was previously linked to Ashley Madison, has since been reported as being due to "stress entirely related to issues at work that had no connection to the data leak". The same day, a pastor and professor at the New Orleans Baptist Theological Seminary killed himself citing the leak that had occurred six days before.

Users whose details were leaked filed a $567 million class-action lawsuit against Avid Dating Life and Avid Media, the owners of Ashley Madison, through Canadian law firms Charney Lawyers and Sutts, Strosberg LLP. In July 2017, the owner of Ruby Corp. announced the company would settle the lawsuit for $11.2 million. In a 2019 interview, Ashley Madison's chief strategy officer Paul Keable confirmed the installment of security features like two-factor verification, PCI compliance and fully-encrypted browsing as a consequence of the hacker attack from 2015.

In 2024, Netflix released Ashley Madison: Sex, Lies & Scandal, a three-part docuseries on the incident.

Data analysis
Annalee Newitz, editor-in-chief of Gizmodo, analyzed the leaked data. They initially found that only roughly 12,000 (0.2%) of the 5.5 million registered female accounts were used regularly. The vast majority of accounts had been used only once, the day they were registered. Newitz also found that many women's accounts were created from the same IP address, suggesting there were many fake accounts. They found that women checked email messages very infrequently: every one time a woman checked her email, 13,585 men checked theirs. Only 9,700 of the 5 million female accounts had ever replied to a message, compared to the 5.9 million men who would do the same. They concluded, "The women's accounts show so little activity that they might as well not be there." In a subsequent article the following week Newitz acknowledged that they had "misunderstood the evidence" in their previous article and that their conclusion that there were few females active on the site had been based on data recording "bot" activities in contacting members. Newitz confirmed that Ashley Madison had created more than 70,000 female bots to send millions of fake messages to male users. Still, they note that "we have absolutely no data recording human activity at all in the Ashley Madison database dump from Impact Team. All we can see is when fake humans contacted real ones." They noted that the site seemed to keep track of human-to-human contact but that the Impact Team had not released this data.

Passwords on the live site were hashed using the bcrypt algorithm. A security analyst using the Hashcat password recovery tool with a dictionary based on the RockYou passwords found that among the 4,000 passwords that were the easiest to crack, "123456" and "password" were the most commonly used passwords on the live website. An analysis of old passwords on an archived version showed that "123456" and "password" were the most commonly used. Due to a design error where passwords were also hashed separately with the insecure algorithm MD5, 11 million passwords were eventually cracked.

While acknowledging that some men had detected the ruse, staff writer Claire Brownell of the Financial Post suggested that if only a few interactions were conducted, the Turing test could be passed by the women-imitating chatbots that had fooled many men into buying special accounts.

Popular culture

 * The data breach is the subject of the 2024 Netflix series Ashley Madison: Sex, Lies & Scandal.