It’s not an attack on government systems, but that doesn’t mean there aren’t some feds scrambling over the AshleyMadison.com hack.
More than 15,000 government and military email domains are among the 36 million email addresses released Tuesday night as part of the massive data breach associated with the online infidelity site.
A hacking group calling itself “The Impact Team” dumped 10 gigabytes of data stolen from Avid Life Media, the proprietor of AshleyMadison.com. On top of email addresses, the data also includes first and last names, hashed passwords, addresses, credit card data, and transaction records.
The data has since made its way to torrents and pastebin dumps, with a list of federal, state and local government, and military domains hosted on the latter.
Addresses ending in “.mil,” the domain used by the military and Defense Department, were among the top government domains used, with “us.army.mil” topping the list with 6,788 addresses.
Not every address is necessarily tied to an actual government employee. An examination of the list shows some dummy addresses — clearly addresses like deathstar.gov, iran.gov and hot.mil don’t exist — yet addresses from NASA and the National Oceanic and Atmospheric Administration to the U.S. Patent and Trademark Office and the Pension Benefit Guaranty Corp. are represented on the list.
Also worth noting is the site allowed for users to sign up with real email addresses, but Avid Life did not have a protocol for verifying their authenticity.
A number of cybersecurity experts who have examined the data say it’s legit, confirming various parts of the data through outreach.
“I asked my twitter followers for those who had created accounts. I have verified multiple users of the site, one of which was a throw-away account used only on the site. Assuming my followers aren’t lying, this means the dump is confirmed,” Robert Graham, co-founder and chief technology officer of Errata Security, wrote on his blog.
The Impact Team told Avid Life last month that it would release its customer data if the company did not take down Ashley Madison and another site called Established Men. Prior to the hack, Ashley Madison charged users $19 to completely erase their profiles, but it’s clear now that information had been stored by the company.
Internet security expert Troy Hunt has attached the leaked data to his website haveibeenpwned.com, which allows people to figure out if their email or username has been posted in relation to a publicly disseminated hack. Hunt has also taken measures to make sure people can’t be searched for anonymously, the details of which are laid out on his blog.
The Impact Team also released a manifesto with the data, claiming everyone should see Avid Life’s data after explaining “the fraud, deceit, and stupidity of ALM and their members.”
“Find yourself in here? It was ALM that failed you and lied to you. Prosecute them and claim damages,” The Impact Team wrote. “Then move on with your life. Learn your lesson and make amends. Embarrassing now, but you’ll get over it.”
Graham said the morality play is a red herring.
“In all probability, their motivation is that #1 it’s fun and #2 because they can,” Graham wrote. “They probably used phishing, SQL injection, or re-used account credentials in order to break in.”
UPDATE 9/19, 12:50 p.m.: This story was updated to reflect that Ashley Madison did not ask for email verification upon signing up for the site.