​Does Ashley Madison represent a new era in hacking?

Hackers publish Ashley Madison data

Hacking is getting more personal.

There's nothing fun or easy about having your credit card information stolen or having to change every password you ever use. But credit cards can be reissued, fraudulent charges waived and new passwords created.

That's a pain, but it's not as complicated as what victims of the latest hack will have to deal with if and when their misdeeds are revealed to loved ones, coworkers, the world.

The FBI is investigating the hack on Ashley Madison, where a purported 37 million users went looking for trysts outside their relationships. The attack does not appear to be about money -- at least not in the traditional sense. There's value in information, and the hackers can certainly find a way to monetize the email addresses, personal profiles and sexual proclivities of the millions of people whose information they stole. But there's another side to that value: the personal value of that information to the people exploited, and the potentially irreparable damage it could do to their relationships if exposed.

Extortion is nothing new. But exposing of tens of millions of people in one fell swoop? That's special.

When hackers infiltrated Sony Pictures in December, they destroyed data and released reams of emails, throwing a light on Hollywood quibbles and nasty, racist commentary.

At the time, Richard Bejtlich, chief security strategist at FireEye, which owns Madiant, the company hired by Sony to investigate the breach, told CBS News that what made that attack stand out from so many others was the combination of destruction and the release of embarrassing data. "Put those two together and those are some new dimensions that most security, IT and even management teams aren't used to dealing with," he said.

Since Sony, there have been other massive security breaches, including the release of 80 million health records from insurer Anthem and the Office of Personnel Management (OPM) hack that exposed personnel data for more than 21 million past and current government employees. But even those seem "normal" compared to Ashley Madison, which seems targeted toward punishing bad behavior -- both of the site's users and of the site itself.

Security researcher Troy Hunt runs a site called "Have I been pwned?" (pwned being hacker lingo for owned, or taken advantage of). It lets people type in their email and immediately see whether it's been included in hacking-related data dumps.

Screenshot from one of several sites dedicated to telling people whether their email addresses were compromised in the Ashley Madison hack. The site was quickly taken down. ashleymadisonleakeddata.com

Though the leaked Ashley Madison information is technically publicly available (if you know where and how to look for it), Hunt decided not to make it easily searchable on HIBP.

"I don't believe it's responsible to make all the (Ashley Madison) accounts discoverable by anyone. Yes, they will be through various other routes anyway, but I'm not prepared for HIBP to be the avenue through which a wife discovers her husband is cheating or something even worse happens," Hunt wrote in a blog post at the end of July, preparing for when the hackers would eventually make good on their threat to release all user data.

A visit to his site now classifies Ashley Madison as "sensitive" and will only return search results to people via notifications to a verified email address. You can know, but no one else can find out about you.

Looking up email addresses to see if they were part of the nearly 10 gigabytes of Ashley Madison data dumped onto the Web has led to an instantaneous cottage industries of several homemade sites that do exactly -- and only -- that.

It's worth noting that although several sources have confirmed that real emails were leaked from the site, not all the email addresses were verified, many were fake or could have been added by the hackers, as CNET pointed out, and that having signed up for the site does not equal having actually engaged in an extramarital affair.

Even the hackers who perpetrated the attack recognize this, though they seem light on sympathy. In a note accompanying the data dump, the group, called Impact Team, wrote, "Chances are your man signed up on the world's biggest affair site, but never had one. He just tried to. If that distinction matters."

The hackers go on to blame Avid Life Media, the site's owner, for "failing" and lying to their users and encourage those exposed to prosecute the company, "then move on with your life."

"Learn your lesson and make amends," the note says. "Embarrassing now, but you'll get over it."

Of course, whether or not individuals exposed by the hack will be able to "get over it," will depend on what "it" means to them.

"Nearly every day since I first reported the exclusive story of the Ashley Madison hack on July 19, I've received desperate and sad emails from readers who were or are AshleyMadison users and who wanted to know if the data would ever be leaked, or if I could somehow locate their information in any documents leaked so far," security expert Brian Krebs wrote on his blog Tuesday.

They can now find out on their own, but that may provide little solace.

And the whole affair, if you will, serves as a stern reminder and distressing harbinger. We should all be smart about what we put online, we should all use strong passwords and follow best practices, we should all be careful about engaging in potentially damning and probably trackable activities. And we should all be prepared for the next big breach, because the paradigm may be shifting, and these days, it's personal.

f

We and our partners use cookies to understand how you use our site, improve your experience and serve you personalized content and advertising. Read about how we use cookies in our cookie policy and how you can control them by clicking Manage Settings. By continuing to use this site, you accept these cookies.