When it comes to unmasking people who used the adultery website, it’s hard to trust the information that was posted online by hackers.
So, someone you know was named as a user of Ashley Madison, the dating website for married people. Is it really true? Maybe.
The website suffered a massive breach in July, when hackers broke in to its systems and stole 37 million user profiles, as well as internal information about the company. The hackers then tried to blackmail the site’s parent company, claiming they’d release customer names on the Web if the company didn’t shut down Ashley Madison and another site it runs, called Established Men.
Well, now they’ve released the names, and anyone with an Internet connection and some determination can find them.
But there’s a hitch: Any of the names included in the data dump could potentially have been inserted by a hacker. Even the group who posted the information acknowledges that those named might not have signed up for the site.
The company has verified it’s been hacked, and security researcher Brian Krebs has confirmed that some of the user information is accurate. But Stu Sjouwerman, chief executive of security company KnowBe4, said there are probably a few million fake accounts in there.
This isn’t just theory: The same question arose in July, when internal documents from Hacking Team, an Italian company that sells spying software to governments, were posted online.
The hackers who posted the Ashley Madison data claim many of the user profiles were falsified, though not by them.
“Keep in mind the site is a scam with thousands of fake female profiles,” they wrote on the webpage leading to the data dump, according to a report from Wired. “Chances are your man signed up on the world’s biggest affair site, but never had one.”
Indeed, Wired noted that a user created an account with an email address appearing to belong to former UK prime minister Tony Blair. But the website didn’t verify user email addresses. “Anybody can register with any email address,” Sjouwerman said.
The hackers’ note also encourages people who find themselves listed to sue Ashley Madison for failing to deliver on its promise of secrecy. If anyone named in the information does sue, it’s possible the company will have to address the accuracy of the information posted.
Sjouwerman said users would have a lot to complain about in a lawsuit. Even though some accounts will inevitably be fake, plenty will be real.
What’s more, the leaked information is very personal, and as such, it’s currency for hackers. People who registered on the website could now receive highly personal emails they’re tempted to click on but that actually contain malicious software.
“This is a bad one,” Sjouwerman said.