Ashley Madison hackers make good threat to publish user details

Key points

The hackers who last month claimed to have penetrated the (seemingly lackadaisical) security of infidelity dating website Ashley Madison have made good on their threat and dumped 9.7 gigabytes of user data on an untraceable "dark web" site. And the accounts include someone claiming to be "Tony Blair".

Ten gigabyte dump on .onion address includes users' names, addresses and credit card details

And the accounts include someone claiming to be "Tony Blair".

The data dump includes user names and passwords, as well as the names, addresses, phone numbers and payment card details that the users keyed-in to the website.

In a statement, the hackers - whose motives appear to be moral - said that they had published the details because Ashley Madison's owner, Avid Life Media, had failed to comply with their demand to discontinue the site.

"Avid Life Media has failed to take down Ashley Madison and Established Men. We have explained the fraud, deceit, and stupidity of ALM and their members. Now everyone gets to see their data."

They continued: "Keep in mind the site is a scam with thousands of fake female profiles. See ashley Madison fake profile lawsuit; 90-95 per cent of actual users are male. Chances are your man signed up on the world's biggest affair site, but never had one. He just tried to. If that distinction matters.

"Find yourself in here? It was ALM [Ashley Madison] that failed you and lied to you. Prosecute them and claim damages. Then move on with your life. Learn your lesson and make amends. Embarrassing now, but you'll get over it."

While the hackers claim to have published data from Ashley Madison and Established Men, a website run by Avid Life Media for young women to hook-up with rich older men, they appear to have ignored "Cougar Life", another Avid Life Media-owned company for older women to snag younger men.

Early analyses of the data dump indicate that passwords, at least, were hashed using the reasonably secure bcrypt algorithm for PHP, which is an improvement on MD5 hashes or, all too common in recent attacks, plain text, but bcrypt can be cracked by a determined attacker.

Last month, Ashley Madison CEO Noel Biderman admitted the hack, but claimed that it was an inside job and implied that the attackers were known and would, hence, be quickly apprehended: "I've got their profile right in front of me, all their work credentials. It was definitely a person here that was not an employee but certainly had touched our technical services," Biderman told security specialist Brian Krebs.

He also implied that the company was working with law enforcement agencies to take down The Impact Team, the group that, it was widely claimed at the time, to be behind the attack. Tuesday's missive from the hackers signed off: "We are not Impact Team, in case that wasn't clear."

At the time of the attack in July, the hackers also claimed that the $19 that the company charges for users to fully delete their account - expunging all record of their ever having been a member of the site - was total nonsense: the hackers claim that their details will also be in the 9.7GB data dump.

Indeed, despite their moralising about the rationale of the website - facilitating relationship cheating - they claim to have been ultimately motivated by the "complete lie" of Ashley Madison's $19 Full Delete feature.

"Full Delete netted ALM $1.7 million in revenue in 2014. It's also a complete lie," they wrote. "Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is, of course, the most important information the users want removed."