The leaking of data for more than 32 million users from the online cheating websites Ashley Madison and Established Men will have left many today with a few heart palpitations and sweaty palms, with the rest already on the receiving end of some stern words.
While social media is alive with discussion about the rights and wrongs of the data dump, databases have already been put up on conventional websites not to name and shame customers, but so that concerned users can search to see if they are on the list.
Three websites, haveibeenpwned.com, ashleymadisonleakeddata.com and ashleymadisonleaked.com, have all been set up for the purpose, although the last has gone down because it has not been able to handle the overwhelmingly high number of users. All three sites search the leaked databases to see whether an email address is a match.
Anyone who fears their email could have been maliciously put on the site may also do well to avail themselves of the service. Individuals who have downloaded the lists from the dark web are racing against time to upload them onto comprehensive searchable databases.
Already a number of email addresses from employees at companies such as Amazon, Boeing and Sony; government agencies in the UK, Canada and France; defence contractors like Raytheon and BAE Systems; and banks including JP Morgan, Bank of America and Citigroup have made it on to the conventional web.
Customers' details are believed to have been leaked: their names, ages, weight, height and, embarrassingly, their sexual preferences and pictures of users in compromising positions. Perhaps most worryingly, information such as credit card details, PayPal account information and home addresses has also been made available.
Cyber security company Blue Coat, which has been doing its own research into the data leak, has said the aftermath will last a month and in the coming weeks three prongs of attack by those wishing to gain from the information can be expected:
1. Reselling personal data to other cyber attackers: Now that more than 9 gigabytes of data has been released, they may begin to look at the financial value of a target to see if they will profit from the time spent building malware for the attack. This data is most likely to be among some of the most valuable compromised so far. If it is worth $100 to 'go away' and there are 37m users, this could be one of the largest cyber heists in history.
2. Financial or non-financial blackmail of Ashley Madison and its customers: Not all of the personal data of Ashley Madison users has been released; therefore cyber attackers may go directly to the management, or to the individual users of Ashley Madison, and ask for a payment for the release/deletion of personal data. Blackmail can also happen through non-financial means by coercing victims into working with the attackers as an insider.
3. Social engineering to take down bigger business targets: Attackers can identify high value targets who are members of Ashley Madison and collect widely available social media data to impersonate the victim over a long period. If successful, attackers can gain unrestricted access to corporate networks and sensitive work information.
NOTE: This article has been altered to correct information that the sites above could only be accessed "once a confirmation has been sent". The databases can be checked without a confirmation.