The ‘massive’ cache includes users’ personal details, as well as a wide range of internal corporate documents, researchers said
The hacker or hackers who published internal data stolen from adultery website Ashley Madison last month have released a much larger cache of data from the site, including details on users and executives and internal corporate documents, security researchers said.
“The database dump appears to be legitimate and contains usernames, passwords, credit card data, street addresses, full names, and much much more,” said TrustedSec researcher Dave Kennedy in a blog post. “So far, it looks like around 33 million usernames, first names, last names, street addresses, and more are impacted by this breach.”
Kennedy and other researchers confirmed that the cache amounts to about 10 gigabytes (GB) of compressed data.
“For folks that may not know, that is massive,” Kennedy wrote.
The release comes 30 days after the original publication of data, as originally promised by the unknown hackers, who refer to themselves as Impact Team. The attackers said last month they would release the data unless Ashley Madison and a similar site called Established Men were shut down by parent company Avid Life Media (ALM).
“We have explained the fraud, deceit, and stupidity of ALM and their members,” Impact Team wrote in a statement accompanying the data, according to security researchers. “Now everyone gets to see their data.”
Data contained in the cache indicates the most recent information dates from 11 July, or 10 days before the initial release.
The hackers were acting out of a misguided sense of morality, seeking to “impose a personal notion of virtue on all of society”, ALM said in a statement.
“These are illegitimate acts that have real consequences for innocent citizens who are simply going about their daily lives,” the Toronto-based company stated.
ALM said the US’ FBI, the Royal Canadian Mounted Police and local police are investigating the breach. It did not confirm that the published data was genuine, but said it was aware of the claim.
The company has said it believes the hackers were formerly connected to the company.
TrustedSec said the hackers appeared to have maintained access to ALM’s internal data for a considerable length of time.
“This is a massive data breach where attackers had full and maintained access to a large percentage of Ashley Madison’s organisation undetected for a long period of time,” TrustedSec’s Kennedy wrote.
He said the cache includes hashes of corporate passwords, corporate PayPal accounts and passwords, and internal documents such as maps of server infrastructure and organisational charts.
“This is much more problematic as it’s not just a database dump, this is a full-scale compromise of the entire company’s infrastructure including Windows domain and more,” he wrote.
Military email addresses
More than 15,000 of the email addresses are hosted on US governmenet or military servers using the .gov and .mil top-level domains, other researchers said.
The documents detail 9.6 million transactions and include 36 million email addresses, according to researchers. Websites have surfaced allowing users to search the database for their own email address, according to reports.
Microsoft security expert Troy Hunt said more than 1 million of the email addresses were linked to payment records.
Errata Security and security journalist Brian Krebs both said unnamed individual users had confirmed the last four digits of their credit cards were found in the cache.
The data also includes personal information on users, including their sexual preferences, according to researchers.
Are you a security pro? Try our quiz!