Even the genuine hack data appears to contain large amounts of fake information, say experts
Ashley Madison parent company Avid Life Media (ALM), security experts and the hackers themselves have warned that much of the data released online related to the attack on the Toronto-based dating service should be treated with scepticism.
The warnings come as reports emerged that the data contains the personal details of civil servants and Ministry of Defence staff.
Over the past four weeks, a large number of data dumps claiming to have been stolen from ALM have appeared online, but the majority are fakes intended to cash in on the attention paid to the initial data breach a month ago, according to ALM.
“There has been a substantial amount of postings since the initial posting, the vast majority of which have contained data unrelated to AshleyMadison.com, but there has also been some data released that is legitimate,” the company said in a statement.
Security experts have verified that one cache in particular, amounting to about 10 GB of compressed data and published earlier this week, does indeed seem to consist of data stolen from ALM’s internal servers.
In a message accompanying this cache, the hackers agreed with ALM that the majority of data pretending to derive from the original hack was “fake”. The person or persons using the name “Impact Team” provided a PGP signature that could be used for authenticating the real data.
But even that data appears to contain a large amount of false user information, due to the fact that AshleyMadison.com doesn’t enforce email verification, meaning that a user can create an account with someone else’s email address, security experts said.
SNP MP Michelle Thomson said her email address was found in the data cache, but the address was out of date and she said it seemed to have been harvested by a third party.
“Keep in mind the site is a scam with thousands of fake female profiles,” Impact Team said in its statement.
Many of the site’s genuine users are likely to have created profiles with fake information,due to the adultery-oriented nature of the site, according to industry observers.
“The majority of ‘real’ account holders tend to use fake, throw-away data and details, for obvious reasons,” said Tod Beardsley, security engineering manager at IT security firm Rapid7. “Even if the real data is a real person, and that person really registered for the site, there is no indication in the data if that person was successful at, or even intending to, pursue an illicit affair.”
While ALM promotes Ashley Madison as a way to arrange extramarital affairs, the site also offers standard dating services for single people.
Government email addresses
The cache contains email addresses linked to 1.2 million Britons, including 124 civil servants, 92 Ministry of Defence staff, around 50 police officers, 56 NHS workers, 65 local education and school staff and 1,1716 people at universities and further education colleges, according to The Telegraph.
Two of the emails are linked to workers at the secret Defence Science and Technology Laboratory, which develops chemical, biological and radiological weapons, the paper said.
In some cases staff may have used work email accounts to access the site, but many of the addresses seem to have been obtained and used by third parties, highlighting a security risk of another kind, according to the paper.
“If, as looks possible, government email accounts in what should be secure departments are this vulnerable to being hacked or impersonated that raises its own serious security issues,” Tim Loughton MP, a member of the Home Affairs select committee, told the paper.
Are you a security pro? Try our quiz!