WASHINGTON -- The user data pillaged from affair website Ashley Madison and dumped onto the Internet appears to be the real deal, independent security experts said Wednesday. The website reportedly has as many as 37 million users, and gigabytes of names, addresses, credit card numbers and emails allegedly tied to the site were leaked onto the so-called "dark web" late Tuesday night.
"The debate about the authenticity of the Ashley Madison breach is as good as over," Troy Hunt, a developer and web security specialist who runs a website that helps people discover whether they've been victimized by a data breach, tweeted early Wednesday.
"It's entirely reasonable to assume that this data is legitimate unless it can be proven to the contrary," Hunt told The Huffington Post.
But Ashley Madison's former chief technology officer, Raja Bhatia, insisted that he and a team of international investigators have found no evidence that the data is authentic. Bhatia, who now consults for the company, told Brian Krebs, a former cybersecurity reporter at The Washington Post, that "on a daily basis, we’re seeing 30 to 80 different claimed dumps come online, and most of these dumps are entirely fake," in an interview late Tuesday. Bhatia said, for example, that his company had never stored credit card information, which is present in the latest leak.
"I'm still resolute with my initial assessment," Bhatia told HuffPost early Wednesday morning, noting that it is an "ongoing process."
Hunt, the web security expert, told HuffPost that "it’s not unusual for an organization to deny the legitimacy of a data breach. But it won’t take long for that position to change if impacted customers continue to report evidence of their data turning up in it."
Krebs, who first broke the story of the hack on July 19 and interviewed Bhatia Tuesday night, initially said he had no idea if the dump was legitimate. Later that night, he wrote that the evidence was hard to deny and that he had spoken with "three vouched sources" who confirmed their information was included in the data dump. "There is every indication this dump is the real deal," Krebs wrote.
The sources Krebs spoke to claimed that personal information, including the last four digits of their credit card numbers, was included in this latest leak. Per Thorsheim, the founder and main organizer of Passwordscon, a passwords conference, also wrote that he found "several other accounts that I know" that were not found in other known breaches. He claimed an anonymous source confirmed that his credit card data found in the dump was correct. Sam Biddle, a reporter for Gawker, tweeted that an email he once used to log in to the site for a reporting project was also included in the leak.
Some may question the value of the Ashley Madison data. It's been widely reported that Ashley Madison did not verify the email addresses of people who signed up. In theory, an individual's address could pop up in the data dump even if that person never actually signed up for an account -- someone else could have signed up using their email. The credit card numbers, names, and home address data included in the hack -- if accurate -- could be much more damaging. But just because someone signed up for Ashley Madison doesn't mean they used the service. Some users' spouses may have known they used the site.
But Ashley Madison's records could nevertheless damage the reputations of politicians and public figures, not to mention ordinary people. "There could be genuine casualties as a result" of the leak, Graham Cluley, an independent security analyst, wrote in a blog post on Tuesday. "I mean suicide."
Need help? In the U.S., call 1-800-273-8255 for the National Suicide Prevention Lifeline.