Don’t judge Ashley Madison users too quickly, their accounts may be fake

Per Thorsheim
@thorsheim

So Ashley Madison got hacked. A service claiming 37 million members, owned and operated by Avid Dating life Inc, who also run the “Cougar Life” and “Established Men” websites.

The one thing that sets this hack apart from other dating services getting hacked, is that the Ashley Madison slogan is “Life is short. Have an affair.” They have even ® registered that phrase!

Even with the slogan, it is still very much a dating site. You can flag yourself as being single, looking for a long-term relationship. You can search for single people only if you prefer. Nobody seemed to care about that when the news emerged that the site had been hacked.

In almost all breaches that become public, the service provider getting hacked takes a heavy beating in the media. Twitter acts as the biggest howling wolf pack ever, with other social media channels sharing and liking the news. Yes, I’ve joined the choir many times myself against service providers.


But in the case of Ashley Madison, the majority of news articles seem to focus on “Well, if you have an account with a cheating service like Ashley Madison, expect no sympathy from us you deceiving bugger”.

Not much word about the service provider, their security or lack of it.

Oh no, we’re pointing our index finger at all the registered users of Ashley Madison collectively. Even noted security reporter Brian Krebs calls Ashley Madison an “online cheating site” in his article. Do not judge the book by its cover, Brian.

As soon as I read about the breach on Twitter, I tweeted this:

I tweeted that, because I knew something about Ashley Madison’s service that most people, including registered users, probably didn’t know:

Ashley Madison didn’t do any kind of email / ownership verification for new accounts.

Provide a fake email to Ashley Madison, get started with all free features immediately.

Yes, the really quick way to build a user base; a minimum of effort needed to get started.
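
What the missing ownership check looks like in code, as an added example (not from the original article and not Ashley Madison's code): the account stays pending and unusable until a token mailed to the given address is presented, and unconfirmed records are purged rather than kept. The `Registry` class, its method names and the 24-hour link lifetime are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 24 * 3600  # assumed lifetime of a confirmation link, in seconds


class Registry:
    """Toy in-memory account store (hypothetical, for illustration only)."""

    def __init__(self, key=None):
        self._key = key or secrets.token_bytes(32)  # server-side MAC key
        self.accounts = {}  # normalised e-mail -> record

    def _mac(self, email, nonce, expires):
        msg = f"{email}|{nonce}|{expires}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def sign_up(self, email, now=None):
        """Create a PENDING account and return the token to e-mail to `email`."""
        now = time.time() if now is None else now
        email = email.strip().lower()
        if self.accounts.get(email, {}).get("state") == "active":
            raise ValueError("address already registered")
        nonce, expires = secrets.token_urlsafe(16), int(now) + TOKEN_TTL
        self.accounts[email] = {"state": "pending", "nonce": nonce, "expires": expires}
        return f"{nonce}.{expires}.{self._mac(email, nonce, expires)}"

    def confirm(self, email, token, now=None):
        """Activate the account only if the mailed token comes back in time."""
        now = time.time() if now is None else now
        email = email.strip().lower()
        rec = self.accounts.get(email)
        try:
            nonce, expires, mac = token.split(".")
            expires = int(expires)
        except ValueError:  # wrong number of fields or non-numeric expiry
            return False
        if rec is None or rec["state"] != "pending":
            return False
        expected = self._mac(email, nonce, expires)
        ok = (hmac.compare_digest(mac.encode(), expected.encode())
              and nonce == rec["nonce"] and now <= expires)
        if ok:
            rec["state"] = "active"
        return ok

    def can_use_features(self, email):
        """Free or paid features are gated on a confirmed address."""
        return self.accounts.get(email.strip().lower(), {}).get("state") == "active"

    def purge_unconfirmed(self, now=None):
        """Delete pending records whose link expired; return how many went."""
        now = time.time() if now is None else now
        stale = [e for e, r in self.accounts.items()
                 if r["state"] == "pending" and now > r["expires"]]
        for e in stale:
            del self.accounts[e]
        return len(stale)


if __name__ == "__main__":
    reg = Registry()
    reg.sign_up("someone.else@example.org")  # constructed address
    print(reg.can_use_features("someone.else@example.org"))  # False
```

With this gate in place, an address typed in by a third party never becomes an active account, and after the purge it no longer appears in the user table at all.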

I knew of other security design weaknesses as well, but I kept my mouth shut in public about it.

Then suddenly, The Intercept tweets this:

I read the story, and to my horror the article reveals that anyone can create an account using your email and get started using it, no account verification needed.

They also call the account deletion business practices of Ashley Madison “extortion”, since you have to pay money to have an account removed.

Yes, that’s correct. You can create an account for free, but it is completely unusable until you pay for membership. You can hide the account from anyone you haven’t made contact with online for free. But if you want to actually delete the account and all associated data, you have to pay money – $19.00 if you’re American.

It seems like Ashley Madison have changed that now. A good move, and I would just assume they couldn’t do anything else after the massive amount of bad publicity they got.

Now here’s the important part, returning to my initial comment about the breach:

The leaked data, if it ever appears in public, doesn’t prove anything.

The free account essentially cannot be used for contacting or communicating with anyone else. Even if your credit card information shows you paid for an account, there is still no proof of you doing anything illegal according to law.

The only things left are rumors. The kind of rumors that can ruin pretty much anyone’s life for a long, long time.



In November 2011, a dating service forum in Norway got hacked.

The site was known for also connecting buyers with “suppliers” of sexual services. A business which is illegal in Norway.

Approximately 26,000 users got their full names, emails, phone numbers etc exposed.

The media anonymously interviewed people who claimed to have done nothing wrong, but were considering suicide because of the attention they received from colleagues, friends and family.

I spent the days before Christmas talking to managers of some of those named on how to handle the situation. That Christmas became a nightmare for many based on rumors alone…

Four young men were charged and convicted for the hack, and sentenced to 30-57 hours of community service. The user list will probably never disappear from the internet.



Per Thorsheim is an independent security adviser based in Bergen, Norway. He told the world about the Linkedin breach in June 2012. As well as running his blog, he is the founder and main organizer of Passwordscon, a conference devoted to passwords, which has been his main interest for 13+ years. He is also proud to be certified CISA, CISM and CISSP-ISSAP.

33 comments on “Don’t judge Ashley Madison users too quickly, their accounts may be fake”

  1. Stephen Cobb

    Excellent post Per, there is often a lot more to this type of incident than gets reported in the headline hungry world of online "journalism". And the subscriber-hungry Ashley Madison business model, with its utterly ridiculous "pay to remove" scam was, by some accounts, what sparked this hack in the first place. Requiring somebody to pay to remove their information from an online service would seem to violate the core principles of privacy.

    As for the moral outrage that was expressed in such volume, I find it just a little scary. There are now over 700 comments on Brian Krebs' original story, many of them expressing a moral righteousness that is surprisingly pharisaic, not to mention confusing, given how many affairs the rich and famous have, apparently with little reputational risk or lasting brand damage.

    On a practical note, I echo your advice to companies. In a webinar last week I suggested that organizations brief staff on this breach and let people know that they can report any blackmail attempts discreetly and without judgment.

    As you point out – it is far from a joke, it could be a matter of life or death.

  2. Penelope

    Suicide is an option – and coupled with the stress of everything surrounding people's lives, the public humiliation that can ensue for those people's families may drive people to do unspeakable things.

    It's easy for people to judge, but every situation isn't so cut and dry.

    1. Kell Brigan · in reply to Penelope

      Why shouldn't anyone who's ever committed adultery finish the job and commit suicide? At least that way, they're not taking their spouses and kids down with them. They're adulterers, so we know they're barely alive anyway. Sorry, but anyone who's ever, in any way, logged on to Asshole Madison deserves what they get.

      1. steve · in reply to Kell Brigan

        I know you will suffer in the future. I hope to witness it, and then kick you in the nuts

  3. Coyote

    While I didn't know that they had no verification, I want to thank you for putting that note up; because you're right, it could lead to suicide.

    And given that I was very suicidal for a long time, barely making it (and I won't elaborate beyond), I especially appreciate the message, because it is a serious issue and something that far too many don't understand.

    Thanks for bringing it up; there is a serious lack of awareness with mental health in this world, and this is even more important when you consider the context here (after all, affairs can ruin lives without that complication, and even if the account is real, there is also the victim of the affair that could be at risk of suicide).

  4. Per Thorsheim

    Thank you so much for the comments Stephen, Penelope & Coyote!

    A followup is in the making, there is more to raise awareness about in the context I'm afraid.

    Best regards,
    Per

  5. Jim

    I cannot understand how anybody would complain about Ashley Madison's $19 fee as extortion in the aftermath of this hack. There is clear extortion here – and it is from the hackers making demands of the owners of the web site. I think that those who publish (or even spread) names purported to be users of the site should be criminally responsible for the results of their actions.

    1. Kell Brigan · in reply to Jim

      And, then, the abandoned wives and kids can fucking sue the Asshole Madison assholes… You really want pity for LIARS????? Screw 'em, fire 'em, sue 'em, divorce 'em, make then spend the rest of their lives longing for fucking death. My only regret is that they didn't print the card numbers so people could ID theft these fucked up son of a bitch bastard asshole lying, kid-abandoning, misogynist dickwads into absolute, life-long bankruptcy.

      1. fred · in reply to Kell Brigan

        why? why did someone sign up in the first place? they were not satisfied in their marriage… Sex for many women is not enjoyable. but for men it is paramount. when the women "aren't interested" the men are frustrated. i would bet any "cheater" would be happy to have sex with his wife. but she doesn't like it, for whatever reason. So after while, the unthinkable becomes thinkable…

      2. Tanya · in reply to Kell Brigan

        Wow Kell, must be nice to be so holier than thou..Never made a mistake in your life or been in a bad place and made a bad decision?? Must be nice to be you..So perfect..Please tell us what is your secret?? You must live a sad life as you want to get pleasure from other peoples pain..I hope things turn around for you and you can find the peace and happiness you are so lacking in your life..

        1. Dana · in reply to Tanya

          Sad, really, that Kell can't express him/herself without the use of vulgarities.

  6. YourNameHere

    With a Visa gift card, a man can create a paid AshMad account and use any name, address desired for the initial billing part. The username and email are also typically fake. Point is anyone can create an AshMad account using another's name, address (or fake name, address). Some idiots may have used real name, address with actual credit card and/or real email. My point is the leaked data may or may not be credible. Although, pictures may be hard to explain…

  7. CP

    This is one of the more intelligent posts I've read about the hack. Plenty of people also may just have been curious about the site, or they could be one of the ~5% of people who are in open relationships but don't want their business spread out in front of judgmental coworkers and acquaintances. Or even if people ARE cheating, relationships are complicated — even THEN people don't deserve to have their business plastered over the web. Many of the gleeful people on Twitter are hypocrites. Plenty of them are cheating too — maybe just not on Ashley Madison.

    Please keep writing about this.

  8. ghost

    good article, I had an ex girlfriend who tried to "sign" me up for sites like this after we broke up, even using my picture to prove it was me. It got to the point I had to change my email addresses and get the police involved. I truly hope people take all this with a grain of salt.

    1. Rhinob · in reply to ghost

      I'm on this list and never used it. My friend has 3 of email addresses on there. Sounds like the damage will snare a lot of innocents…

  9. Kell Brigan

    ANYONE who has anything to do with Asshole Madison is an asshole. If they're "single" and "looking for a relationship" on Asshole Madison, they're a really, really stupid asshole. Just paint "I hate women that aren't made of plastic" on your forehead and save yourself a few hundred bucks.

    1. Kell Brigan · in reply to Kell Brigan

      You have not mentioned that anyone stupid and degenerate enough to think they can get a "relationship" on Asshole Madison is also ENABLING THE DESTRUCTION OF FAMILIES. Anyone who is any way supports or enables Asshole Madison deserves to go down in flames for all the kids and spouses they've helped maim with their "subscriptions." FUCK EM. No pity here.

      1. heavystarch · in reply to Kell Brigan

        So you think that every relationship is built of gold and pixy dust? All rainbows and happy? There are many relationships that are broken and spouses feel trapped. They may or may not have kids. They may have an unloving spouse. To cast your judgement in such broad strokes is ridiculously unfair.

        Not only that you're angry at AM users who are "ENABLING THE DESTRUCTION OF FAMILIES". Isn't this leak going to enable the destruction of a lot of families? Are you not mad at the Impact Team that publicly released the private data which may lead to the eventual break up of these families.

        You've replied with such vitriol to many posts on here it seems you have an axe to grind with someone personally. Were you cheated on in your life?

        I've been cheated on and cheated on others. It's not always black and white these human relationships. None of us are perfect and many times too immature to properly be in a grown relationship.

      2. Rhinob · in reply to Kell Brigan

        I'm on this list and never used it. My friend has 3 of email addresses on there. Sounds like the damage will snare a lot of innocents…..or does this list actually sound credible to you?

    2. Rhinob · in reply to Kell Brigan

      I'm on this list and never used it. My friend has 3 of email addresses on there. Sounds like the damage will snare a lot of innocents…..or does this list actually sound credible to you?

  10. suss

    everywhere is going on about this list but where is it so i can check if there is anyone i know

  11. AngryEX

    I created an account to check on my NOW EX when we were together. After catching his profile expressing he was not single and the need for secrecy, I THOUGHT my account was deleted. Apparently not.

  12. Krysium

    Yes it proves nothing, you didn't actually go through with it, just like hiring a hitman doesn't PROVE you would have actually made them go through with the hit. Or that buying 5 kilos of crack doesn't mean you were going to flush it down the toilet as you realized just how bad it was and turned your life around:)
    What it does mean is you were interested and willing to post your contact information on a website intended to help people cheat on their spouses. You cannot be trusted in a relationship (you have someone else's heart, and if you have kids, families that have taken you in and accepted you) and I believe cheating dirtbags cannot be trusted in other aspects of their lives.
    I wouldn't vote for a politician who cheats as they could be blackmailed. I wouldn't trust someone to work for me in business, if they turn on their spouse on a whim then who is to say they won't turn on me. Anyone who throws a promise, their honor, out the window for a fling, who psychologically endangers their kids, who tears nuclear and extended families apart resulting in years of emotional anguish for their own selfish pleasures is not to be trusted with something important.

    Character and reputation make a man. Guard yours well. You can do something right 1000 times, but one time doing something this idiotic, and you deserve the bad rep. I survived 100 hour work weeks with my spouse in residency while I was in grad school and teaching, with kids one of whom was colicky. If I can survive that without cheating then you can live without your ashley madison account or be known for the weak willed fool that you are

    1. heavystarch · in reply to Krysium

      So you wish to brand these "fools" with a scarlet letter AM? Is there any nuance to these situations? Is there no sympathy for those individuals caught in loveless relationships where they feel compelled to find "love" in other avenues? It's wonderful that you were able to survive 100hr work weeks with your spouse in residency and a child with colic. Bravo! You deserve a medal! Was your spouse loving, supportive and committed to you in those difficult times? If you answer yes then your high horse holier than thou attitude is just that…self righteous bullshit.

      What if you have been married 10 or 20 years. Your spouse hates you and there is no love in the relationship. You have a few kids and that is the only reason you remain together. One desperate day to find love or some kind of romantic outlet you create an account on AM. You're not here because you want some "fling" or "hookup" but you're desperate to find something to fill that void?

      Do you even see where I'm going with this?

      Some of the posters on this site are so quick to judge others and put themselves on pedestals of self righteousness that they forget being human can be hard and we fail at times.

      So for the person who commits 1000 wonderful acts and fails at 1 act – that person should now be branded for life as a loathsome creature? Jesus Christ you're a mean spirited cunt.

    2. fred · in reply to Krysium

      well jesus, thank you for your comments, but I thought you might have better things to do..

  13. Onlooker Gets Caught

    I was a curious onlooker who just wanted to see what it was about, some years ago.

    Stupidly, I put my email in to see beyond the landing page. It was not that great of a site and I did nothing with it. Actually, part of my curiosity was about how a website was set up. Never used it to hook up or meet anyone, and never used the site more than once or twice.

    Never paid the site money either, but when I wanted to delete the account, they wanted money to do it. I thought that was A SCAM and refused to pay up and left it as is. Totally forgot about it – until this week. Have a marriage that is not perfect but a happy one. I love my wife dearly, always have, always will (20+ years and counting).

    To my horror, my email is on the list. So, you tell me … who's going to believe "I did nothing on it" defense? You'll get a 'yeah right'. Curiosity may kill more than the cat.

    Prematurely coming to conclusions is as destructive as anything.

    1. Fred · in reply to Onlooker Gets Caught

      Thank you. You are the only one who defends those who don't have a paid account but we're in there for a variety of reasons none of which were to cheat.

  14. Rhinob

    Thanks for this article. I'm somewhat frustrated about all this…..my email is there. 3 email addresses of a close friend as well. Neither of us ever used the site for anything so we're thinking this is a big example of legal welfare / extortion.

  15. Jay

    Has anyone considered, that the betrayed spouse of an Ashley Madison User, might just decide to kill herself because her whole world just shattered? After all, she might just feel that her life has been a total lie, a waste of time, and that she is replaceable. The AM user could just remarry and give the kids a new mommy….until she gets wrinkles and grey hair and then discard her too. Will certainly give the children a sense of stability and security won't it? AM Users, hope it was worth it!

  16. Jay

    One last thought…email matched- check, name matched- check, address matched-check, credit card #'s matched – check, dick pictures matched (freckle!) – check, sexy chats between them that made me feel like my existence has been negated. It's hard to work full time, come home to the "second shift" (cooking, homework with kids/playtime, cleaning, bills, and find time to relax). Most of the time I feel dead on my feet, NOW THIS? To find out that 12 years of this? LIE- F – caring for babies, wearing tops with spit up on them, doctor visits, dentist, taxi them to sports, school events- you name it. It's all been for nothing- because his wife & kids mean nothing to him! I am spent, just want to lay down and die. All for nothing because I must be nothing in order to him in order for him to treat me this way. Working late, Business trips – MY ASS!

  17. Kate

    Ashley Madison DOES send you an email when you open an account. I can prove it with pictures. It sends you 2 emails. One email that says welcome to Ashley Madison, and a second email that says "permanently hide" to give you the option to permanently hide the emails.

    1. Graham Cluley · in reply to Kate

      Don't forget that Ashley Madison sending an email to an address given to it by a user upon registration is different from Ashley Madison *verifying* that the email address belongs to the person who registered for the site.

      Sites which verify accounts typically send an email to the address the user gave asking them to click a link to *confirm* it was them who registered.

      Otherwise, you get scenarios where people can register with – say – Tony Blair's email address.

      http://www.independent.co.uk/life-style/gadgets-and-tech/news/ashley-madison-hack-live-email-verification-10461653.html

  18. Dana

    I'm on AshMad. Never heard of it until there was a fashion article talking about "what dating women are wearing". Talked about a survey of AshMad users and their preferred handbag and shoe designer. A pretty fluff piece. I'm single. I'm dating. I never heard of this site so I went to check it out. So instead of lurking in the traditional sites, folks who are in a relationship OR those who really aren't looking for a serious relationship hang out there.
    Today I received a "send me money or I'm telling the world you were on a dating site." threat email.
    BFD. Some of us really don't care.
    I feel sorry for Kell. Must be hard to carry on in life with a mind that won't open. Hard for the world to live in your Disney life. But then again, most of us come out of our basements and interact with real people on a day to day basis.
