The hugely successful Ashley Madison matchmaking site for adulterers, founded 2001, markets safe and easy anonymous affairs (“Over 38,920,000 anonymous members!”). Bloomberg reports
The site is unapologetic about the nature of its services, arguing that it has even strengthened some marriages. “We’ve had stories from members that we’ve returned love to the marital bed and made others realize the grass is not greener on the other side,” [international relations head Christoph] Kraemer said.
The site’s slogan is “Life is short. Have an affair.” Many have agreed; Toronto-based parent company Avid Life Media enjoyed 45 percent sales growth last year and a profit of 20–25 percent, according to company sources.
But thanks to one of the biggest hacks ever, many such users’ lives may well get shorter—or at least unhappier.
The site makes money—to the tune of $115 million in sales last year, four times that of 2009—by charging men for credits, which they then use for introductions to women. It claims to be the second largest dating site after Match.com (which does not accommodate married people) and to have 36 million members in 46 countries, with the United States accounting for half of its business.
We’ll let the Economist lead off on the data disaster in “An affair to remember”:
Its home page shows a woman holding a finger to her lips. So much for promising to keep secrets. Last month a group of hackers called Impact Team stole the site’s user database and transaction history going back to 2007, and this week they released it online: more than 30m users’ names, addresses and personal details, along with GPS co-ordinates and sexual preferences.
As easy search websites spring up to make public access easier, members find their previously secret sexual fantasies and activities revealed to any who care.
How big and deep was the hack? From The Verge, we learn how much personal/private information was stored, collected between 2008 and 2015, now accessible just by knowing the person’s e-mail address: Name, nickname, street address, up to three phone numbers, sex (approximately 27 million said they were male, 4.4 million said they were female (6:1) ratio, 2 million unknown). Oh, and weight, height, birth date, ethnicity, body type, use of alcohol or cigarettes, and captions such as Profile caption (examples include “No Games Please.” and “I May Be Spoken 4 But I Speak 4 Myself”). The data include sexually explicit chat logs, for example. And, incidentally, the last four digits of the member’s credit card number.
In its raw state (massive downloadable archives), the Awl notes that the data dump, is not easy to navigate. But savvy users search for government, corporate, and academic e-mail addresses first.
For example, reporter Haley Ritchie notes in an Ottawa newspaper that “More than 500 Government of Canada email accounts contained within cache, all based in so-called infidelity capital.”
There are at least 543 users registered with emails that end in “gc.ca,” an extension used by federal government departments or agencies. Of that number, 17 end in parl.gc.ca – an extension for those in the parliamentary precinct. More.
Here are the Canadian cities with, allegedly, highest percentage of accounts (but see caveats below).
So why did Impact Team do it? They claimed to be morally offended by the site, and demanded it be taken down on those grounds (“learn your lesson and make amends”). They also demanded the demise of another Avid Life Media website, Established Men, a site that connects young women with “successful and generous benefactors to fulfill their lifestyle needs,” aka sugar daddies (probably married).
When Avid refused the demand, the hackers released all the data.
The Impact Team attached a statement to its torrent file during the leak, claiming that because the site remains online, the privacy of its customers now suffers. “Avid Life Media has failed to take down Ashley Madison and Established Men,” it reads. “We have explained the fraud, deceit, and stupidity of ALM and their members. Now everyone gets to see their data.”
Keep in mind the site is a scam with thousands of fake female profiles. See ashley madison fake profile lawsuit; 90-95% of actual users are male. … Find yourself in here? It was ALM that failed you and lied to you. Prosecute them and claim damages. Then move on with your life. Learn your lesson and make amends. Embarrassing now, but you’ll get over it.
Avid admitted to the hack July 20, but hasn’t confirmed that the data is theirs. However, experienced observers believe it to be.
It’s not hard to see how Ashley Madison became a target. Tim B. Lee at Vox explains,
It has traded on its notoriety to attract customers. In 2009 Ashley Madison tried to buy a television ad during the Super Bowl, but the offer was rejected. But the rejection itself got a lot of press, and the ad wound up getting more than a million pageviews on YouTube. The company also sought to purchase naming rights for the Meadowlands stadium, where the New York Giants and Jets play, but was rebuffed.
Many find Impact Team’s claimed moral motive hard to square with the mass data dump. As the Economist points out, a person could sign up and then just not have an affair. Many of the addresses may be fake (users were not asked to verify). A user could merely have the same name as or sound like someone in our community. And some accounts may be smear attempts.
Indeed, as the Economist notes, the grudge may have been an economic one. Men must pay, and apart from the disproportion between men and women, many female profiles may be fakes (see also: click farms).
Avid claims that female membership is growing 10 percent faster than male, and that in the core 30 to 45 age group, the ratio is 50:50.
Plus, the hackers claim, although the company charged $20 to delete all data, a service that brought in $1.7mm in 2014, key information was not in fact deleted:
Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.
Avid disputes that claim, but at any rate, it’s all public now. Apparently, the firm is trying to make amends by currently deleting data for free.
And maybe, for Impact Team, there was also just the thrill of the hack.
Most data hacks have little long-term impact because, for business reasons, banks and credit card companies absorb the losses. Even if private data is disclosed, scandals may amount to embarrassing but inconsequential fiddles, such as that an elected official has put $150 a week on her expense account for day care for her dog. If she just resigns from public life, there is little emotional trauma to others.
But not this time. As the Awl puts it,
The Ashley Madison hack is in some ways the first large scale real hack, in the popular, your-secrets-are-now-public sense of the word. It is plausible—likely?—that you will know someone in or affected by this dump.
So the firm was seeking to sell $200 million in shares in Europe, focusing on London. “Europe is the only region where we have a real chance of doing an IPO,” the company told Bloomberg, because Europeans are more liberal about adultery. But maybe not so liberal about the hack? The firm was targeting Eastern Asia to provide 50-60 percent of sales by 2020 as well. Maybe not so much now.
Avid is, for now, adopting the high moral ground:
The criminal, or criminals, involved in this act have appointed themselves as the moral judge, juror, and executioner, seeing fit to impose a personal notion of virtue on all of society. We will not sit idly by and allow these thieves to force their personal ideology on citizens around the world…
The company also denies that present or past users’ “full” credit card information was stolen.
A class action lawsuit is said to be in the works in both Missouri and Canada. The Missouri plaintiff had apparently paid $19 to have her information deleted, without success. In any event, no trial has been held and no verdict has been reached.
Note: The 9.69 million transactions logged include repeat customers. Informed sources give the probable number of accounts as 32 million.
1. Our first reaction should not be, “Serves them right!” After all, one’s family doctor’s practice could be similarly hacked. The hackers could even hang on to the data, say nothing, but use it later. At least some good will come of this debacle if Internet security becomes a greater priority for everyone.
2. The victims of the Ashley Madison hack will include children of ensuing marriage breakups, whose statistical chances in life are poorer. They may also include people living in countries where adultery is punishable by death (see vid below). What makes fallout so destructive is that it is indiscriminate. The hackers must have known that, which is why it is hard to square their actions with moralizing claims.
3. Anyone who believes anything the parent company says should put their affairs in the hands of a trustee before worse follows. The firm was built on deception, so any given statement should be presumed false unless verified by independent sources.
4. It would be good if a private investigator were to secure and publish the names of the company’s investors. Fair is fair.
5. Above, I wrote: “And maybe, for Impact Team, it was also just the thrill of the hack.” Yes, but security firms have been known to pay hackers well to reveal their secrets. This might be a business opportunity for the hackers, never mind moral zealotry, vengeance, or fun.
6. I hope the public share rollout in Europe flops big time, as it did in Canada. In this case, I have good grounds for hope; Avid will be years dealing with the legal ramifications, let alone the customer mistrust.
Next: How the Ashley Madison hack will affect the Internet dating scene.
See also: Summary links at Vox.
Denyse O’Leary is a Canadian journalist, author, and blogger.