How the Ashley Madison leak spread across the web
Last month, a group calling itself the “Impact Team” announced that it had hacked Avid Life Media, the parent company of infidelity dating site Ashley Madison, and stolen the company’s financial and membership records. But by the time security blogger Brian Krebs broke the news of the hack, the documents that had been leaked had already been removed from the web — thanks, it seems, to Ashley Madison making copyright claims on the information.
But last week, all of the hacked documents came gushing back onto the web. This time, the hackers were smarter. They shared their haul on peer-to-peer torrent networks rather than on a central website, meaning that Ashley Madison couldn’t use a legal process (or anything, really) to stop their spread.
The size of the Ashley Madison leak — nearly 30 gigabytes, in two parts — and the need to download it from a torrent network made it unwieldy for the average internet user to access. But that didn’t matter, because almost immediately after the leak, programmers who likely had no relation to the original hackers had built tools to make the data easily searchable. These tools — including a torrent-pointing onion site, and two search engines called ashley.cynic.al and checkashleymadison.com — were what allowed the general public to search through the secrets of millions of Ashley Madison users, looking for their spouses, co-workers, or friends.
The key players in making the Ashley Madison leak accessible to the masses have thus far remained anonymous because of the legal dangers around being involved in making stolen corporate data easier to access. But they were willing to speak to me pseudonymously. This is an explanation of how the raw data from Ashley Madison’s servers wound up at the world’s fingertips.
On July 12, “The Impact Team” announced that it had hacked Avid Life Media’s servers and stolen massive amounts of information. The hackers demanded that the company shut down two of its dating sites: Ashley Madison, which caters to married people seeking affairs, and Established Men, which aims at rich men seeking young, beautiful women. “Shutting down AM and EM will cost you, but non-compliance will cost you more,” said the hackers in a message left on company computers. In an interview with Vice, a group representative declined to say how the infidelity dating site was breached, saying only that the hackers “worked hard to make fully undetectable attack, then got in and found nothing to bypass,” and that the hack started “a long time ago.”
Once the company’s information was siphoned off its network, and after the company refused to take its sites down, the hackers wanted to make good on their threat. On July 19, according to police, they posted the information of two Ashley Madison users online, but Ashley Madison was able to get the information taken down using a DMCA (Digital Millennium Copyright Act) notice.
So, more than a week ago, by the accounts of those who first saw it, the hackers uploaded (or “seeded”) the documents on a torrent network, so that documents could be shared between and downloaded from other people’s computers without the risk of a DMCA takedown.
At the beginning of last week, the torrent of leaked documents appeared for the first time on a site accessible only to users of Tor, the anonymous web browser. The site identified itself as belonging to “Quantum Magazine.” It included a “Time’s Up” message from the hackers and a direct link to the torrent file that allowed people to start downloading Ashley Madison’s member files from a peer-to-peer network.
“We are not Impact Team, in case that wasn’t clear,” said a note on the site. “Please use this data responsibly.”
I sent an encrypted email to the person running the Quantum Magazine site, who goes by Quantum7765.
“I came across the Ashley Madison data over the weekend through some paste-bins on Tor,” the administrator said by email. “There have been a few fakes floating around so I took the time to look it over and saw that it had a proper PGP signature on it. When I started downloading the raw data from the torrent I saw there were about 1 person seeding (someone who has 100% of the torrent) and about 3 people downloading so it was pretty close to the initial release as you can get.”
That one person who was “seeding,” or uploading, the Ashley Madison documents for others to download, may well have been The Impact Team.
Quantum decided to make sure other people could get access to Ashley Madison’s data. He said he hoped they would learn a lesson from it: “to protect their privacy and their data and not to trust someone else with it blindly.”
“The message didn’t include the key and the torrent file was base64 encoded, so I put together a little page on my website that had all of this in an easy to read and access format.
“Then I put out a few notices on some Tor sites and waited. Had some light traffic from it but nothing really major. I was surprised after a day or two that it had not hit the news at all but eventually someone took notice (8chan’s /pol/ board I think) and posted the find and the address on Twitter.
“From there it just exploded.”
Taking advantage of the influx of visitors, Quantum published the first issue of the promised “Quantum Magazine” a day after the hack. It was a page of text, with articles about cryptography and how Stingrays track phones. The magazine has no apparent history. A science and math magazine that went under the name Quantum was published from 1990 to 2001, but the two appear unrelated.
Quantum’s administrator said that the magazine is intended to teach people about security so they can protect themselves. “It’s shocking how many people don’t take their privacy seriously and are willing to trust almost anyone or any company without really checking to see or using tools to further protect themselves,” wrote the administrator by email.
“Ironically, the leaked data is the perfect example of what I’m talking about.”
Thanks to Quantum Magazine, it was now much easier to get access to the Ashley Madison data. But you still had to use a Tor browser to get to the hidden services site, and then use a torrent client in order to download the documents. Then, once you’d downloaded the monster data dump, you had to sort through thousands of individual files full of membership records to find the name, or names, you were looking for. That’s not easy for the casual user. (“I have downloaded the data but I can’t really make any sense of it, or in fact can’t even open some of it up as its too large,” complained one user.)
That’s where a man who goes by “Rufo” on Twitter came in. On Tuesday morning, Eastern time, a friend sent Rufo a link to Quantum Magazine’s site, and he downloaded the torrent. At the time there were 15 other people downloading it, he said. Later that afternoon, the number exploded as the link circulated on Twitter and news media got wind of its existence, with Wired’s Kim Zetter breaking the story of the information’s availability that evening.
“The file with the Ashley Madison account information is in a SQL database export,” Rufo told me in a Twitter DM. “Rather than importing this data directly, I searched the file for things that looked like email addresses — an @ sign with a run of plausible characters on either side — and saved the results to a separate file.”
There were 35 million email addresses in the Ashley Madison file, which was far more than a text editor’s “find” function can cope with. But two years earlier, Rufo had written a program to process a massive list of email addresses after the Adobe password breach, and he had created a site to allow people to check to see whether they’d been part of that breach.
“So I used the same processing method this time, and was able to reuse some of the old search code I wrote,” he said. “This is how I was able to get the site up so quickly.”
He explains:
“I converted the list of emails into a data structure called a bloom filter, which allows you to search its contents very efficiently (bloom filters have a very low false-positive rate vs the amount of memory they occupy). This process required turning each email address in the list into a series of cryptographic hashes. When someone types their email address into the website, it is these hashes that are searched.”
He then hosted his program at ashley.cynic.al. And people started visiting in droves to check email addresses. As of Friday, two days after his site went live, it has been visited by over 1.3 million people who have performed nearly 8 million searches.
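The bloom-filter lookup Rufo describes, as an added example (not Rufo's code): it shows how a filter sized for a 1% false-positive rate answers membership queries from roughly 10 bits per address while holding no addresses itself. Deriving the bit positions from a single SHA-256 digest by double hashing, the class and function names, and the example.com sample addresses are assumptions made here.

```python
import hashlib
import math


class BloomFilter:
    """Set-membership filter: no false negatives, tunable false-positive rate."""

    def __init__(self, expected_items: int, fp_rate: float):
        # Standard sizing: m = -n ln p / (ln 2)^2 bits, k = (m/n) ln 2 hashes.
        self.m = max(8, math.ceil(-expected_items * math.log(fp_rate) / math.log(2) ** 2))
        self.k = max(1, round(self.m / expected_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, email: str):
        # Normalise so "Alice@Example.com " and "alice@example.com" match.
        digest = hashlib.sha256(email.strip().lower().encode("utf-8")).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1  # odd, so never zero
        # Double hashing (assumed scheme): k positions from one digest.
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, email: str) -> None:
        for p in self._positions(email):
            self.bits[p // 8] |= 1 << (p % 8)

    def __contains__(self, email: str) -> bool:
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(email))


def false_positive_rate(bf: BloomFilter, probes: int) -> float:
    """Measure the FP rate with constructed addresses that were never added."""
    hits = sum(f"absent{i}@example.org" in bf for i in range(probes))
    return hits / probes


def build_demo(n: int = 20000, fp_rate: float = 0.01) -> BloomFilter:
    # Constructed sample data; example.com is a reserved documentation domain.
    bf = BloomFilter(n, fp_rate)
    for i in range(n):
        bf.add(f"user{i}@example.com")
    return bf


if __name__ == "__main__":
    bf = build_demo()
    print("bits:", bf.m, "hashes:", bf.k, "bytes:", len(bf.bits))
    print("member found:", "User42@Example.com" in bf)
    print("measured FP rate:", false_positive_rate(bf, 20000))
```

A "yes" from such a filter is only probable membership, so a lookup site built this way will occasionally report an address that was never in the list.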
People who ran a similar site called checkashleymadison.com took their site offline last week after receiving a notice from Ashley Madison claiming copyright violations in the hosting of the company’s “copyrighted” data, which is an effective tactic. (Though it may be an illegal one since Madison hasn’t actually filed a copyright application to cover its internal data. And it wouldn’t likely be granted one if it did — copyrights are meant for intellectual property, not business records.)
On Monday, Rufo finally got a DMCA notice, which he posted to Pastebin, but he does not plan to immediately comply.
On Monday, the Toronto police and the U.S. Department of Homeland Security announced that they’re cooperating on the Ashley Madison investigation, and that the FBI is “taking the lead on the network intrusion investigation.”
Meanwhile, the searches on ashley.cynic.al are still coming, at a rate of thousands of searches per hour. And all over the world, the fallout continues. People who considered themselves happily married are now miserable. Divorce lawyers are circling, as are class action lawyers. Police say that two unconfirmed reports of suicides have been linked to the leak. Extortionists are targeting people exposed by the hack, saying they’ll expose them to family and friends unless they pay up in Bitcoin. Journalists have started combing through the hack for government officials, lawyers, bankers, and “famous people.” The Pentagon is looking through the hack for military users, noting that adultery can be a criminal offense under military law. Thousands of users that appear to be from Saudi Arabia were found in the database; adultery is a crime punishable by death there.
Had an anonymous band of programmers not stepped in to build tools to make this information easily accessible, the secrets from Ashley Madison’s hack may never have been unlocked, except by the most skilled searchers. It might have remained on the Dark Web, a batch of terrible secrets that you would never have had to think about discovering. The information would certainly have been combed over by journalists looking for newsworthy users and by extortionists seeking to blackmail those exposed, but not casually by people’s neighbors and co-workers.
But this is the nature of modern hacks. An inscrutable data dump draws in helpful technologists who want everyone to have access to information, not just sophisticated computer users. Their tools, in turn, attract rubberneckers who can’t help but peek. In the future, other big hacks will almost certainly follow the same pattern. First comes the leak. Then, the tools to parse it. Then, the panic.