Ashley Madison recently had a really bad day. In the off chance that you haven’t heard about it, Ashley Madison’s entire internal network got popped and the attackers leaked around 10GB of compressed data to the Intertubez.

Plenty of sites have articles detailing “what was leaked,” yet I found nothing that described the actual contents of the leak. Not finding what I was looking for, I took it upon myself to put together a writeup on the leak’s contents. What follows is a rundown of what is in the leak, followed by some statistical analysis of interesting data points found within.

NOTE – I just found out that there was a SECOND Ashley Madison leak. Oh joy.

Leak Contents

The leak is approximately 10GB large and contains the following files:

  • 3109 bytes – 74ABAA38.txt
  • 290470928 bytes – CreditCardTransactions.7z
  • 836 bytes – CreditCardTransactions.7z.asc
  • 1186 bytes – README
  • 836 bytes – README.asc
  • 2790169413 bytes – am_am.dump.gz
  • 836 bytes – am_am.dump.gz.asc
  • 3259437017 bytes – aminno_member.dump.gz.asc
  • 836 bytes – aminno_member.dump.gz.asc
  • 459823881 bytes – aminno_member_email.dump.gz
  • 836 bytes – aminno_member_email.dump.gz.asc
  • 37796243 bytes – ashleymadisondump.7z
  • 836 bytes – ashleymadisondump.7z.asc
  • 738017001 bytes – member_details.dump.gz
  • 836 bytes – member_details.dump.gz.asc
  • 2832373259 bytes – member_login.dump.gz
  • 836 bytes – member_login.dump.gz.asc

In no particular order, here are the items in the leak that I found to be interesting with my background.

Files Found in ashleymadisondump.7z

  • An Excel sheet that contains all of the domain names registered by Avid Life Media (ALM). There are a total of 1,084 domains registered by ALM, and each domain is tagged with some small indicator as to why ALM owns the domain. For instance, ALM owns recoveringfromanextramaritalaffair.com, cheatcatcher.org, and catchahusbandcheating.com for the purpose of “SEO Redirect.”
  • Information about the internal structure of the Ashley Madison organization (floor plans, employee names, organization charts, articles of incorporation, compensation amounts, and loan agreements).
  • An NDA and a valuation document which appear to show that ALM was going to acquire two other dating sites.
  • Paypal account information (email adresses and passwords) for the main accounts used by the various ALM holdings.
  • What looks like a DNS zone transfer of the ALMCLUSTER ALM internal domain.
  • A dump of all of the NTLM hashes used in the ALMCLUSTER ALM internal domain (1,324 records).
  • What looks like a DNS zone transfer of the AVIDLIFEMEDIA ALM internal domain.
  • A dump of all of the NTLM hashes used in the AVIDLIFEMEDIA ALM internal domain (300 records).
  • A dump of the database used for the Swappernet QA site. While this database is only used for QA, it appears that the database’s contents were pulled from production. Because of this, there are 765,606 plaintext passwords that may or may not work for Swappernet production accounts. Fortunately there is not enough information contained within this file to map to any production accounts.
  • An internal presentation on how ALM generates revenue, the state of the company, etc. This presentation comes with pictures like this:
Ashley Madison's cheating justification
Ashley Madison’s cheating justification
  • A document listing the areas of concern that ALM had for customer data (Areas of concern – customer data.docx). Amongst these areas of concern were (1) a data leak resulting in a class action lawsuit against us, (2) code bug resulting in remote code execution exposing customer data (sql dump), and (3) web app remote code exploit in our codebase resulting in a man-in-the-middle attack where a hacker gains access to our customer’s billing/credit card information. There are plenty more areas of concern listed in this file, and to their ALM’s credit these concerns were well founded.
  • Last four digits of credit cards used for online transactions alongside all of the other information necessary for completing the transaction (CCV number, street address).
  • A README.txt file containing a personal message from the Impact Team:

Avid Life Media runs Ashley Madison, the internet’s #1 cheating site, for people who are married or in a relationship to have an affair. ALM also runs Established Men, a prostitution/human trafficking website for rich men to pay for sex, as well as cougar life, a dating website for cougars, man crunch, a site for gay dating, swappernet for swingers, and the big and the beautiful, for overweight dating.

Trevor, ALM’s CTO once said “Protection of personal information” was his biggest “critical success factors” and “I would hate to see our systems hacked and/or the leak of personal information”

Well Trevor, welcome to your worst fucking nightmare.

We are the Impact Team. We have hacked them completely, taking over their entire office and production domains and thousands of systems, and over the past few years have taken all customer information databases, complete source code repositories, financial records, documentation, and emails, as we prove here. And it was easy. For a company whose main promise is secrecy, it’s like you didn’t even try, like you thought you had never pissed anyone off.

Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails. The other websites may stay online.

So far, ALM has not complied.

First, we expose that ALM management is bullshit and has made millions of dollars from complete 100% fraud. Example:

-Ashley Madison advertises “Full Delete” to “remove all traces of your usage for only $19.00”

-It specifically promises “Removal of site usage history and personally identifiable information from the site”

-Full Delete netted ALM $1.7mm in revenue in 2014. It’s also a complete lie.

-Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.

-Other very embarrassing personal information also remains, including sexual fantasies and more

-We have all such records and are releasing them as Ashley Madison remains online.

Avid Life Media will be liable for fraud and extreme personal and professional harm from millions of their users unless Ashley Madison and Established Men are permanently placed offline immediately.

Our one apology is to Mark Steele (Director of Security). You did everything you could, but nothing you could have done could have stopped this.

This is your last warning,

Impact Team

We are not opportunistic skids with DDoS or SQLi scanners or defacements. We are dedicated, focused, skilled, and we’re never going away. If you profit off the pain of others, whatever it takes, we will completely own you.

Contents of Database Dumps

The database dumps contain the following information for all of the Ashley Madison accounts:

  • Creation date
  • Nickname
  • First name
  • Last name
  • Street address
  • Latitude and longitude
  • Phone numbers (work, mobile, generic)
  • Gender
  • Date of birth
  • Ethnicity
  • Weight
  • Height
  • Email address
  • Plaintext security question answer
  • Hashed (bcrypted) password
  • All the kinks (what people are open to, what they are looking for, what turns them on, a caption about themselves)
  • Login username

Depending on which table dump you’re looking at, there will be between ~31.9 and ~36.3 million accounts.

Considerations on Leaked Data

To address some of the other points that are being debated around the contents of the leak, consider the following:

  • Just because an email address is in one of the user tables does NOT mean that the owner of the address signed up for an account with Ashley Madison. For instance, the email addresses president@whitehouse.gov, gwb@whitehouse.gov, and hildabeast@whitehouse.gov are all present in the database dumps. What would be a much more concrete indicator that someone signed up for the site would be cross-referencing the account IDs between the email addresses and the credit card transactions.
  • Outside of the passwords found in the QA database dump, you’re likely not going to get very many passwords from the contents of this leak. The hashes found within the Ashley Madison member_login table used bcrypt, which is pretty resilient to cracking. Additionally, the domain hashes appeared to be stronger than average. I ran a number of wordlists against the ALMCLUSTER hashes and only a few (less than 10) passwords fell out. If anyone sees different results please let me know at @_lavalamp.
  • If email address lists or username lists are your thing, then you’re going to love the contents of this leak. There are ~33.1 million unique email addresses, with roughly the same number of unique usernames.
  • It appears that new users for Ashley Madison had a default password assigned for them. The plaintext password “111111Iwillneverdoitagain” was found in 40,232 rows, whereas all of the other rows had either (1) a bcrypt password hash or (2) <paid_delete>.
  • The “paid delete” feature that Ashley Madison provides simply replaces the data in a handful of database columns in your records with <paid_delete>. Your records are otherwise not affected.

Analysis of Leaked Data

Having done a bit of academic research, I find statistic analysis to be intriguing (sadomasochistic, I know). I plotted some of the data found in the database dumps and came up with the following charts. Note that these charts show statistics for a data set containing a total of 36,397,894 unique accounts.

The vast majority of accounts were for email addresses registered at gmail.com, hotmail.com, and yahoo.com:

Ashley Madison accounts by email domain
Ashley Madison accounts by email domain

There are a total of 2,225 accounts registered with the .gov TLD. The most common .gov email domains are as follows:

Ashley Madison .gov domain emails
Ashley Madison .gov domain emails

Female and male account registrations by day of year tended to follow the same pattern, outside of a spike in female registrations around the end of January. Something bad apparently happens at the beginning of April – filing for taxes perhaps?

Ashley Madison accounts registered by day (male)
Ashley Madison accounts registered by day (male)
Ashley Madison accounts registered by day (female)
Ashley Madison accounts registered by day (female)
Ashley Madison accounts registered by day (male & female)
Ashley Madison accounts registered by day (male & female)

Female and male ages also tended to follow the same pattern. There’s something about being either 37 or 50 that really makes people want to have affairs (or make the really risky decision of signing up for a site that helps you have affairs):

Ashley Madison account ages (male)
Ashley Madison account ages (male)
Ashley Madison account ages (female)
Ashley Madison account ages (female)
Ashley Madison account ages (male & female)
Ashley Madison account ages (male & female)

The overwhelming majority of accounts on the Ashley Madison site were for men, and this is without taking into account the rumors that Ashley Madison flooded their site with fake accounts for women:

Ashley Madison accounts by sex
Ashley Madison accounts by sex

Lastly, a few choice words championed most of the users’ captions:

Ashley Madison caption word cloud
Ashley Madison caption word cloud

It all starts with hello!

Conclusion

Hopefully I addressed some of the questions you may have about what was actually leaked in the Ashley Madison breach. While the leak doesn’t contain a treasure trove of passwords, credit cards, and social security numbers, its contents are still incredibly damaging to those that it affects.

As an aside, Ashley Madison still claims that its members are anonymous:

Ashley Madison users are anonymous?
Ashley Madison users are anonymous?

I do not envy the folks responsible for cleaning this mess up.