Ashley Madison Source Code Leaked As US Military Investigates .Mil Addresses
A second data cache twice the size of the first includes the source code for all of ALM’s websites and a file purporting to contain the company CEO’s emails
The hacker or hackers behind the breach of adultery-oriented dating site Ashley Madison have released a second cache of data twice the size of the first, as it emerged that thousands of US government workers in sensitive security-related positions may have accessed the site from government networks.
The latest leak is roughly 19 GB in size, or about twice the 9.7 GB of Wednesday’s cache, according to security researchers, who said it appears to be genuine.
“It does appear to be legitimate like the other dump,” said researchers at TrustedSec in a blog post late on Thursday.
The new release seems to have been prompted by statements from Ashley Madison’s Toronto-based parent company, Avid Life Media (ALM), which stopped short of confirming that the leaked data was authentic.
It includes the message: “Hey Noel, you can admit it’s real now,” in reference to ALM chief executive Noel Biderman, and contains a compressed file that, from its filename, appears to contain Biderman’s emails. However, researchers said this file cannot be opened, and may either be fake or corrupted.
Other files in the cache include the source code for all of ALM’s websites and mobile applications, as well as plain-text or poorly hashed credentials, which could leave ALM exposed to further attacks, researchers said.
“Having full source code to these websites means that other hacker groups now have the ability to find new flaws in Avid Life’s websites, and further compromise them,” TrustedSec wrote.
US military emails
Meanwhile, the US Department of Defence confirmed it is investigating the use of thousands of email addresses using the .mil top-level doman in accounts revealed in the leak of Ashley Madison user data earlier this week, as a review of the data indicated that many government employees may have accessed the site from their workplaces.
US defence secretary Ash Carter told a briefing on Thursday the military was aware that more than 15,000 .mil email addresses were linked to the exposed accounts.
“I’m aware of it, of course it’s an issue, because conduct is very important,” he said. Adultery can be a prosecutable offence in the US military.
Wednesday’s leak also reportedly included personal details of British civil servants and Ministry of Defence staff, although the veracity of these details hasn’t been confirmed.
Security experts have warned that much of the data released by the attackers calling themselves “Impact Team” is likely to be fake, due to lax controls implemented by the site, such as the non-enforcement of email verification, meaning a user could create an account with someone else’s email address. They have pointed out that Ashley Madison also offers standard dating services.
However, the site markets itself as a service for facilitating extramarital affairs, and many of the users whose data was released online have admitted that that was their purpose in accessing it, according to reports.
Government users
Separately, a review of the data leaked on Wednesday found that hundreds of government employees appear to have accessed the service from their workplaces, based on logs of Internet Protocol addresses dating back over the past five years.
The Associated Press said it reviewed the IP address logs and used credit card details that had been stored by ALM to identify hundreds of US government employees, many in sensitive positions in the White House, Congress and law enforcement agencies, and contacted some of those involved to confirm their identities.
Those involved include two assistant U.S. attorneys, an IT administrator in President’s office, several people in high-ranking Justice Department positions, and several Department of Homeland Security employees, AP said.
An unnamed Justice Department investigator contacted by AP acknowledged he had used the site for “things I shouldn’t have been doing” and said he would reveal his actions to his family and employer if needed to prevent blackmail.
The AP said it is the first to identify federal employees in the Ashley Madison data cache by analysing the leaked IP address logs.
ALM declined to comment apart from a previous statement calling the hack criminal.
Are you a security pro? Try our quiz!