
Ashley Madison Source Code Leaked As US Military Investigates .Mil Addresses

The hacker or hackers behind the breach of adultery-oriented dating site Ashley Madison have released a second cache of data twice the size of the first, as it emerged that thousands of US government workers in sensitive security-related positions may have accessed the site from government networks.

The latest leak is roughly 19 GB in size, or about twice the 9.7 GB of Wednesday’s cache, according to security researchers, who said it appears to be genuine.

“It does appear to be legitimate like the other dump,” said researchers at TrustedSec in a blog post late on Thursday.

The new release seems to have been prompted by statements from Ashley Madison’s Toronto-based parent company, Avid Life Media (ALM), which stopped short of confirming that the leaked data was authentic.

It includes the message: “Hey Noel, you can admit it’s real now,” in reference to ALM chief executive Noel Biderman, and contains a compressed file that, from its filename, appears to contain Biderman’s emails. However, researchers said this file cannot be opened, and may either be fake or corrupted.

Other files in the cache include the source code for all of ALM’s websites and mobile applications, as well as plain-text or poorly hashed credentials, which could leave ALM exposed to further attacks, researchers said.

“Having full source code to these websites means that other hacker groups now have the ability to find new flaws in Avid Life’s websites, and further compromise them,” TrustedSec wrote.

US military emails

Meanwhile, the US Department of Defence confirmed it is investigating the use of thousands of email addresses using the .mil top-level domain in accounts revealed in the leak of Ashley Madison user data earlier this week, as a review of the data indicated that many government employees may have accessed the site from their workplaces.

US defence secretary Ash Carter told a briefing on Thursday the military was aware that more than 15,000 .mil email addresses were linked to the exposed accounts.

“I’m aware of it, of course it’s an issue, because conduct is very important,” he said. Adultery can be a prosecutable offence in the US military.

Wednesday’s leak also reportedly included personal details of British civil servants and Ministry of Defence staff, although the veracity of these details hasn’t been confirmed.

Security experts have warned that much of the data released by the attackers calling themselves “Impact Team” is likely to be fake, due to lax controls implemented by the site, such as the non-enforcement of email verification, meaning a user could create an account with someone else’s email address. They have pointed out that Ashley Madison also offers standard dating services.

However, the site markets itself as a service for facilitating extramarital affairs, and many of the users whose data was released online have admitted that that was their purpose in accessing it, according to reports.

Government users

Separately, a review of the data leaked on Wednesday found that hundreds of government employees appear to have accessed the service from their workplaces, based on logs of Internet Protocol addresses dating back over the past five years.

The Associated Press said it reviewed the IP address logs and used credit card details that had been stored by ALM to identify hundreds of US government employees, many in sensitive positions in the White House, Congress and law enforcement agencies, and contacted some of those involved to confirm their identities.

Those involved include two assistant U.S. attorneys, an IT administrator in the President’s office, several people in high-ranking Justice Department positions, and several Department of Homeland Security employees, AP said.

An unnamed Justice Department investigator contacted by AP acknowledged he had used the site for “things I shouldn’t have been doing” and said he would reveal his actions to his family and employer if needed to prevent blackmail.

The AP said it is the first to identify federal employees in the Ashley Madison data cache by analysing the leaked IP address logs.

ALM declined to comment apart from a previous statement calling the hack criminal.


Matthew Broersma

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDNet and other leading publications.

Comments

  • About time action was taken against those 'Analysing' or even looking at the data - this is data from the proceeds of a serious crime.

    As for the situation where 'Adultery can be a prosecutable offence in the US military', it's probably even more of a security threat to the military than the hounding of gay people from a blackmail security aspect.
