This was always going to be a huge incident given not just the scale of the number of accounts impacted by the Ashley Madison breach (well over 30M), but the sensitivity of the data within it. However, the interest has surprised even me – I loaded the breached data into Have I been pwned? (HIBP) about 8 hours ago and I’m presently seeing about 30k visitors an hour to the site. I’ve had a commensurate number of media and support queries such that I just can’t respond to them all individually, so I’m putting together this Q&A instead.

One very important point first: HIBP will not expose any Ashley Madison data to the public. I wrote about this last month in anticipation of the Ashley Madison data being leaked and I stand firm on that today. Even though there are now multiple sites making it easy for anyone to check any email address, as someone very aptly said yesterday “you don’t want to be that guy” – the one who could be the channel through which information is learned that has a serious adverse impact on people’s lives.

Here’s the Q&A; I’ll continue to add to these as questions arise:

Q. HIBP says I was pwned – is there any way to see which site this was on?

It says it immediately under that notice. For example, I was pwned in the Adobe breach so I see info about Adobe directly underneath the heading “Breaches you were pwned in”.

Q. I signed up to Ashley Madison with an email account I’ve since closed – how do I check if I was in the breach?

HIBP depends on you being able to verify your address by clicking on a unique link you’re sent via email. If you can no longer access the email account then you cannot verify that you own it and therefore you cannot check if you were in the Ashley Madison breach. This is for your privacy as well as for everyone else’s. An alternative would be to check one of the sites that’s making everyone’s address publicly searchable (I won’t provide links here for the obvious privacy reasons).

Q. I subscribed to notifications via HIBP and saw I was in the Ashley Madison breach but can’t see it listed when I subsequently search for my email address.

This is intentional and it’s to ensure that you can only see Ashley Madison appear as a pwned site during the verification process. You cannot see it if you search HIBP again outside that context – this is to ensure that others also can’t see that you were in the breach.

Q. Can you tell me what other data of mine Ashley Madison had and has since been leaked publicly?

The only data HIBP holds are email addresses. Short of going back to the source data breach and filtering out your personal info ad hoc (which is not data I want to see on an individual basis), this is not feasible. If HIBP shows you were in the breach after you subscribe to notifications, work on the assumption that any information you gave Ashley Madison is now public.

Q. Do you know if [other data attributes] were leaked? For example private chats, photos, etc?

I’ll do a more detailed write-up at a later date (as I’m sure many others are already doing); for now the only data attributes I can confirm are those I list in the “compromised data” section of the Ashley Madison entry on HIBP.

Q. I was a member on Ashley Madison but I can’t find myself when I search HIBP.

Per the introduction to this Q&A, you will not find your email address against Ashley Madison if you search HIBP via the public interface. If you subscribe to notifications you’ll see whether you were in the breach or not after verifying your email address. A negative result means you were not in the “member email” table included in the data breach.

Q. Can you please remove my email address so that nobody else can search for it?

You can only see that you were in the Ashley Madison data breach after verifying that you own the account. Nobody else can simply come to HIBP, search for your email address and find you in the Ashley Madison breach.
Do be conscious though that people can do this through other sites which allow anonymous searching. At this point, attempting to remove your data from the internet is futile and you should consider how best to minimise the impact on you personally assuming anyone can now discover you were an Ashley Madison member.