Ashley Madison

I’ve always written very publicly about how Have I been pwned [https://haveibeenpwned.com/] (HIBP) was conceived, built and indeed how it performs. If ever there was a time to look back at that performance, it’s in the wake of the first few days after loading in the Ashley Madison breach. I want to share the “warts and all account” of what I observed over the three days of utter chaos that ensued. I first learned of the incident at about 6am local on Wednesday which was very shortly after the t...

To date, I’ve avoided commenting on the other Ashley Madison search services and have invested my efforts purely in keeping Have I been pwned? [https://haveibeenpwned.com/] (HIBP) ticking along. I’ve seen them come and indeed I’ve seen some of them go too. I’ve seen many that enable you to get confirmation about the presence of an email in Ashley Madison, others that return everything about the user. Publicly. To anyone. But something I saw today struck a very different chord with me, something...

I found myself in somewhat of a unique position last week: I’d made the Ashley Madison data searchable for verified subscribers of Have I been pwned? [https://haveibeenpwned.com/] (HIBP) and now – perhaps unsurprisingly in retrospect – I was being inundated with email. I mean hundreds of emails every day with people asking questions about the data. Not just asking questions, but often giving me their life stories as well. These stories shed a very interesting light on the incident, one that mos...

This was always going to be a huge incident given not just the scale of the number of accounts impacted by the Ashley Madison breach [https://krebsonsecurity.com/2015/08/was-the-ashley-madison-database-leaked/] (well over 30M), but the sensitivity of the data within it. However the interest has surprised even me – I loaded the breached data into Have I been pwned? [https://haveibeenpwned.com/] (HIBP) about 8 hours ago and I’m presently seeing about 30k visitors an hour to the site. I’ve had a c...

This morning I was reading a piece on the Ashley Madison hack [http://www.inquisitr.com/2281408/ashley-madison-hack-customer-service-impact-team-complaints-was-he-on-ashley-madison-site-down-as-users-turn-to-private-investigators/] which helped cement a few things in my mind. The first thing is that if this data ends up being made public (and it’s still an “if”) then it will rapidly be shared far and wide. Of course this happens with many major data breaches, but the emergence already of domain...

I always find data breaches like today’s Ashley Madison one [http://krebsonsecurity.com/2015/07/online-cheating-site-ashleymadison-hacked/] curious in terms of how people react. But this one is particularly curious because of the promise of “discreet” encounters: Of course when the modus operandi of the site is to facilitate extramarital affairs then “discreet” is somewhat of a virtue… if they actually were discreet about their customers’ identities! This all made me think back to the Adult...