The release of personal information reportedly belonging to more than 36 million members of adultery-focused dating site AshleyMadison.com contains 15,000 email addresses with military or federal government domains, according to a separate online data dump.
The unverified totals, posted by Twitter user @t0x0 and cited by Wired magazine and other media outlets, include 6,788 addresses ending in "us.army.mil," another 1,665 ending in "navy.mil," 809 ending in "usmc.mil" and 206 in "mail.mil."
The presence of an individual's email account in the leaked files doesn't indicate its owner participated in services offered by the website, which uses the slogan: "Life is short. Have an affair." It may not even mean the owner signed up in the first place.
"People would put whatever email address on there, and Ashley Madison wouldn't check it," said Robert Graham, CEO of Errata Security, a cybersecurity consulting company he has run for the past 10 years. "People could lie, and they often did lie."
Graham couldn't confirm the dot-mil and dot-gov totals, but said the figures roughly correspond to what he had seen in his analysis of the leaked data. He also put the total accounts at above 36 million, slightly below the site's claimed 40 million members.
While a functioning email address was not required to register at AshleyMadison.com, users interested in connecting with other users generally were required to pay for the privilege. The credit-card payments and billing addresses, also part of the nearly 10-gigabyte dump, are more reliable personal identifiers, Graham said.
"Most of the people that paid money used their real name," said Graham. "That is a hard data point."
This would link the individuals to their profile sheets, which include the basics sought by most dating websites like age, height, and weight, Graham said, but also offered "very lurid fantasies," in some cases.
Even users who may think they remained anonymous throughout the process could be tripped up by GPS-locator details included in the hack, Graham said — if a user created an account using their cellphone while in their house, for instance, the account could be traced to their GPS coordinates.
Breach basics
The Twitter-posted data set, which does not reveal full email addresses, says 55 users registered with "usarmy.mil," four signed up with the nonexistent "yahoo.gov" and two used "u.s.army.mil," among other nonfunctioning domains and likely typos.
Other, more specialized military domains — aircraft carriers, Reserve and National Guard branches, unit-specific email addresses, and so on — also are represented on the list in smaller numbers, reportedly culled from the main data set. That data was released late Tuesday by the a group calling itself the Impact Team, which claimed last month to have hacked the site and pledged to publish the data unless Avid Life Media, creator of AshleyMadison.com and sister sites like CougarLife.com, shuttered its websites.
"We have explained the fraud, deceit, and stupidity of ALM and their members," the hackers said in a statement accompanying the release. "Now everyone gets to see their data."
In response, Toronto-based ALM called the hack "an illegal action against the individual members of AshleyMadison.com, as well as any freethinking people who choose to engage in fully lawful online activities," and said U.S. and Canadian authorities are on the case.
A variety of blogs, social-media posts and media reports offer links purportedly directing readers to websites that claim to offer a search function for those interested in AshleyMadison.com clients. While Graham said the technical background to put such a site together could be found in "a teenage kid with a little bit of web programming knowledge," it did present an opportunity for more potential problems.
"If one of those sites asks for your husband's [AshleyMadison.com] password, it's probably a scam site," he said, adding that the "standard browse-the-Internet" security rules should apply to such offers.
While it's possible some users offered a fake military email account as part of a false identity, it wouldn't have helped — the AshleyMadison.com sign-up page instructs users that the email address "will never be shown or shared."
Kevin Lilley is the features editor of Military Times.
