Ashley Madison Leak: 33.3M Records Exposed Profiles, Passwords

leaksear.ch has indexed 33,254,335 records from the Ashley Madison leak, tied in the index to July 19, 2015, for Avid Life Media's infidelity-focused dating site (leaksear.ch metadata). The indexed dataset exposes account, profile, contact and credential data, including emails, usernames, names, addresses, phone numbers, dates of birth, IP addresses and hashed passwords (leaksear.ch metadata).

What happened

Public reporting identified the attackers as the self-identified Impact Team, which posted data samples and internal company material in July 2015 and demanded that Ashley Madison and Established Men be taken offline (krebsonsecurity.com).

Regulators later documented an earlier detection timeline: ALM staff observed unusual database behavior on July 12, 2015, an attacker notice appeared on July 13, public notices appeared on July 19, and large files containing Ashley Madison database records and corporate material were posted on August 18 and 20. The joint Canadian and Australian privacy investigation said it made no conclusion about the cause of the breach itself (www.oaic.gov.au).

Public scale estimates differ by source. Have I Been Pwned lists 30.8 million affected accounts and more than 30 million unique email addresses, the FTC described account and profile information for 36 million users, and leaksear.ch indexed 33,254,335 records from this dump (haveibeenpwned.com, www.ftc.gov, leaksear.ch metadata).

What data was exposed

According to leaksear.ch metadata, searchable fields include address, dateOfBirth, email, hashedPassword, ipAddress, name, phone and username (leaksear.ch metadata). Stored context fields include account type, ad source, city, ZIP or postal details, country and state IDs, gender, membership status, mobile and work phone, nickname, location coordinates, profile attributes, seeking preferences, sexual preference context and security question fields (leaksear.ch metadata).

Have I Been Pwned lists dates of birth, email addresses, ethnicities, genders, names, passwords, payment histories, phone numbers, physical addresses, security questions and answers, sexual orientations, usernames and website activity as compromised data classes (haveibeenpwned.com).

One important caveat for analysts and journalists: the OAIC and OPC report says ALM did not verify email addresses, and that a listed email address may have been submitted by someone else. Treat an email match as an exposure signal, not automatic proof that the mailbox owner created or used an Ashley Madison account (www.oaic.gov.au).

Why this matters

Sensitive profile context combined with direct contact data creates high risk for targeted phishing, extortion, doxxing and reputational harm. The Canadian and Australian privacy commissioners documented extortion attempts against affected individuals, and KrebsOnSecurity later described the post-leak fallout as public shaming and extortion of many users (www.oaic.gov.au, krebsonsecurity.com).

The presence of usernames and password data also gives defenders a reason to check for password reuse and enforce MFA, while individuals should rotate any reused passwords and watch for targeted scam messages. The FTC settlement shows the regulatory significance of retaining and exposing sensitive profile, account-security and billing data, including information tied to users who paid for Full Delete. To check whether you, your users or your organization are present in this Ashley Madison leak, use leaksear.ch's lookup options for the searchable fields listed above (www.ftc.gov).

Check your exposure

Vetted researchers and incident-response teams can request access or sign in if they already have access to check this dataset. Searchable pivots for this leak include address, date of birth, email, hashed password, ip address, name, phone, and username.

Ashley Madison Leak: 33.3M Records Exposed Profiles, Passwords

What happened

What data was exposed

Why this matters

Check your exposure

Sources