A leaksear.ch indexed dataset tied to Ashley Madison contains 35,737,982 records, about 35.7 million, and leaksear.ch indexes the breach date as July 19, 2015 (leaksear.ch metadata). The records relate to the infidelity-focused dating site operated at the time by Avid Life Media and include profile, contact, credential and transaction-related data (leaksear.ch metadata).
What happened
KrebsOnSecurity reported on July 19, 2015 that a group calling itself Impact Team had posted caches of data from Avid Life Media, the Toronto-based operator of Ashley Madison, and threatened to release customer records unless Ashley Madison and Established Men were taken offline (krebsonsecurity.com). A later Krebs retrospective said the group posted Ashley Madison user data on August 18, 2015, one month after the initial public threat (krebsonsecurity.com).
A joint report from Canadian and Australian privacy regulators says ALM detected unusual database activity on July 12, saw an Impact Team notice on employee computers on July 13, and that the attackers published claimed ALM data on August 18 and 20, including approximately 36 million Ashley Madison user-account details (www.priv.gc.ca). The same report said investigators made no conclusion about the cause of the breach, while ALM believed the initial path involved compromised employee credentials and could not fully reconstruct the path because logs had been erased (www.priv.gc.ca).
The FTC later alleged that the operators deceived consumers and failed to protect 36 million users' account and profile information. The 2016 settlement required a comprehensive data-security program, third-party assessments and a $1.6 million payment to settle FTC and state actions (www.ftc.gov).
What data was exposed
The leaksear.ch index lists searchable fields for addresses, countries, dates of birth, email addresses, hashed passwords, IP addresses, names, phone numbers and usernames (leaksear.ch metadata). The indexed records also contain non-searchable context such as account and membership status, gender, profile attributes, security-question fields, location fields, phone subtypes and payment or transaction metadata, including amounts, authorization fields, confirmation numbers, transaction IDs, card brands and card endings (leaksear.ch metadata).
Have I Been Pwned classifies Ashley Madison as a sensitive breach and lists compromised data including dates of birth, email addresses, names, password data, payment histories, physical addresses, phone numbers, security questions and answers, sexual orientations, usernames and website activity (haveibeenpwned.com). Regulators reported that published data included profile data, account data such as email addresses and hashed passwords, and billing information for a subset of purchasers, including real names, billing addresses and the last four digits of credit card numbers (www.priv.gc.ca).
Why this matters
This leak combines ordinary identifiers with adult-dating context, which increases the risk of targeted phishing, harassment, extortion and reputational harm. Canadian and Australian regulators specifically noted extortion attempts in which recipients were threatened with disclosure to family members or employers unless they paid (www.priv.gc.ca). For security teams, exposed emails, usernames, IP addresses and password data can be used as pivots for phishing and account-takeover investigations; for individuals, the priority is replacing any reused passwords and watching for scams that reference Ashley Madison or old billing details. If you may have used Ashley Madison, or if you are checking exposure for your organization, use the exposure checker below to see whether your data appears in this leak.
Check your exposure
Vetted researchers and incident-response teams can request access or sign in if they already have access to check this dataset. Searchable pivots for this leak include address, country, date of birth, email, hashed password, ip address, name, phone, and username.
Sources
- Krebs on Security: Online Cheating Site AshleyMadison Hacked
- Krebs on Security: A Retrospective on the 2015 Ashley Madison Breach
- Office of the Privacy Commissioner of Canada: Joint investigation of Ashley Madison by the Privacy Commissioner of Canada and the Australian Privacy Commissioner Acting Australian Information Commissioner
- Federal Trade Commission: Operators of AshleyMadison.com Settle FTC, State Charges Resulting From 2015 Data Breach that Exposed 36 Million Users' Profile Information
- Have I Been Pwned: Ashley Madison Data Breach