back to article Ashley Madison spam starts, as leak linked to first suicide

Part of the near-inevitable wash-up from the Ashley Madison hack has begun, with people reporting getting emails offering to save them from embarrassment, and a possible suicide in the USA. The misery caused by the hack is already in evidence in this report of a San Antonio city employee named in the Ashley Madison database …

  1. Mark 85 Silver badge

    Spam started...

    No surprise and it started trickling in on Friday. I have two friends who claim they never used it are getting spam on an email account used only for business purposes including one that's a "no-response" email used for letting customers know their order is being processed. He checks that address just in case some idiot does respond.

    These appear to be just run of the mill spam with the miscreants blindly shipping out the garbage.

    I'm suspecting some malware authors are picking up on this as one of the emails was an attachment claiming to show them in the database.

    The other person got one saying they could remove them from the "stolen database" by contacting them for "payment arrangements". The foolish who believe this might as well find the Nigerian Queen offering them money in return.

    And so another spam nightmare begins for IT....

    1. Anonymous Coward
      Anonymous Coward

      Re: Spam started...

      Yeah lucky for me I actually checked and found I had an ancient very short yahoo address that came up positive (using checker sites). Worried what was going on (have visited plenty of dodge porn sites over the years but have never given a credit card) I decided to risk it (sadly forced to torrent it and even over tor with encrypted everything this is a risky way to get it) and and downloaded the first data dump (second is a website code dump well worth avoiding). I then proceeded to try to import it into mysql but quickly realized innodb is garbage for this purpose and would take a week. I then googled and figured out to use MariaDB with the Aria engine instead and the whole import took only a few hours even on my older hardware. After some fairly simple SQL querying (being a computer nerd (unlike Joe Q Public using excel as a db) has its advantages) I quickly figured out the data associated with my old email had nothing to do with me. Ashley Madison may be total scumbags business wise but their database was very logically organized which surprised me based on what I have seen with these webcraptastic companies. They must have hired decent contractors to organize it and then nobody to protect it. Also my ninja fgrep skills helped me determine no hits on me on in the credit card csvs either (really csvs huh?, wasn't worried but wanted to verify a data theft didn't happen years ago that I didn't realize). I actually closed the yahoo email account (used as a throw away in the early days) as soon as I saw the positive hit. Still so much happier now than at beginning of weekend (of course after wiping drive of all data including even the OS) . Yes it is a crime to download the data but its out there and I was going to be damned if the bad guys (or half the internet) knew something I didn't as pertaining to me at least.

      1. Anonymous Coward
        Anonymous Coward

        Re: Spam started...

        And no I didn't use Trustify for the initial check (no https plus dodgy looking up front yeah no thanks). There are decent sites if you look but sadly you may be better off just downloading the 10 gig dump and checking yourself (just don't keep around, use the data in anyway or check on anyone but your own email addresses or name).

        1. P. Lee

          Re: Spam started...

          >here are decent sites if you look but sadly you may be better off just downloading the 10 gig dump and checking yourself

          Why would you bother? If you signed up, you should assume that you're in there. What are you going to do about it?

          As for "imposing a personal view of morality," well, I guess if you don't subscribe to that view, you won't be bothered by practical implications of it - the data going public. That would be a bit like calling yourself a Christian but being embarrassed to tell people you go to church.

          1. Grikath

            Re: Spam started... @ P. Lee

            You're forgetting the lovely Puritan double standards a lot of North Americans have to live by, if not for themselves, then for the bloody curtain-twitching Neighbours. Nothing is as unforgiving as mrs. Grundy's Opinion in Suburbia...

            1. Anonymous Coward
              Anonymous Coward

              Re: Spam started... @ P. Lee

              > Nothing is as unforgiving as mrs. Grundy's Opinion in Suburbia...

              Unlike in most of the rest of the developed world companies in the US can actually use crap like to fire people to get out of severance payments (even outside the right to work (ie right to fire unconditionally ) states).

            2. Anonymous Coward
              Anonymous Coward

              Re: Spam started... @ P. Lee

              >You're forgetting the lovely Puritan double standards a lot of North Americans have to live by

              And where did those asshole Puritans come from whose ghosts still pollute our politics today? Another gift for the colonies. Also Isn't it funny how many countries today hostile to the West where once British (and occasionally French) colonies? I badly digress.

              1. anonymous boring coward Silver badge

                Re: Spam started... @ P. Lee

                I take it from your comments that you are a native american of some kind?

          2. Annihilator Silver badge

            Re: Spam started... @PLee

            "Why would you bother? If you signed up, you should assume that you're in there. What are you going to do about it?"

            Well if you bothered to read the comment, this is the "if you *didn't* sign up, but someone else used your details" scenario that was being checked. Sign-up details weren't validated in any way by AM, so there's a lot of presumably fake data in there..

          3. Anonymous Coward
            Anonymous Coward

            Re: Spam started...

            >Why would you bother? If you signed up, you should assume that you're in there.

            Perhaps you remember every site you ever signed up for since 2001 but not everyone does. Everyone seems to assume AM was something that just showed up the last three years for cheating when it started life as a dodgy hookup site not pushing just the infidelity. I think based on what I saw in the data scheme they actually allowed signing up at one time without a credit card and regardless I believe the CC data only goes back to 2009 or something like that. Not to mention even if you do vaguely remember signing up you might not be sure how much real data you gave them including even which email address. Not surprisingly the longer ago you signed up and less you used the site the more incomplete the data looks on you. What sucks is knowing you have never cheated on a gf or wife and have not used a dating site in a decade but not remembering in your drunken stoned college days if you did and if you did how the info makes people presume you are guilty when you are not. Remember literally anybody can see this data as they can always pay a nerd to access it. Luckily as I said in my case it turned out someone just used a common email handle I had long ago and is not associated with me in hardly any way. I pity the fools with their name in their email address.

      2. Anonymous Coward
        Anonymous Coward

        Data Protection Act question

        " Yes it is a crime to download the data but its out there and I was going to be damned if the bad guys (or half the internet) knew something I didn't as pertaining to me at least"

        That suggests an interesting question concerning interpretation of the UK Data Protection Act. Holding and processing sensitive personal data without a legitimate purpose is an offence under this act. However, individuals have a right under this act to know what personal data is held concerning them (I guess by UK holders of this data). While I'm not a lawyer, I'd still guess you could argue that given your interest in the data is to find out what is held on you is exercising your explicit rights, this therefore isn't an offence, and it wasn't practical to obtain less than the entire database already in the public domain for this purpose without disclosing further personal data.

        This also suggests the DPA needs updating to cover the situation where collections of sensitive personal data are placed into the public domain - this scenario wasn't part of the conception of this law. It doesn't correspond with any principle of natural justice that an offshore journalist or blackmailer can know something about you when you are not allowed to know what they know.

      3. CommanderGalaxian

        Re: Spam started...

        "...forced to torrent it and even over tor with encrypted..." RTFM - https://blog.torproject.org/blog/bittorrent-over-tor-isnt-good-idea

        1. Anonymous Coward
          Anonymous Coward

          Re: Spam started...

          >"...forced to torrent it and even over tor with encrypted..." RTFM - https://blog.torproject.org/blog/bittorrent-over-tor-isnt-good-idea

          Yes as I said as much this is your big risk but I guess you just pray for obscurity in numbers (like close to 10,000 seeds and leeches). More than anything was just hoping to avoid some half ass filter my ISP might have to flag it. I don't regularly use bittorrent over tor as its a shitty thing to do usually anyway, just buy the movies you cheap bastards, but this a big exception). Downloading the data may be illegal but morally I feel ok downloading it only to check for any of my data (they lost out owning it when they couldn't secure it) and then not keeping it around.

  2. This post has been deleted by its author

    1. h4rm0ny

      Stealing a rival company's customer list and then spamming all of them with sales pitches is not, imho, "something positive".

      Anyway, whilst I'm posting I might as well add my own voice to the Trustify are scum crowd. Troy Hunt (in the article) set up a system whereby you could search for your details but it would only confirm by sending the results to the registered email address. THAT is responsible. Trustify are not.

      1. Pascal Monett Silver badge

        Re: "Stealing a rival company's customer list and then spamming all of them with sales pitches"

        These days, it's called a business opportunity.

    2. Just Enough

      "Something positive"

      How exactly would that email go?

      "That last website turned into an almighty cluster-shag of a nightmare for everyone. You're probably just feeling relieved that it hasn't gone rancid for you, yet. But do you fancy another go where we'll get it right this time, honest, feeling lucky?"

      1. Anonymous Coward
        Anonymous Coward

        Re: "Something positive"

        Elsewhere in 'something positive' news, perhaps this chap would be interested in people's views...

        https://www.linkedin.com/in/dboice - Harvard are raising some quality Peepes these days.

        Oh look, he has a twatter account... @dannyboice Where he expounds: 'For local startup Trustify, the Ashley Madison hack is good business'

        Anon, to avoid spam, natch

      2. Tom 38 Silver badge

        Re: "Something positive"

        "That last website turned into an almighty cluster-shag of a nightmare for everyone. You're probably just feeling relieved that it hasn't gone rancid for you, yet. But do you fancy another go where we'll get it right this time, honest, feeling lucky?"

        A lot of people (not just men) completely lose all sense of intelligence when there is even the off-chance of increasing global genetic diversity, so it might work.

      3. verbaloversupply

        Re: "Something positive"

        Well if it turned into a "cluster-shag", they really shouldn't be complaining or moving from AM.

  3. Andy Tunnah

    Let it pass

    I know it's horrible and I know it's going to cause loads of problems...but just ride it out. If you're on there and the pressure is coming externally, ignore it, ride it out, it'll pass.

    These sort of things (albeit not on this scale) happen all the time. Embarrassing situations you have to explain, and then gets forgotten about with the myriad of other random crap about a person.

    Sure some will suffer worse than others, but I doubt that's because of the external pressure. It's just scam artists trying to earn a buck.

    From what I've heard from people who are on there (I don't judge..although I looked up my brother in law, then I woulda judged..) and most people signed up but never went through with a hook up, they chickened out. Obviously I don't know if the small data pool I have is indicative of everyone, but the optimist in me likes to think so

    1. Anonymous Coward
      Anonymous Coward

      Re: Let it pass

      If I had to guess %95+ of the actually hookups were between gay men. Granted they can now cheat on male spouses in some places but I would be amazed if more than 1 or 2 out of every 100 users on there actually cheated with a woman on another woman. Seems more like the ultimate honey pot for black mailing dumb drunk horny b*stards.

      1. Robert Carnegie Silver badge

        Re: Let it pass

        The Religious Police, in countries where there are Religious Police (and computers), presumably are already rounding up and prosecuting homosexual men and women identified in the data.

        If we'd known it would happen (and I suppose we did really) then those of us who disapprove of that kind of policing apparently could have opened accounts in the names of each country's Head of Religious Police and their leading deputies. If we wanted to spend the money.

        1. Anonymous Coward
          Anonymous Coward

          @Robert Carnegie Re: Religious Police

          "could have opened accounts in the names of each country's Head of Religious Police and their leading deputies. If we wanted to spend the money."

          Whose credit card do you think would be used ? To poison the data of dodgy low-life dating sites, someone committing such a hypothetical offence would alternatively pretend fake accounts under such email addresses are female - as female accounts went onto AM for free so presumably no credit card needed. Such individuals seem to deserve to have their virtual genders reassigned anyway especially if this will arouse even greater derision. When such databases are doxed, those viewing these may arrive at either of 2 reasonable but misled conclusions - either that said HORP is engaged in entrapment, or is even more weird than would otherwise be thought.

    2. Anonymous Coward
      Anonymous Coward

      Re: Let it pass

      From what I've heard from people who are on there (I don't judge..although I looked up my brother in law, then I woulda judged..)

      Well, no. I purposely stay away from the results of hacks and privacy invasions such as making pictures of people in places where they ought to feel safe, leaked selfies and private films/photos, regardless from who it is, for one, simple reason: if I look at it, I become part of the problem. A website hosting this crap only looks at the hits and ad revenue they get, they don't care about the harm this causes. To me, that makes you a lowlife.

      Sorry if that appears overly simple, but I feel strongly that you shouldn't be hypocritical about this. If you would not like this to happen to yourself, you should not act differently if it happens to someone else..

  4. Griffo

    No Suprising

    Nobody should be that suprised.

    However in their defense - they appear to only be sending emails to the CONFIRMED present email address. Not any of the tested but not-found emails, or all of the emails on the list.

    So it should work as a wake-up to people that not only are they on the list, but somebody knows they are on the list.

    1. Anonymous Coward
      Anonymous Coward

      Re: No Suprising

      However in their defense

      There IS no defence for this.

    2. Anonymous Coward
      Anonymous Coward

      Re: No Suprising

      "However in their defense - they appear to only be sending emails to the CONFIRMED present email address. Not any of the tested but not-found emails, or all of the emails on the list."

      -thats like saying that, in their defence, they are only groming children after confirming that they are underage, leaving the rest alone (also see hitler, war, worse than godwin, etc).

  5. LDS Silver badge
    Devil

    I'm sure privacy concerns will be taken seriously this time...

    ... because the nature of the data, because of the people involved, and because data are available for free to anyone and not to a few ad giants only.

    As usual, lawmakers will really act only when their own butts are on fire... and when they have nothing to gain personally but a lot to lose.

    1. Anonymous Coward
      Anonymous Coward

      Re: I'm sure privacy concerns will be taken seriously this time...

      I'm sure privacy concerns will be taken seriously this time...

      ... because the nature of the data, because of the people involved, and because data are available for free to anyone and not to a few ad giants only.

      Not a chance. For starters, you can see already that most publications and comments about this focus much more on the slightly dodgy site of this site than the fact that yet again, information has leaked where it was blatantly obvious that it shouldn't. If this had been a child hospital all would be up in arms, but now the snigger brigade is drowning out the issue.

      Secondly, the media have trained people to have the attention span of an anaemic mosquito. If it wasn't for the lawsuits and not-so-nice side effects, most people would be back to talking about the Kardashians in two weeks max. By way of illustration, ask your random man in the street what the Leveson enquiry was about and you'll already get blank looks.

      Frankly, I don't know what *will* make a difference.

  6. Pascal Monett Silver badge

    Major shitstorm in the making

    So now we have "verification sites" that have basically sprung up overnight to "inform you" if you're on the database dump. Of course, all manner of offers may follow, with removal services in exchange for money as the goal.

    You'd be a fool to pay for that though, because nobody is going to change the initial dump, meaning you might pay to get removed only from a copy of the data. Fat lot of use that would be, but I'm sure some poor saps will fall for it.

    The fecal matter has hit the blade rotation device and it's going to get worse before it gets better.

  7. Anonymous Coward
    Anonymous Coward

    Awww

    I never make these lists!

    1. Anonymous Coward
      Anonymous Coward

      Re: Awww

      I never make these lists!

      Time to sharpen your identity theft skills then?

      1. Anonymous Coward
        Anonymous Coward

        Re: Awww

        Can I add myself on now, might get some street cred for my Match.com account and find a date after 4 years of no replies.

        I know, small penis and no money.....but here's hopeing

  8. Sykobee

    So the data was stolen, illegally. It was then published online.

    Isn't every entity putting it up online in a searchable manner actually an accessory to the crime?

    1. TeeCee Gold badge

      Yes, the data was stolen illegally. However, whether or not it's then illegal to publish it online is a case for argument.

      Does receiving/handling stolen goods apply to data?

      1. Anonymous Coward
        Anonymous Coward

        Stolen data (the thieve-ses)

        "Yes, the data was stolen illegally. However, whether or not it's then illegal to publish it online is a case for argument."

        It wouldn't surprise me if there was not some legal loophole. Especially in the UK because of rushed out ill-conceived legislation...

        The tap keeps dripping

      2. Grikath

        Here in Holland the laws regarding fencing apply to stolen data. YMMV for other parts of Europe, but this kind of case is generally regarded as "theft/burglary" of non-physical property afaik.

      3. stungebag

        "Yes, the data was stolen illegally. However, whether or not it's then illegal to publish it online is a case for argument.

        No case fior argument at all in many jurisdictions. In the UK (and, I imagine, the rest of the EU) it's an offence to merely possess personal data without registering it. To make that data available online would cause the authorities to take a very dim view.

    2. Dr Dan Holdsworth
      WTF?

      Engage brain here, folks

      A load of data was stolen from the Ashley Madison databases.

      A load of data that some criminals claim was stolen from these databases has now appeared online.

      If you look closely, there's a gap between the data being nicked, and the data turning up online. Remember, we're dealing with criminals here, so who is to say that the data has not been tampered with between being stolen and being released?

      Ashley Madison were also known for not doing very much, if any, checking on emails they were given. Thus I dare say root@127.0.0.1 will have been trying to cop a free shag according to the records; certainly email@example.com was.

      Just because an email address was in the data dump doesn't mean that the person whose email it purportedly was had ever joined that site, or been involved with it in any way, shape or form.

  9. lawndart

    Anyone else seeing the advert for a Software Engineer/Full Stack Engineer at ScrewFix alongside these comments?

    Made me grin, anyway.

    1. Teiwaz Silver badge
      Go

      Ads

      "Anyone else seeing the advert for a Software Engineer/Full Stack Engineer at ScrewFix alongside these comments?

      Made me grin, anyway."

      Nope, all I got was M&S Bank loans

      (any associations with getting a loan to pay for data removal are a long stretch)

  10. Anonymous John

    I wonder when/if the lads from Lagos jump on the bandwagon?

  11. anonymous boring coward Silver badge

    Well, I hope the hacker/thief feels proud of him/herself now.

    Perhaps there is some dirt that could be dug up about the theif him/herself? Such as the fact that he/she is a thief, perhaps?

    1. Anonymous Coward
      Anonymous Coward

      him/her etc...

      Can we just not settle on "shim" or "sher"?

      1. Anonymous Coward
        Anonymous Coward

        Re: him/her etc...

        Not on THIS website!

  12. Anonymous Coward
    Anonymous Coward

    open source db

    Nice that an open source database was used though.

    You'd have thought they would have picked one of the expensive ones, like sybase or oracle.

  13. Anonymous Coward
    Anonymous Coward

    Pop up advert

    On this page 'Find love online at - the shelter pet project' - is it just me or is that going too far?

  14. Gregsy A.

    Its worse than people imagined

    It appears that since the last release of the leaked data the hackers have been releasing information about the cheaters throughout the net.

    Pastebin is a treasure trove of leaked info:

    http://pastebin.com/hqgKaumE

    http://pastebin.com/9Y1hc9qE

    http://pastebin.com/8eZUbvW8

  15. jwilliams88

    Fake data?

    The statistics on the data tend to indicate allot of fake profiles given the numbers. http://www.cheateraddresschecker.com gives stats based on location data.

  16. Richard Altmann

    The Internet

    is kaputt. Another 30 Million learnt it the hard way. So what? The sooner someone might come up with a better idea of how to "communicate".

  17. This post has been deleted by its author

  18. Anonymous Coward
    Anonymous Coward

    If you want to know if your email address is in the database, then have a look at "Have I been pwned" website. It has a handy .com address. You cannot check other email addresses, because for the AM affair, you can only use your own verified email address to check.

  19. Speltier

    Krebs

    Points out some interesting details about the purloined data. And the Ashley site owners have been slinging FUD fast and furiously.

    It was pointed out that there are a pile of fake data dumps out there as all the creepies under the rocks try to claim cred. So, now there is plausible deniability: "my name was in that database because my name was stolen from <pick your store> and just rolled up to make a fake data dump". Then the Asley greedsters throw in the claim that they never saved any credit card numbers ("we used a third party for payment processing"), so any dump with CC numbers is fake. But is this latter true, or a way for Ashley to discredit the real data dump? Then someone (maybe Ashley itself?) takes a (maybe real) data dump, expunges CC numbers, adds in a few names like obama@whitehouse.gov, and fuzzes the data even more...

    On the whole what is interesting is the method of discrediting the data sloshing around. What the original thieves needed to do was get the data signed by a timestamp authority, so they really truly could claim to have the First Data Dump... all others are purveyed by charlatans.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021