Ashley Madison

A 6-post collection

How did “Have I been pwned?” perform on Azure? An Ashley Madison retrospective

I’ve always written very publicly about how Have I been pwned (HIBP) was conceived, built and indeed how it performs. If ever there was a time to look back at that performance, it’s in the wake of the first few days after loading in the Ashley Madison breach. I want to share the “warts and all account” of what I observed over the three days of utter chaos that ensued. I first learned of the incident at about 6am local on Wednesday which was very shortly after the torrent first hit the air (remember, I’m in Australia which is in the future for most of you). During the day, I pulled down...

Here’s what Ashley Madison members have told me

I found myself in somewhat of a unique position last week: I’d made the Ashley Madison data searchable for verified subscribers of Have I been pwned? (HIBP) and now – perhaps unsurprisingly in retrospect – I was being inundated with email. I mean hundreds of emails every day with people asking questions about the data. Not just asking questions, but often giving me their life stories as well. These stories shed a very interesting light on the incident, one that most people are not privy to and one that doesn’t come across in the sensationalist news stories which have flooded every media outlet in recent days. When sent to me as an unknown third party in...

Ashley Madison search sites like Trustify are harvesting email addresses and spamming searched victims

To date, I’ve avoided commenting on the other Ashley Madison search services and have invested my efforts purely in keeping Have I been pwned? (HIBP) ticking along. I’ve seen them come and indeed I’ve seen some of them go too. I’ve seen many that enable you to get confirmation about the presence of an email in Ashley Madison, others that return everything about the user. Publicly. To anyone. But something I saw today struck a very different chord with me, something that I found to be truly outlandish. Let’s try an exercise; have a careful look at this page and read through all the information on it: Can you see...

Ashley Madison data breach Q&A

This was always going to be a huge incident given not just the scale of the number of accounts impacted by the Ashley Madison breach (well over 30M), but the sensitivity of the data within it. However the interest has surprised even me – I loaded the breached data into Have I been pwned? (HIBP) about 8 hours ago and I’m presently seeing about 30k visitors an hour to the site. I’ve had a commensurate number of media and support queries such that I just can’t respond to them all individually so I’m putting together this Q&A instead. One very important point first: HIBP will not expose any Ashley Madison...

Here’s how I’m going to handle the Ashley Madison data

This morning I was reading a piece on the Ashley Madison hack which helped cement a few things in my mind. The first thing is that if this data ends up being made public (and it’s still an “if”) then it will rapidly be shared far and wide. Of course this happens with many major data breaches, but the emergence already of domains like WasHeOnAshleyMadison.com signal a clear intent to make it easily accessible as well. The second thing was the assumption that leaked data could be removed. Of course it can be in some jurisdictions, but this would be no more than sticking the proverbial finger in the dyke. If released with the intent...

Your affairs were never discreet – Ashley Madison always disclosed customer identities

I always find data breaches like today’s Ashley Madison one curious in terms of how people react. But this one is particularly curious because of the promise of “discreet” encounters: Of course when the modus operandi of the site is to facilitate extramarital affairs then “discreet” is somewhat of a virtue… if they actually were discreet about their customers’ identities! This all made me think back to the Adult Friend Finder breach of a couple of months ago. Once that one hit the public air, I proceeded to load the data into Have I been pwned? as I usually do after a data breach has gone public and then… I got...