Early Notes on the Ashley Madison Hack

1. A data dump, which allegedly contains over 35 million email addresses, 33 million accounts with more detailed information (names and addresses), and every credit card transaction from the last seven years, is reported to have been posted online. It could be doctored or entirely fake, however: a hack was previously confirmed by the company, and early signs point to legitimacy. (Update: Brian Krebs was unsure, but now seems convinced; Ashley Madison’s official statement is ambiguous.)

2. It is not easily accessible to most internet users — it’s still in fairly raw form, in massive downloadable archives.

3. However, 4chan users, and undoubtedly others, are already combing through data and posting their discoveries. They started by searching for people with government email addresses, university email addresses, and addresses associated with major corporations. This is unfolding very quickly, already revealing the email addresses of students, teachers, public servants and municipal employees.

4. Anonymous internet posters have already discovered the email address of at least one public figure. In subsequent posts, they identify this person’s partner. This person has been confronted on Twitter; I would not be surprised if the partner is currently getting alarming emails from strangers. This happened almost instantly after the leak.

5. On 4chan, and on Twitter, users are posting plain, searchable chunks of the data. There appear to be ongoing attempts to make the data much more easily available. It seems very likely that there will be a way for curious, non-technically-inclined people to search for the names of friends, spouses, partners, or anyone else very soon.

6. We associate the cost of hacks mostly with identity theft and financial loss, from which most victims are pretty well insulated. Target assessed the cost of that hack at $148 million; outside financial institutions added another $200 million to that figure. You may know someone affected by that hack, but the resulting damages were likely mostly absorbed by their bank or credit card company. It was unsettling, yes, but it wasn’t widely ruinous.

7. This, on the other hand, is basically unprecedented? Most leaks of this size don’t implicate people in anything aside from patronizing major companies. This is new territory in terms of personal cost. The Ashley Madison hack is in some ways the first large scale real hack, in the popular, your-secrets-are-now-public sense of the word. It is plausible — likely? — that you will know someone in or affected by this dump.

8. Most of the responses and acknowledgements I’m reading now are either straight news stories or… jokes? I’m not sure anyone is really reckoning with how big this could be, yet. If the data becomes as public and available as seems likely right now, we’re talking about tens of millions of people who will be publicly confronted with choices they thought they made in private (or, in some cases, didn’t: Ashley Madison does not validate all email addresses). The result won’t just be getting caught, it will be getting caught in an incredibly visible way that could conceivably follow victims around the internet for years.

9. Such a scenario would present a number of new questions for many more internet users — questions the nature of which they’ve never really had to deal with. If the names and email addresses are available in a simple Google-like search, for example, will they search for their partners? Friends? Coworkers? Representatives? Family members? If so, why? If not, why not? Will you seek out the raw leak data after reading this post? Will news organizations, presented with user profiles associated with public figures, ask for comment? Treat each as news? Which ones? How? The last time people dealt with similar questions on a large scale was when troves of internal Sony documents, including emails, were leaked. Before that, it was when hundreds of private celebrity photos were stolen and released last year. That act was widely denounced, as were the millions of subsequent acts by the people who viewed the photos. But enough people looked at these photos to set traffic records for sites like Reddit. In any case, an incredible number of ethical questions are posed by this situation!

10. Anyway, I may be overestimating how far things will unfold, but this feels like a momentous event. Barring some sort of heroic cleanup effort on the part of the entire internet — which I guess, between Twitter moderation and aggressive lawyering, isn’t totally impossible — millions of lives may be about to change profoundly. It’s easy to kid about the fact that these people were using a site intended to help them cheat. But if understood in more abstract terms, this hack has the potential to alter anyone’s relationship with the devices and apps and services they use every day. Here were millions of people expecting the highest level of privacy that the commercial web could offer as they conducted business they likely wanted to keep between two people (even if a great number of the emails are junk, or attached to casual gawkers, the leak claims to contain nine million transaction records). This hack could be ruinous — personally, professionally, financially — for them and their families. But for everyone else, it could haunt every email, private message, text and transaction across an internet where privacy has been taken for granted. Ashley Madison, in the strange hacker economy of 2015, may have had an especially big target on its back. But it’s a powerful reminder of the impossibility of perfect privacy.

11. Welcome to the future, I guess!