Faking profiles, hacking competitors, DMCA abuse, and more: the Ashley Madison saga continues

The fallout still hasn't settled from the hacking and subsequent data dump of the “adultery dating” website Ashley Madison, yet every new revelation makes the story progressively more bizarre.

Ashley Madison (registered motto: “Life is short. Have an affair.®”) is owned by Avid Life Media, which owns other hookup sites including “Established Men” and “Cougar Life.”

Recent hacking

In July, a hacker or group of hackers self-identifying as The Impact Team said that it had broken into Ashley Madison and stolen all information available therein. At the time, the hackers threatened to release all of the stolen information unless the website was taken down. According to its own statements, The Impact Team's main complaint with Ashley Madison isn't that the website promotes or facilitates adultery, but that it allegedly lied to its clients.

Ashley Madison offered clients a “full delete” service, scrubbing a client's complete profile and activity history from the site for $19. But The Impact Team said Ashley Madison lied about the full delete: they'd collect the $19 without bothering to scrub the client's data.

Thirty days after the hack, The Impact Team made good on its threat and posted 9.7 gigabytes of stolen Ashley Madison data to the dark web. And a preliminary analysis of that first data dump suggested that The Impact Team was right: Ashley Madison did lie about its full delete service.

The Impact Team also claimed that Ashley Madison lied about the number of women on its site, by creating “thousands” of fake female profiles.

But when Gizmodo's Annalee Newitz analyzed the data, she concluded that the number of fakes was far greater than even The Impact Team had indicated; turns out “almost none of the women in the Ashley Madison database ever used the site.”

Fake profiles and hacking the competition

Of the 37 million profiles on the Ashley Madison site, 5.5 million allegedly belonged to women. From the perspective of a man seeking a hetero hookup, that statistic is dismal enough: more than six men for every woman. But how many of those accounts were real women – and more importantly, how many of those real women actually used those accounts for their advertised purposes?

The data released by The Impact Team included lots of business and administrative data of the sort intended to be seen only by Ashley Madison employees, not clients. This includes private-message records: how many messages did AM members send, receive, read, or respond to?

Newitz says “About two-thirds of the men, or 20.2 million of them, had checked the messages in their accounts at least once. But only 1,492 women had ever checked their messages. It was a serious anomaly.”

Newitz found a similarly huge differential when she checked the reply_mail_last_time field, which shows when a given AM member had last replied to a message from another member: “5.9 million men had done it, and only 9700 women had. … Overall, the picture is grim indeed. Out of 5.5 million female accounts, roughly zero percent had ever shown any kind of activity at all, after the day they were created.”

Though perhaps this isn't a surprise. A couple of days after The Impact Team's first Ashley Madison data dump, a former Ashley Madison employee claimed that her job had been to create hundreds of fake female profiles alluring enough to convince men to sign up for the site. Doriana Silva, a Brazilian woman who worked at Ashley Madison headquarters in Toronto, tried suing her employer after claiming that she developed a repetitive stress injury after having to create 1,000 fake profiles in less than a month. Silva actually filed her suit in 2012, and settled with Avid Life Media earlier this year.

The fake profiles arguably aren't even the most incriminating reveal from the data dumps. A release of internal Ashley Madison employee emails suggests that hacking victim Ashley Madison had itself hacked into a rival dating website back in 2012.

Security expert Brian Krebs noted on Monday that leaked emails between company CEO Noel Biderman and former Chief Technology Officer Raja Bhatia show that Bhatia had discovered a way to download and manipulate the entire user database of rival website Nerve.com.

Despite all of this, AshleyMadison.com not only remains online, but still touts itself as “the world's leading married dating service for discreet encounters” (bold-print italic from the original website, where it also appears in a hot-pink font). This promise of “discreet” encounters appears right next to a row of three colorful little icons bragging that Ashley Madison holds a “Trusted Security Award,” offers “100% Discreet Service” and is an “SSL Secure Site.”

For what it's worth, the site is still getting visitors – if not paid memberships. Digiday's Jordan Valinsky noted yesterday that an analysis of web traffic data shows that from Saturday, Aug. 22 to Sunday, Aug. 23, the number of desktop visitors to Ashley Madison increased by 2 million. There's also been a significant increase in the number of people who visited Ashley Madison from a pay-per-click ad on another website – in other words, an increased number of visitors whom Ashley Madison is paying for.

Damage control

Meanwhile, Ashley Madison has made various attempts at damage control, with limited success. On Monday, Avid Life Media offered a reward of $500,000 Canadian (about $377,730 in U.S. dollars) for information leading to the hackers' capture. That same day, police in Toronto said that two people “associated with” the leaked Ashley Madison data had committed suicide.

In a more misguided damage-control effort, the company has also attempted to force websites to take down the leaked data by claiming copyright infringement under the Digital Millennium Copyright Act even though, as the Electronic Frontier Foundation said, “Copyright isn’t designed for keeping secrets (in fact, it was generally meant to do the exact opposite by encouraging disclosure).” Ashley Madison has sent takedown notices to Reddit, Twitter, and other websites, activities which Techdirt's Mike Masnick summarized as “Ashley Madison continues to use dubious legal takedown threats to try to disappear the data it failed to protect.”

As of press time there are at least four attempted class action lawsuits filed against Ashley Madison, all by members of the oft-litigious Doe family: two male plaintiffs named John Doe, a female named Jane Doe, and five plaintiffs of indeterminate gender who filed as J. Doe. So far, the attempted lawsuits all claim negligence and breach of implied contract over the hacking and data dump, for failing to keep users' confidential data confidential. Nobody has yet tried suing Ashley Madison for fraud based on the many apparently fake female profiles.