The email address of Scottish Nationalist MP Michelle Thomson and the personal details of hundreds of other UK public figures are among the estimated 33 million credentials leaked yesterday by hackers who breached the Ashley Madison adultery website.
But the MP has insisted hers was an out-of-use email, randomly harvested by hackers and misused.
The 9.7 gigabytes of personal data dumped on the Dark Web by the so-called ‘Impact Team’ of hacktivists, as reported by SC, includes the names, postal and email addresses, partial payment card details and in some cases sexual fantasies of people who registered on the site, which encourages extra-marital affairs.
The data has been confirmed as genuine by several cyber-security experts and people with Ashley Madison accounts - and the American FBI has now joined the hunt for the hackers.
The leaked data includes the personal details of around 1.2 million Britons. Among them, according to the Daily Telegraph, are 124 civil servants, 92 Ministry of Defence staff, around 50 police officers, 56 NHS workers, 65 local education and school staff, and 1,716 people at universities and further education colleges – 95 per cent of whom are reportedly male. There are also more than 14,000 US Government and military email addresses, reports say.
Avid Life Media, which runs Ashley Madison, said it is now working with the FBI and Canadian law enforcement agencies, as well as forensic and security experts, to track down the ‘criminals’ involved. And UK cyber-security experts believe their actions could have serious consequences for millions of people's personal lives.
Respected UK security blogger Graham Cluley said this even includes the risk of suicides: “Some people might find the thought that their membership of the site - even if they never met anyone in real life, and never had an affair - too much to bear, and there could be genuine casualties as a result. And yes, I mean suicide.”
But Cluley also pointed out: “If your email address is in the Ashley Madison database it means nothing. The owner of that email address may never have even visited the Ashley Madison site - Ashley Madison never bothered to verify the email addresses given to it by users.”
In line with this, Edinburgh West MP Thomson said in a statement reacting to her email leak: "Along with potentially millions of others, an out-of-use email address seems to have been harvested by hackers.
"I am not aware of or in contact with either Avid Life or Ashley Madison and look forward to finding out more about what has actually happened. However, having a personal email address linked to an account doesn't mean that person is really a user of Ashley Madison.
"Users are able to sign up to the site without responding to an email verification, meaning anyone's email address could have been used to create an account."
People wishing to check whether their email is included can use Microsoft security expert Troy Hunt's ‘Have I Been Pwned’ service. This only lets you check your own address as it emails you the result, to prevent snooping.
Meanwhile, security experts are divided on whether the leaked data poses a wider national security, as well as personal, risk.
Europol adviser and Surrey University Professor Alan Woodward downplayed the threat, telling SCMagazineUK.com: “Having your details found in Ashley Madison is an embarrassment rather than a security problem. It could damage personal reputations.”
Woodward also said that it is very easy for other people to find, and misuse, the email addresses of public figures, adding: “One good thing is Ashley Madison used bcrypt which makes it very difficult to recover its users' passwords. The main problem here is the embarrassment to individuals. My advice is, be aware that whatever you are doing online it could be hacked and revealed.”
But Stephen Coty, chief security evangelist at Alert Logic, said in a statement to journalists: “With such diversity of individuals whose information was compromised through the Ashley Madison hack, you have to wonder what the lasting impact of this breach can be.
“What are the implications to the companies these individuals work for? Will these individuals give in to blackmail to betray their employer, save their marriage or relationship? Can this data, plus the information from breaches like OPM, be used to compromise our national security or trade secrets? These are all questions employers should be asking themselves.”
Coty added: “Should employers start locking down their internet and mail services to work-functions only? Should we now start empowering our security teams to do their jobs efficiently? This means investing in a threat research and intelligence function that will mine for lost and stolen data to understand and combat the risk that our employees introduce into our environments.”
Leaked data highlighted by Coty includes emails from the White House, ‘Army.mil’, Starbucks, Shell, Wells Fargo and others.
As we reported yesterday, cyber-security firm Blue Coat also believes the leaks could lead to the resale of personal data to other cyber-attackers, financial or non-financial blackmail of Ashley Madison and its customers, and social engineering attacks on high-value targets who are members of Ashley Madison.
Likewise James Maude, senior security engineer at Avecto, said in a statement: “At first glance, it may look like the Ashley Madison data leak will cause nothing more than embarrassment. But this type of sensitive personal information can be used by criminals to generate serious leverage against an individual, when combined with details released from other attacks.”
Wieland Alge, EMEA general manager at Barracuda Networks, agreed: “With a number of users signing up with work email addresses, phishing attacks could be launched against users via these accounts, meaning government and corporate networks are at risk.
“Having access to the data could allow the hackers to build a detailed profile of their target and create a very specific attack. The attack is likely to come from a 'trusted source' and this makes the chances of success considerably higher.”
Lamar Bailey, director of security research and development at Tripwire, said: “The data stolen has far-reaching social implications. This could play into hiring decisions too because many companies run background checks, Facebook, Twitter and Google searches for applicants. If an applicant shows up as an Ashley Madison user, does that show something about the applicant's trustworthiness and morals?”
But UK cyber-espionage expert David Lacey told SCMagazineUK.com: “There's a potential for blackmail here but one doesn't see it very often - modern espionage is all about hacking. The implications are more domestic. It's another illustration that you can't trust anything to be perfectly secure.”