After hacking Ashley Madison last month, attackers named the Impact Team, demanded the website's owners, Avid Life Media, take down it and its partner website Established Men.
Avid Life Media refused.
On Tuesday, the Impact Team announced on Reddit they were releasing 9.7GB of Ashley Madison user data – which appears legitimate. Names, addresses, email accounts and credit card transaction details of 32 million Ashley Madison users dating back to 2007 have been published. Whole credit card details were not released, only the last four digits. The data also included the type of experiences users were after.
Avid Life Media's password encryption method was also revealed in the release. Passwords were secured using the bcrypt algorithm for PHP.
Robert Graham, CEO of security firm Erratasec, said despite the encryption, it was still likely only a matter of time before hackers would crack the passwords. Graham did praise Avid Media Life for at least encrypting user passwords when many other hacked websites clearly did not.
"We’re so used to seeing cleartext and MD5 hashes ... It’s refreshing to see bcrypt actually being used.”
Avid Life Media condemned the attack as a crime and not hacktivism in a statement.