It's been nearly a month since Ashley Madison's data exploded across the Web exposing the identities of millions of its users, but the effects of the hack continue to be felt in new ways. There are still a lot of questions left unanswered — who are the hackers, what really motivated them to hack the infidelity dating site, what kind of financial health was Ashley Madison in and how many of its users were real?
Here's a recap of what we've learned over the past few days about Ashley Madison and the hack, as the repercussions of the hack sink in for the site's users and as researchers and journalists continue to dig through the piles of data leaked:
The hack continues to take a toll on Ashley Madison users' lives
New Orleans pastor and seminary professor John Gibson took his life in the aftermath of the leak. His wife told media outlets that Gibson had long struggled with sex addiction, though she didn't know he was on Ashley Madison until reading his suicide note. “The shame is in the secrecy and the hiddenness and the lie of this,” his wife told The Washington Post. “Ashley Madison doesn’t advertise, ‘Hey come have an affair and let’s make it public.’ The whole idea, the allure of a site like this, is the anonymity and the darkness and the hiddenness of it."
There are a whole lot of ladybots on Ashley Madison
Ashley Madison developers created the site's first artificial female user in 2002 and went on to create an entire army of fembot daters, according to Gizmodo's Annalee Newitz. Newitz dug through leaked documents to reveal the lengths to which Ashley Madison went to avoid revealing its use of bots to beckon men into paying money to see "come hither" messages being sent by machines. When users and California's attorney general inquired about the bots, Ashley Madison claimed they were the creations of random fraudsters. Eventually Ashley Madison decided to disclose the existence of fembots in its terms of service, admitting that fictitious Ashley Angels existed for “entertainment” and “market research.” (Its terms of service did not disclose that its users might be paying money to talk to a bot.) The current terms of service were changed this year to gloss over the bot bit, saying only that some interactions on the site may be "exaggerated or fantasy."
Ashley Madison's password security wasn't really all that secure
When data from Ashley Madison first leaked online, the company was given a pat on the back for having the foresight to store information like passwords using a cryptographic security algorithm called bcrypt that makes it incredibly hard to crack stolen passwords. But hobbyist hackers have been able to crack more than 12 million Ashley Madison passwords in a matter of weeks due to errors in the programming. Stored in the same database as the bcrypted passwords was an algorithm that made them easier to crack. As Ars Technica put it, it was "the equivalent of stashing the key in a padlock-secured box in plain sight of that vault." The weeks since the leak have revealed that Ashley Madison was sloppy about security elsewhere, too, like in a file that stored passwords in plaintext that could easily be matched with corresponding usernames and e-mail addresses. Yikes.
Everyone is suing everyone
Plenty of Ashley Madison users are suing the company for the botched security practices that wound up exposing their data, but some users are also suing websites and hosting companies that made the data readily available online. That suit, filed last week, alleges that Amazon Web Services, GoDaddy and sites like ashleymadisonpowersearch.com were complicit in the theft of the data by making it easily available online. Their aim is to make stolen hacked data legally toxic.
Ashley Madison's former CTO Raja Bhatia is also threatening a libel lawsuit against security journalist Brian Krebs, who broke the story of the hack and authored a story, based on leaked emails, saying that Bhatia hacked into a rival firm in 2012.
There's a new theory on how the leak spread. And it's really, really weird.
Tech reporter Gina Smith did some digging into how the Ashley Madison story spread online and decided not everything appeared as it should. The first big story on the hack, she said, was a story with suspect detail that appeared on U.K. tabloid The Daily Mail's website. The story, Smith charges, was not journalism but suspicious paid content that materialized mere hours after Krebs' piece (even though it hadn't broken out of security circles) and was then quickly copied by news outlets everywhere. Who would pay for such a story, or why, Smith doesn't know. But the timestamp on the Daily Mail story Smith links to actually shows it appeared online well after many other media outlets had picked up Krebs' story and doesn't carry the usual branding for paid-content that advertorials for the outlet do. A spokesperson for the paper refuted the claims made in Smith's story. “This was not paid-for content and the entire premise of the story is false," he said. "Native advertising on MailOnline is clearly marked as such, and we reject in the strongest terms the claim that the article which the piece focuses on, which appeared well after the news of the Ashley Madison hack emerged, was fabricated. We have written to the website formally to request that the incorrect allegations are removed without delay."
This story was updated to include comments from The Daily Mail.