Ashley Madison spam starts, as leak linked to first suicide
'Uber for private investigators' accused of harvesting search data
Part of the near-inevitable wash-up from the Ashley Madison hack has begun, with people reporting that they are receiving emails offering to save them from embarrassment, and a possible suicide in the USA.
The misery caused by the hack is already in evidence in this report of a San Antonio city employee named in the Ashley Madison database committing suicide (the report notes that at this stage authorities are noting the association but not positively attributing the suicide to the exposure).
Apparently, a company called Trustify that made the Ashley Madison data searchable from a website last week is sending out “you were on the database” emails.
The email says – as The Register feared would happen – that Trustify is capturing searches made against its data:
“You or someone you know recently used our search tool to see if your email address was compromised in the Ashley Madison leak, and we confirmed that your details were exposed”, the message states.
The message then goes on to offer to “hide the exposed details” – but only if the recipient of the message makes contact with Trustify.
Discussion of the “offer” took off on Reddit, with several commenters questioning anyone's ability to hide exposed data. One commenter, claiming to be from Trustify, said the company isn't doxxing anyone, and helpfully added that "I'm going to work with the team on expanding on the messaging".
Over the weekend, The Register asked the Electronic Frontier Foundation, the Electronic Privacy Information Center, and Electronic Frontiers Australia (EFA) for their opinions of the search facilities that are springing up all over the Web.
So far – because it was the weekend in America – only EFA has had the chance to respond. In an e-mail response, executive officer Jon Lawrence was critical both of sites collecting search data and of news outlets promoting search sites.
“Whatever the moral issues associated with using the Ashley Madison service, and with their particular business model, the release of this data is clearly a massive invasion of privacy”, Lawrence wrote.
The idea that people brought this on themselves by signing onto Ashley Madison is “a rather callous and simplistic view that imposes an unwarranted moral element to the right to privacy that we reject,” he added.
Security researcher Troy Hunt seems to agree, for those that haven't followed his Twitter stream:
Someone just sent me an email showing an Ashley Madison search site is harvesting addresses then sending spam for their services. WTF?! — Troy Hunt (@troyhunt) August 23, 2015
@honeyboywilson8 I saw a site that gives everything to everyone. Massively irresponsible IMHO. — Troy Hunt (@troyhunt) August 23, 2015
Lawrence added that the EFA fears other abuses of the data will emerge. For example, he said, “we are also alarmed by reports that a real estate data provider is planning to include geographic data sourced from this privacy breach in their search results to provide some form of 'marital happiness rating'.”
For Australians, the EFA notes the picture is particularly bleak, since the worst exposures of data are offshore. Even within Australia, Lawrence said, “this incident highlights the lack of effective legal remedies for Australians that have suffered serious invasions of privacy”, and he called on the government to pursue the recommendations made by the Australian Law Reform Commission last year. ®
The Register stands by its warning not to trust sites offering unverified searches. If you're searching your own details, you're alerting outfits like Trustify to your concern, and if you check someone else's details, you're exposing them to harassment.
Anybody harvesting incoming search data is creating a brand-new data store, which itself is at risk of leaking with little more than a mistake in the SQL implementation.