Breach Analysis

The Ashley Madison Breach: Six-Month Update — Settlements, Scrutiny, and Scars That Won't Heal

> breach.update —— target: Ruby Corp (formerly Avid Life Media) —— months_elapsed: 9 —— settlement: $11.2M —— extortion_campaigns: ONGOING

Hedgehog Security · 19 April 2016 · 30 min read

Nine months on — the wounds remain open.

Six months ago, we published our initial deep-dive analysis of the Ashley Madison breach — the data breach that destroyed marriages, ended careers, fuelled mass extortion campaigns, and contributed to the deaths of individuals whose most intimate secrets were exposed to the world. In that article, we examined the timeline, the technical failures, the devastating human consequences, and the ways in which penetration testing and Cyber Essentials Plus certification could have substantially reduced the likelihood and severity of the breach.

Nine months since the major data dumps of August 2015, the Ashley Madison breach continues to reverberate through the lives of its victims, through the courts, through regulatory investigations, and through the broader data protection landscape. The CEO has resigned. The company has rebranded. Class-action lawsuits have advanced. Regulatory bodies in multiple countries have published damning findings. Password researchers have cracked millions of supposedly secure credentials. And the extortion campaigns continue, with no sign of abating.

In this update, we examine the key developments since our initial article, reassess our risk reduction estimates, and offer updated guidance — with particular focus on the breach's profound and lasting influence on data protection regulation and industry practices.



The CEO falls, the company tries to disappear.

Noel Biderman resigned as CEO of Avid Life Media on the 28th of August 2015, just ten days after the first major data dump. The leaked corporate emails from Biderman's own accounts had revealed that the CEO — who had built his public persona around the normalisation of infidelity — had himself been having affairs. The irony was not lost on observers, but the human cost extended far beyond one executive's hypocrisy.

In April 2016, Avid Life Media appointed a new CEO, Rob Segal, and President, James Millership. The company subsequently rebranded as Ruby Corp in July 2016 — a transparent attempt to distance itself from the Ashley Madison name. The rebranding was accompanied by public commitments to enhanced security, including the implementation of two-factor authentication, PCI-DSS compliance, and fully encrypted browsing.

The company's response to the breach has been widely criticised as too slow, too defensive, and too focused on corporate survival rather than user welfare. Ashley Madison did not initially provide direct notifications to affected individuals, leaving millions of users to discover their exposure through media reports, third-party lookup tools, and — in many cases — extortion emails. This communication failure compounded the harm and further eroded trust.


The courts and regulators deliver their verdict.

The legal and regulatory aftermath of the Ashley Madison breach has been extensive and is still unfolding.

Canadian Class-Action Lawsuit
Detail: A $578 million lawsuit was filed on behalf of Canadian users through Charney Lawyers and Sutts, Strosberg LLP. The suit alleged that Avid Life Media failed to protect user data and deceptively retained data that users had paid to delete.
Outcome: The lawsuit was eventually settled in July 2017 for $11.2 million — a fraction of the original claim, but a significant sum for a company whose security practices had been so comprehensively discredited. Users with valid claims could receive up to $3,500 each.

US Federal Trade Commission (FTC)
Detail: The FTC investigated Avid Life Media for deceptive practices — specifically the false promise that paid data deletion would fully remove user information, and the use of chatbots posing as real women to engage male users.
Outcome: The FTC reached a settlement requiring Avid Life Media to pay $1.6 million and to implement a comprehensive information security programme subject to independent auditing for 20 years. The FTC found that the company had 'deceived consumers and failed to protect their data.'

Joint Canadian-Australian Investigation
Detail: The Office of the Privacy Commissioner of Canada (OPC) and the Australian Information Commissioner (OAIC) conducted a joint investigation into the breach. Their findings were damning.
Outcome: The investigation concluded that Avid Life Media had inadequate security measures, including insufficient monitoring, inadequate access controls, and a failure to have a comprehensive information security framework. The company was required to implement a range of privacy and security improvements.

Additional US Lawsuits
Detail: Beyond the class-action, multiple individual lawsuits were filed in the United States, including suits from individuals who suffered specific harm — job loss, divorce, public humiliation — as a direct consequence of their data being exposed.
Outcome: These cases have proceeded through the courts at varying paces, with some resulting in individual settlements and others being consolidated into the broader class-action proceedings.

The Regulatory Findings

The joint Canadian-Australian investigation found that Avid Life Media's security framework was inadequate for the sensitivity of the data it held. The investigators specifically noted: insufficient logging and monitoring; inadequate employee credential management; lack of a comprehensive security programme; failure to assess risks to user data; and — most damningly — the retention of data that users had paid to have deleted. The investigation recommended that the company adopt a comprehensive privacy and security framework, and the regulators indicated they would follow up to verify compliance.


The bcrypt fortress that crumbled from within.

In our initial article, we noted that the Ashley Madison source code had revealed a dangerous dual-hashing implementation — passwords were protected by bcrypt but also, through a legacy coding error, by the far weaker MD5 algorithm. In September 2015, the password-cracking team CynoSure Prime demonstrated exactly how devastating this error was.

The team identified that the site's $loginkey variable — included in the leaked data — had been generated using MD5 hashes of users' plaintext passwords for accounts created before June 2012. By cracking these trivially weak MD5 hashes, the researchers could recover plaintext passwords and then use them to verify against the stronger bcrypt hashes. Within days, they had cracked 11.2 million passwords. Up to 15 million of the 36 million accounts were vulnerable through this weakness.

Security researcher Troy Hunt observed that users who had chosen strong passwords — passwords that would have been effectively uncrackable under bcrypt alone — were now exposed because of the legacy MD5 implementation. As Hunt noted, the users who had done the right thing were let down by the company that was supposed to protect them. The Ars Technica article on the cracking aptly summarised the lesson: a single misstep can undermine an otherwise flawless execution.

For the 11 million users whose passwords were cracked, the implications extended beyond Ashley Madison. Anyone who had reused their Ashley Madison password on other services — email, banking, social media — was now at risk of credential stuffing attacks. The breach's blast radius expanded from one compromised website to potentially every online account associated with those individuals.
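The $loginkey failure described above is an instance of a general rule: a slow password hash protects nothing if any other stored artefact is a fast, unsalted function of the same password. The following is an added example, not Ashley Madison's code, of a check that a code auditor or CI pipeline can run against a registration routine. It registers a known test password and then asks whether any stored field equals a fast hash of that password, or of common username/password concatenations. `register_legacy` is a constructed, simplified model of the scheme the text describes (the page says only that the loginkey was an MD5 hash of the plaintext password); `register_fixed` derives the token from a random secret instead. PBKDF2-HMAC from the Python standard library stands in for bcrypt, which is not in the standard library; the property that matters (slow and salted) is the same.

```python
"""Added example: auditing stored account records for fast-hash derivatives of
the password, the class of defect behind the legacy $loginkey weakness.
Not the code of Ashley Madison / Ruby Corp; all schemes here are constructed."""
import hashlib
import os
import secrets

# PBKDF2-HMAC stands in for bcrypt (slow, salted). Rounds kept modest so the
# example runs quickly; production values should be tuned to your hardware.
PBKDF2_ROUNDS = 100_000


def slow_hash(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash (stand-in for bcrypt)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def register_legacy(username: str, password: str) -> dict:
    """Constructed model of the pre-2012 pattern: the password is hashed slowly,
    but a login token is ALSO derived from the plaintext with plain MD5, which
    hands an attacker a fast oracle for the same secret."""
    salt = os.urandom(16)
    return {
        "username": username,
        "salt": salt.hex(),
        "pw_hash": slow_hash(password, salt).hex(),
        "loginkey": hashlib.md5(password.encode()).hexdigest(),  # the defect
    }


def register_fixed(username: str, password: str) -> dict:
    """Hardened form: the login token is a random secret with no mathematical
    relationship to the password, so it reveals nothing about it."""
    salt = os.urandom(16)
    return {
        "username": username,
        "salt": salt.hex(),
        "pw_hash": slow_hash(password, salt).hex(),
        "loginkey": secrets.token_hex(16),
    }


FAST_HASHES = ("md5", "sha1", "sha256")


def password_derivatives(username: str, password: str) -> set:
    """Fast-hash digests an auditor expects NOT to find in a stored record:
    the bare password and a few common username/password concatenations.
    Extend the candidate list with whatever patterns your legacy code used."""
    candidates = [
        password,
        password.lower(),
        username + password,
        username.lower() + password.lower(),
        f"{username}::{password}",
    ]
    digests = set()
    for text in candidates:
        for alg in FAST_HASHES:
            digests.add(hashlib.new(alg, text.encode()).hexdigest())
    return digests


def audit_record(record: dict, username: str, password: str) -> list:
    """Return the names of stored fields that equal a fast hash of the known
    test password. An empty list means no fast-hash derivative was found."""
    forbidden = password_derivatives(username, password)
    return sorted(
        field for field, value in record.items()
        if isinstance(value, str) and value.lower() in forbidden
    )


if __name__ == "__main__":
    user, pw = "alice", "correct horse battery"
    print("legacy :", audit_record(register_legacy(user, pw), user, pw))  # ['loginkey']
    print("fixed  :", audit_record(register_fixed(user, pw), user, pw))   # []
```

Run this as a unit test against the real registration path with a throwaway account: the assertion that `audit_record` returns an empty list is cheap, survives refactors, and would have flagged the legacy token the day it was written. It only catches derivatives built from the patterns you enumerate, so when auditing legacy code, read the token-generation routine and add its exact construction to `password_derivatives`.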


A breach that keeps on taking.

Perhaps the most disturbing ongoing consequence of the Ashley Madison breach is the industrialisation of extortion against its victims. Within days of the data dump, opportunistic criminals began targeting individuals whose details appeared in the leak, demanding Bitcoin payments in exchange for not exposing them to their families, employers, or communities.

These extortion campaigns did not stop. In 2017, a new wave of personalised blackmail emails targeted breach victims, using detailed information from the leak to add credibility to their threats. By 2020 — five years after the breach — researchers at Vade Secure identified yet another sophisticated sextortion campaign, with emails that referenced victims' specific Ashley Madison usernames, registration dates, and stated sexual preferences.

The Ashley Madison extortion economy demonstrates a principle that every organisation and every individual must understand: breached personal data has no expiry date. Once it is exposed, it remains available to criminals indefinitely. It can be repackaged, combined with other data, and used in new attack campaigns for years or decades after the original breach. There is no statute of limitations on stolen data.

The Infinite Tail of Harm

Every organisation that suffers a data breach must recognise that the harm does not end when the incident is contained. Victims of the Ashley Madison breach are still being targeted by extortionists in 2016 — and there is every reason to believe they will continue to be targeted for years to come. Incident response plans must account for this long tail of harm, including ongoing victim support, monitoring for secondary attacks, and coordination with law enforcement.


Updated figures in light of new information.

Penetration Testing
Initial estimate (Oct 2015): 65–75%
Revised estimate (Apr 2016): 70–80%
Rationale: Regulatory investigations confirmed the full extent of security failures, including the absence of a comprehensive security framework. The CynoSure Prime password cracking confirmed the severity of the MD5 vulnerability. A comprehensive testing engagement would have identified these issues with near-certainty.

Cyber Essentials Plus
Initial estimate (Oct 2015): 45–55%
Revised estimate (Apr 2016): 50–60%
Rationale: The joint Canadian-Australian investigation specifically cited inadequate access controls, insufficient monitoring, and poor configuration management — all squarely within the CE+ control framework. Independent verification would have identified the gap between stated security and reality.

Combined Effect
Initial estimate (Oct 2015): 75–85%
Revised estimate (Apr 2016): 80–90%
Rationale: The confirmed breadth and depth of the security failures, combined with their alignment to well-understood control frameworks, gives high confidence that the combined measures would have identified and driven remediation of the vast majority of exploitable weaknesses.

We note that our revised combined estimate of 80–90% is the highest we have assigned to any breach in this series. This reflects the fact that the Ashley Madison breach was enabled by relatively basic, well-understood security failures — hardcoded credentials, legacy hashing implementations, inadequate access controls, missing network segmentation — rather than by sophisticated, novel attack techniques. These are precisely the categories of vulnerability that penetration testing and baseline security certification are designed to identify and remediate.


How Ashley Madison shaped the GDPR.

The Ashley Madison breach occurred during the final stages of negotiation of the European Union's General Data Protection Regulation, which would come into force in May 2018. Whilst the GDPR was already well advanced before the breach, the Ashley Madison incident provided powerful, visceral examples of the principles the regulation was designed to protect.

Article 17: The Right to Erasure
Ashley Madison's deceptive 'full delete' practice became a textbook example of why individuals need a legally enforceable right to have their data deleted. GDPR Article 17 enshrines this right, requiring organisations to erase personal data when requested, without undue delay. Ashley Madison's $19 deletion fee — for a service it didn't actually provide — would be a clear violation under the GDPR.
Article 25: Data Protection by Design
The GDPR requires that data protection is built into systems from the outset — not bolted on as an afterthought. Ashley Madison's legacy MD5 implementation, hardcoded credentials, and failure to verify email addresses all represent failures of data protection by design. Under the GDPR, these would constitute violations from the moment the system was deployed.
Article 33: Breach Notification
Ashley Madison's failure to promptly notify affected users compounded the harm of the breach. The GDPR requires breach notification to supervisory authorities within 72 hours and, where there is a high risk to individuals, notification to the affected individuals without undue delay.
Article 83: Penalties
Under the GDPR, a breach of the severity of Ashley Madison could attract fines of up to 4% of global annual turnover — which for Avid Life Media's reported 2014 revenues of over $100 million, could have exceeded $4 million. The FTC's $1.6 million penalty and the $11.2 million class-action settlement may seem modest by comparison.

Which sectors should be most concerned.

The Ashley Madison breach carries specific and urgent lessons for sectors that handle data of comparable sensitivity. Whilst every organisation handling personal data should take note, certain industries face risks that are structurally analogous to those that made the Ashley Madison breach so devastating.

Healthcare & Mental Health
Healthcare organisations hold data about patients' medical conditions, mental health, sexual health, substance use, and genetic information. A breach exposing this data could cause harm comparable to Ashley Madison — stigma, discrimination, relationship breakdown, and psychological crisis. Healthcare providers must treat their security obligations as a direct extension of their duty of care to patients.
Dating & Social Platforms
The Ashley Madison breach served as a direct wake-up call for the entire online dating industry. Platforms handling data about sexual orientation, preferences, relationship status, and intimate communications hold data that could destroy lives if exposed. These platforms must implement the highest levels of encryption, access control, data minimisation, and genuine deletion capabilities.
Genetic Testing & Ancestry Services
Companies that hold genetic data and family relationship information hold data that cannot be changed — unlike a password, your DNA is permanent. A breach of genetic data could reveal paternity secrets, predispositions to hereditary conditions, and ethnic heritage that individuals may wish to keep private. The permanence of this data makes the security obligation even more acute.
Legal Services
Law firms hold privileged communications about divorces, criminal matters, immigration cases, and commercial disputes. The exposure of legal files could be as devastating as the exposure of dating site records — potentially more so, given the legal implications. Firms must segment client data, encrypt at rest and in transit, and implement rigorous access controls.
Financial Services & Fintech
Beyond the obvious financial data, financial services firms hold data about gambling activity, debt counselling, insurance claims for sensitive conditions, and payment patterns that reveal personal behaviours. A breach exposing this data could cause significant personal harm. The Ashley Madison lesson applies: security must be proportionate to the sensitivity of the data, not merely the regulatory minimum.

Rebuilding trust after fundamental betrayal.

The Ashley Madison breach exposed not merely a security failure but a trust failure of the most fundamental kind. The company had promised its users discretion, privacy, and — for those who paid — permanent deletion. It delivered none of these things. The breach revealed a company that was deceptive in its business practices, negligent in its security, and indifferent to the welfare of the people whose most intimate data it held.

Rebuilding trust after a breach of this nature is, if not impossible, extraordinarily difficult. Ruby Corp (as Avid Life Media rebranded) has invested in enhanced security measures, including two-factor authentication, PCI-DSS compliance, and encrypted browsing. But the fundamental question facing any organisation in this position is: why should anyone believe you now? If you lied about deletion, if you neglected security, if you profited from deception — what has changed that should persuade anyone to trust you with their most sensitive data again?

The answer, for any organisation in this position, must be demonstrated through actions rather than words. Independent security audits, published transparently. Penetration testing results shared with regulators. Genuine data minimisation practices. Verified deletion processes. And a cultural commitment to security and privacy that starts at board level and permeates every function of the organisation. Anything less is merely reputation management.

For organisations that have not yet suffered a breach, the lesson is even more stark: trust is easier to maintain than to rebuild. Invest in security, privacy, and honest data practices now — because the cost of losing your users' trust is measured not in pounds and pence, but in destroyed lives and shattered confidence that may never be restored.


Additional guidance for organisations handling sensitive data.

Audit Your Data Deletion Practices
Verify that your deletion processes actually delete data — from all systems, databases, backups, logs, and archives. Test this through penetration testing. If you charge for deletion, ensure the service delivers what it promises. Under the GDPR, you will be legally required to comply with erasure requests.

Conduct Legacy Code Audits
The Ashley Madison MD5 vulnerability was a legacy implementation from before June 2012 that was never remediated. Conduct thorough audits of legacy code, particularly around cryptographic implementations, authentication mechanisms, and data handling. Legacy technical debt is a security debt.

Implement Email Verification
Any service that stores personal data must verify email addresses at registration. Allowing unverified registration creates innocent victims in the event of a breach and inflates user metrics — a form of self-deception that compounds every other failure.

Plan for the Long Tail of Harm
Recognise that breach victims may be targeted by secondary attacks — extortion, credential stuffing, social engineering — for years after the initial incident. Your incident response plan must include ongoing victim support, threat monitoring, and law enforcement coordination.

Prepare for the GDPR
Organisations handling the personal data of EU citizens must prepare now for the GDPR's requirements — data protection by design, the right to erasure, breach notification, and proportionate security measures. The Ashley Madison breach demonstrates, in the starkest terms, the consequences of failing to meet these standards.

Treat Data Sensitivity as a Security Multiplier
The more sensitive the data you hold, the higher the standard of security you must apply. If your organisation handles data about people's health, sexuality, finances, legal matters, or political beliefs, your security investment must reflect the catastrophic potential of its exposure.
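The first recommendation above, verifying that deletion actually deletes, is the one most often asserted and least often tested. The following is an added example, not the code of Ruby Corp or of any regulator, of how such a verification can be automated: after an erasure request is processed, every text column of every table is scanned for the departing user's identifiers, and any surviving reference is reported. A SQLite database constructed inline stands in for the production database, message store, audit log and archive; the table names and the two deletion routines are assumptions made for the example. `naive_delete` models a 'full delete' that only touches the primary record, the failure mode the FTC and the class action turned on.

```python
"""Added example: verifying an erasure request against every store, not just
the primary user table. Not Ruby Corp's code; the schema and data are
constructed for illustration."""
import sqlite3


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample: a users table plus the side stores that commonly
    keep copies of personal data (messages, audit log, archive)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER, email TEXT, username TEXT);
        CREATE TABLE messages (id INTEGER, sender_email TEXT, body TEXT);
        CREATE TABLE audit_log (ts TEXT, actor TEXT, action TEXT);
        CREATE TABLE archive_users (id INTEGER, email TEXT, username TEXT);
        INSERT INTO users VALUES (1, 'alice@example.test', 'alice');
        INSERT INTO users VALUES (2, 'bob@example.test', 'bob');
        INSERT INTO messages VALUES (10, 'alice@example.test', 'hello');
        INSERT INTO audit_log VALUES ('2016-04-01', 'alice', 'login');
        INSERT INTO archive_users VALUES (1, 'alice@example.test', 'alice');
    """)
    return conn


def naive_delete(conn: sqlite3.Connection, email: str) -> None:
    """A 'full delete' that removes only the primary record. Everything else
    (messages, log entries, archived copy) survives."""
    conn.execute("DELETE FROM users WHERE email = ?", (email,))


def full_delete(conn: sqlite3.Connection, email: str) -> None:
    """Resolve every identifier tied to the account first, then purge each
    store that can hold a copy."""
    row = conn.execute(
        "SELECT id, username FROM users WHERE email = ?", (email,)
    ).fetchone()
    if row is None:
        return
    uid, username = row
    conn.execute("DELETE FROM users WHERE id = ?", (uid,))
    conn.execute("DELETE FROM messages WHERE sender_email = ?", (email,))
    conn.execute("DELETE FROM audit_log WHERE actor = ?", (username,))
    conn.execute("DELETE FROM archive_users WHERE id = ?", (uid,))


def residual_references(conn: sqlite3.Connection, identifiers: list) -> list:
    """Scan every column of every table for any of the given identifiers
    (email, username, ...). Returns (table, column) pairs that still hold a
    match; an empty list means the identifiers are gone from this database.
    Numeric ids are deliberately not used as identifiers: they are reused."""
    hits = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    placeholders = ",".join("?" * len(identifiers))
    for table in tables:
        columns = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        for col in columns:
            query = (f'SELECT COUNT(*) FROM "{table}" '
                     f'WHERE CAST("{col}" AS TEXT) IN ({placeholders})')
            if conn.execute(query, identifiers).fetchone()[0]:
                hits.append((table, col))
    return hits


if __name__ == "__main__":
    alice = ["alice@example.test", "alice"]
    db = build_sample_db()
    naive_delete(db, alice[0])
    print("after naive delete :", residual_references(db, alice))
    db = build_sample_db()
    full_delete(db, alice[0])
    print("after full delete  :", residual_references(db, alice))  # []
```

In a real engagement the same scan is run against each production store in turn (databases, search indexes, log platforms, backup restores) with a test account created for the purpose; the archive and log tables here are where naive deletion leaves residue, which is exactly the class of retention the regulators criticised. Scanning by value rather than by foreign key is intentional: it also finds copies that were denormalised without a key relationship.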

Revised risk reduction at a glance.

Risk Reduction Summary — Ashley Madison Breach
── Comprehensive Penetration Testing Programme ────────────────────────
Revised estimate: 70–80% risk reduction
Includes: Web application testing (hardcoded creds, hashing)
Internal network testing (segmentation, lateral)
Social engineering (credential compromise)
Source code review (MD5 legacy, hardcoded secrets)
Data handling assessment (deletion, retention)

── Cyber Essentials Plus Certification ────────────────────────────────
Revised estimate: 50–60% risk reduction
Key controls: Secure configuration (hardcoded credentials)
User access control (privilege escalation)
Firewalls (network segmentation)

── Combined Effect ─────────────────────────────────────────────────────
Revised estimate: 80–90% risk reduction [HIGHEST IN SERIES]
Rationale: Failures were basic, well-understood, detectable
No advanced/novel attack techniques required

── Residual Risk ───────────────────────────────────────────────────────
Remaining: 10–20%
Factors: Determined attacker with initial credential access
Legacy technical debt in inherited codebases
Human factors in initial credential compromise

Data is people — and people deserve better.

Nine months after the Impact Team exposed the intimate secrets of 36 million people, the Ashley Madison breach continues to inflict harm. Extortion campaigns continue. Legal proceedings advance. Regulatory investigations have delivered damning verdicts. And the individuals whose data was exposed — including many who had paid to have that data deleted, and many who had never even used the site — continue to live with the consequences of a company that failed to protect the most sensitive data imaginable.

The Ashley Madison breach is, above all else, a story about trust. Users trusted the company with their most intimate secrets. The company betrayed that trust — through deceptive business practices, through inadequate security, and through a failure to honour its promise of deletion. The breach exposed not only the users' data but the company's dishonesty, and the combination proved catastrophic.

For every organisation that holds personal data — which is to say, every organisation — the Ashley Madison breach offers a lesson that cannot be overstated: the data you hold is not yours. It belongs to the people who entrusted it to you. You are its custodian, not its owner. And the standard of care you must apply is determined not by what is convenient or profitable for you, but by the harm that its exposure would inflict upon them.

This article concludes our two-part deep dive into the Ashley Madison breach. Our next Breach Deep Dive will examine a different incident. To suggest breaches for future analysis, or to discuss any of the issues raised in this series, please contact us.


The data you hold belongs to real people. Are you protecting it like their lives depend on it?

From penetration testing that identifies hardcoded credentials and legacy vulnerabilities, to Cyber Essentials Plus certification that verifies your baseline controls, to data handling assessments that ensure your deletion promises are genuine — Hedgehog Security helps organisations meet the standard of care that the people behind the data deserve.
