The hack was wrought by a group calling itself "Impact Team" — it made global headlines after nearly 10 gigabytes of user was dumped onto the dark web. Information included account details, logins, associated email addresses, credit card and other payment information of the site's nearly 40 million.
The website, owned by Avid Life Media, aimed to connect married men and women for the purposes of having affairs, employing the unambiguous tagline, "life is short, have an affair!" — it boasted thousands of cheating wives and husbands signed up every day looking for illicit sexual encounters.
In a statement at the time, Impact Team said the dump was motivated by "the fraud, deceit, and stupidity" of Avid Life Media and the site's users. In particular, the hackers had issues with Ashley Madison's fictitious claim it would delete user data permanently for a one-off US$19 fee.
Among the user list were tens of thousands of US government and military emails. The website did not require email verification however, and therefore users could have signed up using unsuspecting people's email addresses, meaning cheaters may have had some hope of plausible deniability.
However, while the site claimed to be home to 5.5 million active female users, investigation by tech experts revealed the majority of female profiles were fake, often created by automated "bots" — in all, a mere three out of every 10,000 members were in fact women, and those users were typically inactive or rarely used. While 11 million men logged onto the site's chat system, only 2,409 women did the same.
Interesting. I didn’t realize that the Impact Team, those behind Ashley Madison's breach, were never caught. Even w/ a $500K bounty.
— Jeremiah Grossman (@jeremiahg) October 27, 2016
The breach cost parent Avid Life Media over a quarter of its revenue, although the website reportedly added several million users since the hack.
A class action lawsuit was filed against Avid Life Media in August 2015 by two Canadian law firms. Ashley Madison said the hacked information could not be used to identify its members or "prove the infidelity of their clients" — although the company has now relented.
As a result, violated users can get up to US$3,500 depending on how well they can document their losses attributable to the breach — although serious questions hover over how well an individual could calculate such a total, given the obvious difficulty of quantifying the cost of damage to one's dignity.
Nonetheless, the deleterious impact of the hack on the site's users cannot be underestimated — it was reported in September 2015 a New Orleans Baptist pastor outed by the data dump committed suicide less than a week after. Several other suicides have subsequently been reported, including San Antonio Police Captain Michael Gorhum.
On top of proving attributable losses, the judge presiding over the case in 2016 ruled claimants must use their real names. Several plaintiffs were reported to have removed themselves from the claim in the wake of the ruling. It's possible much of the compensation fund will go unpaid.
Despite the apparently epic scale of the hack, its impact seems comparatively trifling to other hacks before and since.
For instance, in 2014, by exploiting a password from one of its stores' vendors, hackers broke into Home Depot's retail credit card system, achieving the largest such breach in history.
Through tinkering of the Microsoft operating system, hackers penetrated the US firm's servers before Microsoft could patch the vulnerability. Hackers were subsequently able to observe payment transactions on over 7000 of the Home Depot self-serve checkout registers, skimming credit card numbers as customers paid for their DIY purchases.
That same year, hackers broke into JPMorgan Chase, the largest bank in the US, breaching seven million small business and 76 million personal accounts via the infiltration of 90 server computers. Somewhat bizarrely, no money was looted from account holders, stealing "only" contact information such as names, addresses, email addresses and phone numbers.
In 2016, it was revealed professional networking site LinkedIn was hacked in 2012, with 117 million users' passwords and logins stolen. The hack was particularly notable given how long it took for the company to realize its extent.