Toronto police want hackers' help to find out who released the data of more than 30 million users of the affair-enabling website Ashley Madison. One month after the intrusion, the website is offering a bounty of $500,000 (Canadian), and police are also looking into two deaths to determine whether they are related to the breach.
Providing an update on the case after a new batch of user data was released last week, police in Toronto said Monday that "there are two unconfirmed suicides linked to the breach," according to Canada's CBC News.
"Police wouldn't provide any details about the suspected suicides or where they occurred," Dan Karpenchuk reports from Toronto for our Newscast desk. "They say there were also reports of hate crimes connected to the hack."
The new reward was announced at a police news conference Monday. Ashley Madison's parent company, Avid Life Media, is based in Toronto; its reward for information leading to an arrest and prosecution is worth around $378,000 in U.S. currency.
The hack of a site that promised discretion — and, until recently, charged an extra fee for users to delete their accounts — has resulted in "spinoff crimes and victimization," police said Monday, in an apparent reference to sites that promise to help Ashley Madison's users but actually seek to collect more of their data, and possibly their money. The police also called for anyone who is being extorted over the information to contact the authorities.
Unlike some other sites we're seeing out there, Have I Been Pwned, run by security expert Troy Hunt, allows people to search for an email address in the Ashley Madison hack only after they've been verified as having log-in credentials for that account.
Hunt created a searchable database of email accounts from the hackers' recent "data dump"; since then, he writes, he's gotten a wide range of messages: from the site's admitted users; from those who say they were only checking on their partner; from people who say they were drunk, bored, and/or single when they created an account; and from those who say a stranger used their email on the site.
"I am hoping to find out how much of my data is exposed and to prepare for the worst," one user wrote in an email Hunt excerpted. Another wrote, "So got a call, from our church leaders yesterday, saying my husband's work email was on [redacted], oh my!"
Other people wrote to Hunt asking for his help, saying they couldn't recall what information they put in their profile — and that they had deleted their email account soon after learning about the hack.
Of the messages, Hunt writes:
"I hope it demonstrates how much of an impact this is having on lives, both those who set out to cheat on their spouses and the innocent bystanders be they accidental members, curious onlookers or the partners of those who have been outed. This incident needs to be approached with the understanding that for many people, this is the worst time of their life and for some, it feels like the end of it."
As for the impact that the hack has had on the Ashley Madison site, that's hard to determine. Despite the extraction of millions' of people's personal information, the site — which uses the slogan, "Life is short. Have an affair" — seems to have added nearly 2 million more users to its service since last month, according to its online ticker.
In discussing the data breach by a person or persons known as The Impact Team today, Toronto police also provided more details about how the case developed.
It all began on July 12, they said: "When several Avid Life Media employees arrived at work and powered up their computers, a threatening message appeared on their screens, accompanied by the AC/DC song Thunderstruck."
The company then took its own measures to fight the attack before contacting the police eight days later, Acting Staff Superintendent Bryce Evans said. After the company refused the hacker's demands to take two of its sites — Ashley Madison and Established Men — offline, the customer data were released.
Law enforcement agencies in Canada, the U.S. and elsewhere are now working on the case, which Evans says "is unique in that it exposed tens of millions of people's personal information, including credit card data."