TORONTO — Personal information about Ashley Madison clients exposed in a massive data breach this week doesn't prove their infidelity, the adultery website said Thursday as it took pains to reassure nervous members and suspicious spouses.
The company investigating the breach for Ashley Madison confirmed the website doesn't verify email addresses used to sign up for the service, nor does it collect phone numbers or store full credit-card numbers.
"This means that anyone could have used any email address to sign up for an account," Joel Eriksson, the chief technology officer for Toronto cyber-security company Cycura, said in an email.
"So a list of email addresses is not proof of anyone's membership."
He added that Avid Life Media, Ashley Madison's parent company, doesn't check the authenticity of email addresses, precisely to ensure no account can be conclusively linked with a specific person.
"By not having email verification, users have plausible deniability with regards to their membership status," he said.
"Note that verification of email addresses are mostly relevant to sites that harvest personal information as a part of their business model, and want to tie each user to an identity. In this case, that would not be in the best interest of either the users nor (Avid Life Media)."
People can speculate based on the data leak, Eriksson added, but there's no smoking gun.
Scouring the data for familiar names or email addresses among the site's more than 35 million registered members has become a popular pastime for worried spouses and curious Internet users worldwide.
There are hundreds of email addresses in the data release that appear to be connected to federal, provincial and municipal workers across Canada, as well as to the RCMP and the military.
Cycura is investigating the breach along with the FBI, RCMP, OPP and Toronto Police Services.
Eriksson says the source code used by Avid Life Media is being audited for "vulnerabilities and backdoors" though it doesn't appear that any software vulnerability was exploited in the breach.
Ontario government technology experts are also looking into the leak after dozens of provincial email addresses were linked to Ashley Madison account-holders. Provincial officials say if any civil servants used their work emails to set up their Ashley Madison accounts, that would be considered a misuse of government IT resources.
Attorney General Madeleine Meilleur's office says "information and technology officials are looking into whether any misuse has occurred."
A spokesman for the Manitoba government said the province has a policy stipulating that "employees must not access Internet sites that might bring the government of Manitoba into disrepute." Those who violate it may face disciplinary action that could include dismissal.
Two law firms are attempting to launch a class-action lawsuit against Ashley Madison's parent company. Their lead plaintiff is an Ottawa man who joined after his wife of 30 years died. The proposed class action alleges the privacy of thousands of Canadians was breached.
South of the border, The Associated Press reported that hundreds of U.S. government employees — including some with sensitive jobs in the White House, Congress and law enforcement agencies — used Internet connections in their federal offices to access and pay membership fees to Ashley Madison.
The federal workers included at least two assistant U.S. attorneys; an information technology administrator in the Executive Office of the President; a division chief, an investigator and a trial attorney in the Justice Department; a government hacker at the Homeland Security Department and another DHS employee who indicated he worked on a U.S. counterterrorism response team.
Few actually paid for their services with their government email accounts. But the AP traced their government Internet connections — logged by the website over five years — and reviewed their credit-card transactions to identify them.
They included workers at more than two dozen Obama administration agencies, including the departments of State, Defence, Justice, Energy, Treasury, Transportation and Homeland Security. Others came from House or Senate computer networks.
The AP did not name the government subscribers it found because they are not elected officials or accused of a crime.
