TORONTO – The apparent email addresses of hundreds of Canadian federal, provincial and municipal government employees are contained in a massive leaked list of names purported to be users of Ashley Madison, a matchmaking website for cheating spouses.
Ashley Madison does not send verification emails, meaning the accounts might not belong to actual users of the site and could simply be the work of disgruntled tricksters. Further, the data goes back to 2004, suggesting some email addresses may no longer be operational.
In a statement, Toronto-based Ashley Madison’s parent company, Avid Life Media, said it was actively monitoring and investigating the leak to determine the validity of any information posted online.
It did not immediately respond to a question about why people can register for Ashley Madison with unverified or fake email addresses.
Federally, more than 170 addresses associated with the Canadian Armed Forces are on the list, and hundreds more from other departments and agencies, including justice, public works, the Canada Revenue Agency and the RCMP.
At least one MP was registered by name. Several email addresses attached to the Senate were registered although not under any sitting senators’ names.
According to data on AshleyMadison.com, there were more than 55,000 users on the website living in Ottawa in 2013, making it the most infidelity-friendly city in Canada.
There were also municipal government email addresses on the list, including 78 in Toronto, 41 in Ottawa and 32 in Calgary. Dozens of university email addresses are also included.
Hackers leaked the list after claiming Ashley Madison refused to bow to their demands to close the site. A message posted online said “Time’s Up!” and accused parent company Avid Life Media of deceit and incompetence.
Computer security expert Brian Krebs, who writes the KrebsOnSecurity blog, said many of the leaked accounts appeared to be little more than a name and an email address, raising questions about their authenticity.
“But when you start factoring in payment information, that becomes harder to explain,” he said.
Krebs said Ashley Madison does not send verification emails and allows multiple accounts to be linked to a single email address in an effort to aid users’ privacy.
“They wanted to remove the ability for anybody to do that reconnaissance and try to register to find out if somebody was already a member,” he said. “They wanted their users to have deniability.”
Krebs said it was unsurprising that some of the emails were attached to government accounts, but he declined to speculate on the motivations of those who signed up.
“This wouldn’t be the first time that people have signed up for services that they wouldn’t want their name associated with on the front page of the newspaper,” he said. “You put yourself in a compromising situation, but people do it all the time.”
Hackers claim to have exposed data on millions of spouses who signed up to Ashley Madison.
“Now everyone gets to see their data,” a message posted by the hackers said.
Ashley Madison has long courted attention with its claim to be the Internet’s leading facilitator of extramarital liaisons, boasting that “thousands of cheating wives and cheating husbands sign up every day looking for an affair.” Avid Life Media has previously acknowledged suffering an electronic break-in.
Canadian and U.S. law enforcement are involved in the probe, the company said Wednesday.
The federal privacy commissioner’s office is looking into the apparent disclosure.
“We have been in communication with the company to determine how the breach occurred and what is being done to mitigate the situation,” said Tobi Cohen, a spokeswoman for the commissioner. “Given the global scope of the breach, we have also been in contact with other data protection authorities.”
Many U.S. analysts who have scanned the data believe it is genuine.
TrustedSec Chief Executive Dave Kennedy said the information dump included full names, passwords, street addresses, credit card information and “an extensive amount of internal data.”
In a separate blog, Errata Security Chief Executive Rob Graham said the information released included details such as users’ height, weight and GPS co-ordinates. He said men outnumbered women on the service five-to-one.
A call to Avid Life Media wasn’t returned. The hackers didn’t immediately return emails.
The number of people who actively used the site to seek sex outside their marriage is an open question. But whatever the final number, the breach is still a humbling moment for Ashley Madison, which had made discretion a key selling point. In a television interview last year, chief executive Noel Biderman described the company’s servers as “kind of untouchable.”
— With files from The Associated Press and CP’s Peter Henderson