Data breach · Resolved

Ashley Madison (Avid Life Media) breach

A group calling itself the Impact Team breached infidelity dating site Ashley Madison, then dumped the account data of roughly 32 million users — names, emails, sexual preferences and payment records — after parent company Avid Life Media refused to shut the site down.

Victim: Avid Life Media (Ashley Madison)
Loss: $1.6M
Records: 32.0M
Users: 32.0M

In July 2015, a group calling itself the Impact Team announced it had breached Ashley Madison, the Toronto-based dating site that marketed extramarital affairs under the slogan "Life is short. Have an affair." The attackers demanded that parent company Avid Life Media permanently shut down Ashley Madison and a sister site, Established Men, or they would publish the site's entire customer database. The company refused — and the attackers followed through.

What happened

The Impact Team obtained access to Avid Life Media's systems and exfiltrated the company's account database along with internal corporate records. On 15 July 2015 they issued their ultimatum; by 19 July the breach was public, and CEO Noel Biderman characterised it as a criminal act. When the company declined to close the sites, the attackers escalated.

On 18 August 2015 the Impact Team published more than 60 GB of data via BitTorrent, covering roughly 32 million accounts. A second dump on 20 August released internal corporate emails, including the CEO's correspondence.

What was exposed

The leaked data included:

  • Real names, email addresses, and home addresses provided at sign-up
  • Sexual preferences and account activity
  • Partial credit-card and payment-transaction records

The dump exposed a particularly damaging fact: Ashley Madison's paid "full delete" service, which charged users to erase their profiles, had not actually removed their data — directly contradicting the company's marketing.

Impact

The fallout was severe and personal. The exposure of named users triggered widespread extortion campaigns demanding Bitcoin payments, and was linked to reports of suicides. CEO Noel Biderman resigned on 28 August 2015.

Regulators acted on the underlying security and marketing failures. In December 2016, the U.S. FTC and 13 states plus the District of Columbia settled with the company (by then renamed Ruby Corp). The company agreed to a $17.5 million judgment, which was largely suspended, and paid $1.6 million. The FTC alleged both lax data-security practices and the use of fake "engager" profiles to lure users. In 2017, Ruby Corp agreed to an additional $11.2 million settlement of consumer class-action claims.

Why it matters

The Ashley Madison breach reshaped thinking about the real-world harm of data exposure. Unlike payment-card breaches, where the damage is largely financial and reversible, this leak exposed intimate personal information that could not be undone — fuelling extortion, reputational ruin, and tragedy. It also became a landmark data-deletion and truth-in-marketing case: charging users to erase data the company quietly retained drew direct regulatory action and foreshadowed later "right to erasure" requirements under regimes such as the GDPR.

Financial impact

Reported costs in USD

Total reported loss: 1.6M USD ($1,600,000)

  • Fines & settlements: $1.6M

Timeline

  1. The Impact Team breaches Avid Life Media and warns the company to permanently shut down Ashley Madison and Established Men or face full data exposure.

  2. The breach becomes public; Avid Life Media's CEO Noel Biderman calls it a criminal act and the company refuses to close the sites.

  3. The Impact Team releases an initial sample of customer records to prove the breach is real.

  4. More than 60 GB of stolen data — covering roughly 32 million accounts — is published via BitTorrent.

  5. A second dump releases internal corporate emails, including CEO correspondence.

  6. Noel Biderman resigns as CEO of Avid Life Media amid the fallout.

  7. The FTC and 13 states announce a settlement; the company pays $1.6 million of a $17.5 million judgment (largely suspended).

  8. Ruby Corp (formerly Avid Life Media) agrees to an $11.2 million settlement of consumer class-action claims.

Sources

  1. en.wikipedia.org: https://en.wikipedia.org/wiki/Ashley_Madison_data_breach
  2. ftc.gov: https://www.ftc.gov/news-events/news/press-releases/2016/12/operators-ashleymadisoncom-settle-ftc-state-charges-resulting-2015-data-breach-exposed-36-million
  3. krebsonsecurity.com: https://krebsonsecurity.com/2015/07/online-cheating-site-ashleymadison-hacked/
  4. wired.com: https://www.wired.com/2015/08/happened-hackers-posted-stolen-ashley-madison-data/
