'

Ashley Madison hack: How much user data did 'Paid delete' function obliterate?

Ashley Madison has insisted the site's $19 paid delete feature removed all account information, but a new report suggests otherwise.

screen-shot-2015-08-24-at-12-27-42.png

An investigation into the leaked data of Ashley Madison has cast doubt on the firm's claims that the 'Paid delete' function completely wiped user data.

Former users of the Ashley Madison casual encounters website have been thrown into the fire due to a devastating cyberattack. Following a data breach which exposed the sensitive personal data of millions of subscribers, panic has ensued in circumstances where a partner is at risk of being accused of cheating, suicides have been reported and relationships broken.

This cyberattack goes far beyond company reputation and financial damage -- due to the nature of the website, this data breach has had a profound effect on relationships worldwide.

The group which took responsibility for the breach, dubbed Impact Team, said the original reason for taking on Ashley Madison was not only to expose "cheating dirtbags," but was in retaliation for a "Paid delete" account function which allegedly did not work as advertised. In a manifesto alongside the first batch of leaked data, the hackers said:

"Full Delete netted ALM $1.7mm in revenue in 2014. It's also a complete lie. Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed."

While Ashley Madison parent company Avid Life Media (ALM) has insisted the 'Paid delete' function eradicates all information pertaining to the user, a report from The Register suggests that while some data was indeed removed when users paid their $19 fee, not everything was scrubbed from servers.

According to the publication, some user database column entries were deleted by the "< paid_delete >" entry, including email address, first and last names, physical addresses, phone numbers and security question answers. However, GPS data, city, state, country, weight, height, date of birth, gender, ethnicity and sexual preference information, among other data, would not be removed -- all of which put together may be enough to identify individual users.

A class-action complaint (.PDF) filed in a US District Court in California alleges that ALM neglected to protect the personal data of users. According to the complaint:

"This massive data breach could have been prevented had Defendants taken the necessary and reasonable precautions to protect its users' information by, for example, encrypting the data entrusted to it by its users on a database level so that any information hacked and downloaded appeared in the encrypted format."

See also: Ashley Madison hack: A savage wake-up call which is only the beginning

This week, Brian Krebs said a Twitter user, Thadeus Zu, may be a member of Impact Team. The security expert's investigation and clues such as retweets and rock music references led him to believe if Zu is not a white hat security researcher or confidential informant who has infiltrated Impact Team, then "he certainly knows" who was involved in the hack.

Zu has refuted these claims, tweeting:

screen-shot-2015-08-27-at-10-13-12.png
screen-shot-2015-08-27-at-10-13-17.png

This exchange has not gone unnoticed by law agencies, however, and the Toronto Police force is investigating.

Read on: Top picks

In pictures: