The Ashley Madison Hack Is Not OPM (But the Government May Be Watching It Anyway)

AA Font size + Print

Thousands of the site’s affair-seeking users registered from .mil and .gov domains — at least ostensibly.

At some point on Monday, the hacker group Impact Team made good on a promise to release personally identifiable data of some 38 million users of, a site that bills itself as a matchmaker for the adulterous. By Wednesday, the data dump had become international news.

A California-based data researcher who goes by t0x0 on Twitter found the set online and did some basic parsing and statistical analysis. Among the more predictable revelations: most of the registered accounts — 28 million — belong to men. And thousands of the accounts appeared, at least upon initial inspection, to belong to military servicemembers.

In the database, there were 6,788 accounts connected to emails at; at, 1,665;, 809;, 657; and, 206. And there were a few other domains with national security implications:, 45;, 44; and, 5. (Here’s a list of all the individual .mil domains, and here are lists of the and domains.)

What’s the real blackmail potential here? Probably limited, since the material has already been made public. Moreover, much of the account information is obviously inaccurate — many of the email addresses use false domains, and it’s a good bet that many more are simply made up. reportedly neither required nor checked to make sure an applicant’s given email was valid.

“Clearly, there are plenty of false records, including those from the White House, or,” said CSO Online’s Steve Ragan. “However, the records with full account details, including profiles matched to personal and financial records, are going to be harder to dispute.” That is to say: credit card information is a more reliable identifier.

Does it represent a national security risk?

Patrick Skinner, a former CIA operative now with the Soufan Group, doesn’t think so. In an email, he called it “a minor issue in terms of matching names on the Madison data dump and the OPM hack. Might bring up awkward blackmail attempts perhaps. I’m sure people will try. But one can claim the emails are spoofed.”

People in the national security community are already under extra scrutiny, but that can ratchet up if you’re having an extramarital affair, or are spotted trolling for one. That makes you a blackmail risk, and therefore a potential insider threat.

At a Defense One LIVE event last month, Patricia Larsen, co-director of the National Insider Threat Task Force, said marital issues were one of many potential indicators that they would look at as part of a continuous evaluation.

“There’s a lot of information about you that’s already out there. We want to put it together in one place so we can short circuit the information gathering point,” Larsen said. “We haven’t waited three, four, or five years to see that, you’ve got some nasty credit problems, going through a nasty divorce, and are starting to get worse and worse evaluations over time.”

Someone attempting to access from an government-issued device or from a work computer on the or domains probably doesn’t pose much of a corruptable threat, at least nothing that the Defense Department isn’t already aware of.

A Defense Department official familiar with the insider threat program said, “It depends on how deeply they were getting into the sites from work. There’s a possibility we would have already found them through user activity monitoring. We monitor for certain things.”

In other words, stop screwing around and get back to work.

Close [ x ] More from DefenseOne

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Ongoing Efforts in Veterans Health Care Modernization

    This report discusses the current state of veterans health care

  • Modernizing IT for Mission Success

    Surveying Federal and Defense Leaders on Priorities and Challenges at the Tactical Edge

  • Top 5 Findings: Security of Internet of Things To Be Mission-Critical

    As federal agencies increasingly leverage these capabilities, government security stakeholders now must manage and secure a growing number of devices, including those being used remotely at the “edge” of networks in a variety of locations. With such security concerns in mind, Government Business Council undertook an indepth research study of federal government leaders in January 2017. Here are five of the key takeaways below which, taken together, paint a portrait of a government that is increasingly cognizant and concerned for the future security of IoT.

  • Coordinating Incident Response on Posts, Camps and Stations

    Effective incident response on posts, camps, and stations is an increasingly complex challenge. An effective response calls for seamless conversations between multiple stakeholders on the base and beyond its borders with civilian law enforcement and emergency services personnel. This whitepaper discusses what a modern dispatch solution looks like -- one that brings together diverse channels and media, simplifies the dispatch environment and addresses technical integration challenges to ensure next generation safety and response on Department of Defense posts, camps and stations.

  • Forecasting Cloud's Future

    Conversations with Federal, State, and Local Technology Leaders on Cloud-Driven Digital Transformation


When you download a report, your information may be shared with the underwriters of that document.