Website of the YearCouncil staff, youth workers, health professionals and a lawyer are among the Kiwi civil servants linked to account details hacked from adultery website AshleyMadison.com.
A 9.7GB file was leaked online by hackers yesterday, with the information dump claiming to contain account details of 32 million customers worldwide - including an estimated 22,000 New Zealanders.
Among the alleged Kiwi clients are 32 accounts linked to government agencies, including a fake address for Prime Minister John Key, while four of the 32 email addresses appear in the list twice.
Inspection of the addresses suggests the email accounts of a Hawkes Bay legal professional, a parliamentary worker, six district health board workers and three youth workers are among those linked to the cheating website which has the motto: "Life is short. Have an affair".
Advertisement
Advertise with NZME.The addresses of youth workers relate to the Ministry of Social Development, Ministry of Youth Development and the Department of Corrections, while the health boards linked include the Auckland, Southern, Canterbury, Hawkes Bay and Waitemata boards.
Also appearing are seven council-related addresses, including three from Auckland Council and council-controlled organisation Auckland Transport.
Other government email accounts supposedly used include the police, New Zealand Transport Agency, Department of Conservation, New Zealand Food Safety Authority, Inland Revenue, New Zealand Trade and Enterprise and Ministry of Business, Innovation and Employment.
Ashley Madison's sign-up process does not require verification of an email address to set up an account.
This means addresses might have been used by others, and does not prove that person used the site themselves.
A spokeswoman for the Prime Minister confirmed last night that that email address linked to his office "doesn't even exist" and was clearly not Mr Key's email.
"So it's kind of ridiculous.
" ... it's not a correct email address and I imagine quite a few of them won't be," she said.
Advertisement
Advertise with NZME.How to search Ashley Madison leak
When a team of hackers calling themselves "the Impact Group" claimed to break into spouse cheating site Ashley Madison last month, millions of users held their breaths: See, even though Ashley Madison confirmed there was a hack, no one had posted any actual user data yet.
That changed this week, when the Impact Group published a 10-gigabyte trove of user data - including names, phone numbers, email addresses and credit card fragments - to the Dark Web.
While Ashley Madison has not confirmed that the information is authentic, several security researchers have already said that it appears to be: Multiple users have independently confirmed that their names appeared in the leak.
But if you're worried about appearing on the list, yourself, you don't need to download Tor or scour Pirate Bay for the right Torrent. At least three sites are republishing Ashley Madison's user data on the public-facing internet.
CheckAshleyMadison.com, which went up overnight, claimed it could tell you if an email address or phone number appears in the leaked files. It has since been forced offline by action from Ashley Madison.
"Ashley Madison users who were in committed relationships were taking comfort in the fact that their significant others were not able to Torrent things," the site's creator told The Washington Post while they were still active.
Advertisement
Advertise with NZME."Our site upsets that in making it easier for people to find out if their spouse was a part of the site."
Trustify, a sort of Uber for private eyes, said in a statement that it was also updating its hacked-email search tool to add the Ashley Madison files.
And Have I Been Pwned, a site that tracks major data breaches around the web, just finished loading more than 30.6 million email addresses into its database; unlike the other sites, however, Have I Been Pwned will only share data from the Ashley Madison leak with users who have verified their email address with the service and subscribed for notifications.
In other words, Have I Been Pwned (HIBP) will not allow suspicious spouses, nosy co-workers or other passerby to see if someone else was an Ashley Madison user. It will only allow the actual user to check if his or her name was included in the leak.
It's a novel response to a situation whose ethics remain enormously murky: If private data is hacked - particularly sensitive, compromising data - who is ultimately responsible for the consequences of that leak? Is it the site that failed to secure the data, the hackers who obtained it, the third parties who republished it, often for profit - or some combination of the three?
"There's no escaping the human impact of it," HIBP's creator, Troy Hunt, wrote in a lengthy blog post explaining why the Ashley Madison data wouldn't be searchable on his site. "The discovery of one's spouse in the data could have serious consequences ... I'm not prepared for HIBP to be the avenue through which a wife discovers her husband is cheating, or something even worse."
Advertisement
Advertise with NZME.Computer security expert Graham Cluley warned against witch hunts on his blog.
"For one thing, being a member of a dating site, even a somewhat seedy one like Ashley Madison, is no evidence that you have cheated on your partner," he wrote. "You might have joined the site years before when you were single and be shocked that they still have your details in their database, or you might have joined the site out of curiosity or for a laugh ... never seriously planning to take things any further."
Cluley also wrote recently about the real risk that a leak could lead to suicide.
"What the howling wolves doesn't seem to understand is what they are doing is online bullying. The kind of bullying that clearly can cause such personal tragedies," he wrote.
Data leak Q&A
What is Ashley Madison?
Ashley Madison is a Canadian-based online dating service and social network for people who are married or in a long-term relationship. Its slogan is "Life is short. Have an affair." It was launched in 2001.
Advertisement
Advertise with NZME.How does the website work?
Users don't pay a subscription, but have to pay to send other Ashley Madison members messages or virtual "gifts". Each profile explains whether members are looking for a "cyber affair", long-term relationship or short-term fling.
Who hacked the website, and why?
Hackers calling themselves the "impact team" posted a manifesto on the site in July. They claim to have hacked the site for moral reasons, stating: "Too bad for those men, they're cheating dirtbags and deserve no such discretion." But it also criticised the site's handling of users' data. They claim the site lied when it promised to delete personal details from the site for a fee.
What have the hackers published, and where?
The group released the information over the dark web - meaning it is not accessible to the less tech savvy - and includes the names, addresses, phone numbers and credit card information of the site's members.
Advertisement
Advertise with NZME.Are all of the personal profiles genuine?
It is unclear. Because the site does not require email verification, a user could pick any email address to adopt as their own and use random phone numbers.
What can people do if they find their names online?
In a word: apologise.