August 27, 2015: Just over a week after the first major data dump, reports of blackmail and identity theft targeting leaked Ashley Madison users surface.
August 28, 2015: Noel Biderman, whose emails were leaked in the second major Ashley Madison data dump, stepped down on Friday.
August 24, 2015: After analyzing many of Noel Biderman's emails that were leaked in the second data dump, Brian Krebs publishes an article stating that there is evidence that Ashley Madison founding CTO Raja Bhatia had hacked a competing dating site in 2012. The leaked emails also included messages from Ashley Madison director of security Mark Steele warning Biderman of multiple cross-site scripting and cross-site request forgery vulnerabilities in their codebase.
August 25-26, 2015: The data dumps continue with state-by-state leaks of personal data of Ashley Madison users from New Jersey, New York, California, Georgia, and Arkansas appearing on Pastebin.
August 18, 2015: Following the first data dump, Avid Life Media issues another statement on the hack detailing their investigation and asking for information on the incident.
August 18, 2015: A categorical breakdown of the email addresses disclosed in the first data dump is posted to Pastebin, revealing many government, military, and corporate addresses that were used to sign up for Ashley Madison accounts.
August 20, 2015: Impact Team leaks a second major dump of Ashley Madison data. Unlike the first, which was primarily user data, this dump contains nearly 20 gigabytes of mostly internal data, including Avid Life Media CEO Noel Biderman's emails and Ashley Madison website source code.
Leaked data includes a full list of government emails used for accounts (sorted by department) as well as lists of Ashley Madison users in Mississippi, Louisiana, and Alabama.
A 13 gigabyte file containing Biderman's email is found to be corrupted, and is quickly replaced with the release of a 19 gigabyte file of the CEO's email data.
August 21, 2015: In an interview with Vice, Impact Team claims to have over 300 gigabytes of hacked Ashley Madison data.
September 9, 2015: Security researcher Gabor Szathmari announces that he has discovered poor security practices in Ashley Madison source code, the worst offense being hardcoded security credentials including "database passwords, API secrets, authentication tokens and SSL private keys." Aside from hardcoded credentials, Szathmari also noted that the website didn't employ form or email validation to help screen out bots.
Szathmari's discovery, which cites numerous critical security risks for Ashley Madison's systems, sheds some light on potential methods that could have been used in the attack.