
Who Needs Hackers? You Can Already See Who's on Cheating Site AshleyMadison

Thanks to a common mistake by the site’s developers, it was already possible to identify its users—even before the hack.

It turns out that the dating website that promised married men and women "discreet encounters" in order to facilitate cheating on their partners wasn't so discreet after all.

A mysterious group of hackers calling themselves The Impact Team broke into the website AshleyMadison, a matchmaking site for cheaters with 37 million users, and is threatening to expose their identities. But it turns out that it was already possible to figure out who was registered on the site even before the hack, due to what appears to be negligent security on the part of AshleyMadison.


Thanks to a mistake by the website's developers, anyone can trick AshleyMadison into revealing whether an email address is tied to a registered user's account, as security researcher Troy Hunt showed in a blog post on Monday that walks through exactly how the trick works.


Say you're worried that your partner is using AshleyMadison.

You can go to the website's "forgot password" form and enter the email address you're interested in. If nobody used that email to register on the site, AshleyMadison will return this message, which is indeed discreet because it doesn't say whether that email address is in the site's database.

But if your partner is on the site and used his or her personal email to register, the website returns something slightly different. The message is worded exactly the same, but the box with the email address and the send button disappear, implicitly revealing that the account does exist.

Hunt was able to figure this out by testing "a dozen" fake email addresses, which caused the site to return the message with the box and the "send" button, and then using a real one he had just registered to test the site.
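As an added example (not code from the article or from AshleyMadison), here is a Python sketch of the difference the article describes: a forgot-password handler whose response changes for registered addresses, beside one that answers identically either way, plus the comparison check that Hunt's test amounts to. The user table, message text and outbox are constructed assumptions.

```python
import secrets

# Constructed sample data (assumption): one registered account.
USERS = {"alice@example.com": "Alice"}

# Outbox stands in for a mail queue; resets are queued, not sent inline,
# so the response time does not depend on whether the address is known.
OUTBOX: list[dict] = []

MESSAGE = ("Thank you for your forgotten password request. If that email "
           "address exists in our database, you will receive an email shortly.")


def forgot_password_leaky(email: str) -> dict:
    """Vulnerable pattern: identical wording, but the form controls
    disappear only when the account exists, so the page itself leaks."""
    exists = email.strip().lower() in USERS
    return {"message": MESSAGE, "show_form": not exists}


def forgot_password_hardened(email: str) -> dict:
    """Hardened pattern: the response is byte-for-byte the same whether or
    not the address is registered; only the side effect differs."""
    normalized = email.strip().lower()
    if normalized in USERS:
        token = secrets.token_urlsafe(32)  # never reflected in the response
        OUTBOX.append({"to": normalized, "token": token})
    return {"message": MESSAGE, "show_form": False}


def is_enumerable(handler, known: str, unknown: str) -> bool:
    """Defender's check, mirroring Hunt's method: submit a registered and an
    unregistered address and compare the responses. Any difference means
    account existence is discoverable."""
    return handler(known) != handler(unknown)


if __name__ == "__main__":
    for h in (forgot_password_leaky, forgot_password_hardened):
        print(h.__name__, "enumerable:",
              is_enumerable(h, "alice@example.com", "nobody@example.com"))
```

The check compares only the response body; a full review would also compare status codes, headers and response timing.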

While this could be a costly mistake, especially for a site like AshleyMadison, there are many other websites that expose their users' identities this way, Hunt told Motherboard.


"Unfortunately it's all too common," he said via chat message. "I would have been surprised if they'd done it right. I'm saddened, but not surprised."

AshleyMadison did not respond to a request for comment.


Hunt, who maintains haveibeenpwned.com, a site that lets people check whether their email has ever been leaked, said that this should serve as a lesson for both websites and users. Websites "need to take better care" of their users' information, he said, and users should "always assume the presence of your account is discoverable" regardless of a breach.

"If you want a presence on sites that you don't want anyone else knowing about," he wrote on his post, "use an email alias not traceable back to yourself or an entirely different account altogether."

This snafu, as well as the hack, is particularly ironic because AshleyMadison not only marketed its service as "discreet" but also publicly and repeatedly boasted of its security practices, and promised to delete user information for an extra fee of $19.

Last year, in an email sent to reporters and bloggers, the website bragged that "the company takes every measure possible to ensure the safety of their members' information."

Even today, after being hacked, AshleyMadison wrote in a statement on its site that "we have always had the confidentiality of our customers' information foremost in our minds, and have had stringent security measures in place."

It looks like that wasn't entirely true.