According to Krebs and others, the breach may have been an inside job: a former or disgruntled employee who either handed access credentials to The Impact Team or was a member of the group.
As unfortunate as the Ashley Madison breach is for the people who signed up for the service, the danger goes well beyond exposed credit card numbers or personal embarrassment.
While the initial public exposure of the data was limited and apparently brief, its existence was no secret. Worse, if the full data set is ultimately published, it will become a treasure trove for cyber-criminals.
But the real risk goes even beyond that. Consider that 37 million people is about one fifth of the U.S. adult population between 25 and 65, an age group that represents the bulk of the Ashley Madison population.
How much this huge group overlaps with the personal information exposed in other breaches, notably the breach of the U.S. Office of Personnel Management databases earlier this year, is unclear. But some people will certainly appear on both lists.
The overlap may not be large, if only because people in the OPM data who hold high security clearances are less likely to be ALM customers, given the nature of their background checks. Statistically, though, some overlap is all but certain.
Now, imagine that you're the state-sponsored hacking group that ended up with the data from OPM. What better way to come up with a short list of people that you will try to blackmail?
It won't be a total success because there will be some who have resolved their need to have affairs by becoming single. But there will also be those who will do anything to prevent their spouses from finding out that they were on the list, never mind the preferences and photos.
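The cross-referencing described above is a trivial join once an attacker holds both dumps. The following is an added example, not code from the article or from either breach: it correlates two small constructed record sets (fictional names and addresses standing in for a cleared-staff roster and a leaked account list) by normalized email address, falling back to a weaker name match. The same check is one a security team could run between its own employee roster and a published dump to decide whom to warn about blackmail risk. All field names and sample data are assumptions made for this example.

```python
"""Correlate a sensitive roster with a leaked account list.

Added example. All records below are constructed and fictional; the
field names (name, email, clearance) are assumptions for illustration.
"""
import re
from collections import defaultdict

# Constructed sample data: a roster of cleared staff (fictional).
CLEARED_STAFF = [
    {"name": "Jane Q. Doe", "email": "Jane.Doe@agency.example", "clearance": "TS/SCI"},
    {"name": "John Smith", "email": "jsmith@agency.example", "clearance": "Secret"},
    {"name": "Maria Garcia", "email": "mgarcia@agency.example", "clearance": "TS"},
]

# Constructed sample data: accounts from a hypothetical dating-site dump (fictional).
LEAKED_ACCOUNTS = [
    {"email": "jane.doe+dating@agency.example", "name": "jqd"},
    {"email": "smithy99@webmail.example", "name": "john  smith"},
    {"email": "nobody@webmail.example", "name": "Pat Nobody"},
]


def normalize_email(addr):
    """Canonicalize an address so cosmetic variants compare equal.

    Lower-cases, drops a '+tag' sub-address, and removes dots from the
    local part for Gmail, which ignores them. Returns None if malformed.
    """
    addr = addr.strip().lower()
    if "@" not in addr:
        return None
    local, _, domain = addr.partition("@")
    local = local.split("+", 1)[0]
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")
    return f"{local}@{domain}"


def normalize_name(name):
    """Lower-case, strip punctuation and collapse whitespace."""
    return " ".join(re.sub(r"[^a-z ]", " ", name.lower()).split())


def correlate(sensitive, leaked):
    """Return one hit per roster entry found in the leaked data.

    An email match is reported as high confidence; a name-only match is
    low confidence, since common names collide.
    """
    by_email = {}
    by_name = defaultdict(list)
    for rec in leaked:
        addr = normalize_email(rec["email"])
        if addr:
            by_email[addr] = rec
        by_name[normalize_name(rec["name"])].append(rec)

    hits = []
    for person in sensitive:
        addr = normalize_email(person["email"])
        if addr and addr in by_email:
            hits.append({"subject": person["name"], "match": "email",
                         "confidence": "high",
                         "leaked": by_email[addr]["email"]})
            continue
        for rec in by_name.get(normalize_name(person["name"]), []):
            hits.append({"subject": person["name"], "match": "name",
                         "confidence": "low", "leaked": rec["email"]})
    return hits


if __name__ == "__main__":
    for hit in correlate(CLEARED_STAFF, LEAKED_ACCOUNTS):
        print(f'{hit["subject"]}: {hit["match"]} match ({hit["confidence"]}) -> {hit["leaked"]}')
```

Running it flags Jane Doe on a direct email match despite the "+dating" tag and mixed case, and John Smith only on a name match, which is the kind of hit that needs manual confirmation before anyone acts on it. The point is how little work the join takes: the hard part for an attacker is obtaining the dumps, not combining them.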
And therein lies the lurking security problem of websites where someone else controls your data. It's bad enough when the bank or your favorite department store loses your credit card numbers. But the security problem created by data that's very personal getting out is orders of magnitude worse.
Worse, there is no good way to resolve a problem like this short of avoiding this kind of site altogether. Perhaps the best approach is to share only personal information you would not mind seeing in the public domain.