More Ashley Madison files published

Video caption: Josh Duggar reportedly had Ashley Madison account. After hackers said they released nearly 10 GB of data from users of the marital affair website Ashley Madison, Gawker said they found an account opened with the credit card of embattled '19 Kids and Counting' star Josh Duggar.

EDITOR'S NOTE: USA TODAY has learned that a source in this story, Klara Jonsson, was using an alias. We still believe the analysis to be correct.

SAN FRANCISCO — For some cheaters, life has gotten even worse.

On Thursday, the group that hacked into Ashley Madison last month doubled down, posting what appears to be another 20 gigabytes of data — including the CEO's emails.

On Tuesday, the attackers, who call themselves the Impact Team, had posted a 10-gigabyte file purporting to be from the popular website for married people looking for affairs.

The latest release onto the dark Web includes more customer data files and what are said to be email boxes from several of the company's top executives, Wired magazine reported.

The company has called the posting "an act of criminality."

"It is an illegal action against the individual members of AshleyMadison.com, as well as any freethinking people who choose to engage in fully lawful online activities," the company said in a statement.

The Impact Team had demanded that the site's owner, Avid Life Media, take the site down. When the company didn't, the group posted the 10-gigabyte file containing databases that include 28 million unique email addresses.

The posting Thursday included more internal company data including a file named noel.binderman.mail.7z, which seems to be the email of Avid Life CEO Noel Binderman, Wired reported.

Analysis of the email addresses in the databases shows that most come from webmail providers, said Robert Hansen, vice president of WhiteHat Labs at the computer security company WhiteHat Security, which independently studied the data.

The most-used domains were Gmail.com, with 8.7 million, Yahoo.com with 6.6 million, Hotmail with 6.2 million and Aol.com with 1.2 million, Hansen found.

Surprisingly, there were at least 13,000 military and government email addresses ending in .mil and .gov.

The military services are investigating reports that troops may have used the online service Ashley Madison to arrange extramarital affairs, Defense Secretary Ash Carter said Thursday.

The issue is important to the Pentagon, he said, because the military expects "good conduct" from servicemembers. Military law prohibits extramarital affairs.

The Army is looking into potential abuses related to the Ashley Madison website, said Lt. Col. Jesse Stalder, an Army spokesman.

"Army professionals voluntarily incur an extraordinary moral obligation to uphold the Army values, which apply to all aspects of our life," Stalder said. "Online misconduct is inconsistent with Army values and we are committed to ensuring that online-related incidents are prevented, reported and addressed."

A far lower number of addresses came from Fortune 500 companies. In a sampling, Hansen found just 804 from microsoft.com, 313 from apple.com and 76 from bankofamerica.com.

Hansen found two emails from usatoday.com and four from gannett.com, USA TODAY's parent company.

The information available for each user was extensive.

"It's everything from their name, age, interests, whether they smoke or drink, down to very detailed sexual fantasies, what they enjoy having done to them and what they want to do to others," said Adam McNeil, a malware intelligence analyst at Malwarebytes Labs, a Santa Clara, Calif.-based computer security firm, who has inspected the database.

Though it's probably the least of users' worries, the site did encrypt their credit card data. That makes it more difficult, though not impossible, to access. So far, the credit card information hasn't shown up for sale on the dark Web, McNeil said.

The median age of the users was 46, with few younger than 30, an analysis posted online by data scientist Klara Jonsson found.

Gender was very skewed, though the database only identified users as belonging to either Gender 1 or Gender 2. Gender 1 made up 13.9% of users and Gender 2 was 86.1%.

"I'm no genius, but I would say I am pretty sure Gender 2 is male," Jonsson said in her analysis.

There are clearly multiple fake entries, probably created by people seeking to mask their own identities. For example, Hansen found more than a dozen using the name Barack Obama, all with different email addresses.

The Ashley Madison site didn't appear to check to make sure that email addresses were valid before they were stored in its database "so all of this data should be taken with a grain of salt," Hansen said. "This is just a great example of how personal data becomes a liability for companies unless they can guarantee safeguards."

The release of the data is going to unleash a flood of phishing attacks on unsuspecting users, security experts warn. Anyone who wants to can now download millions of email addresses and use them to send out phishing messages that contain malicious software that the unwary or the worried might open, said Ken Westin, senior security analyst at Tripwire, a Portland, Ore.-based security company.

He's also anticipating a wave of emails with links purporting to "fix" the leak for those with guilty consciences. But instead, the websites they lead to will download malware onto the users' computers.

"I'm sure hackers are writing them right now," he said.

Follow USA TODAY reporter Elizabeth Weise @eweise