Ashley Madison leak prompts city probe

Three city of Cincinnati email domains were listed among the millions of emails registered to a popular spouse-cheating website, and the city’s top administrator wants to know which taxpayer-funded employees might be responsible.

“We are going to pursue it,” City Manager Harry Black told The Enquirer on Wednesday night. “We have some information, but not enough. I don’t know if it would be a fireable offense, but we will look at our Internet-use policy.”

The email domains were part of a massive data breach by hackers of the Ashley Madison website, which claims to have 39 million members and boasts about being a matchmaker for extramarital affairs.

The hackers on Wednesday released millions of email addresses registered to the website, saying in a posted message they exposed the information because Ashley Madison’s Toronto-based owner has refused to comply with their demands to shut down the website.

Black does not have a timetable for his investigation. Even once he finds out who the email domains are linked to, it’s possible those employees did not register on Ashley Madison and have never even heard of it. The website does not require email addresses to be verified, thus members could use another person’s email address to sign up and log onto Ashley Madison.

Black says the city has a “very stringent” Internet policy, and city-issued computers have a monitoring system that blocks access to several websites.

“All we can do is look at our protocols and programming of software and make sure it is as all-encompassing as possible,” Black said. “But nothing is going to be fail-safe in 2015.”

Many other government-issued email domains from across Ohio were listed in the data breach, according to an Enquirer analysis. The city of Columbus had five email domains on the list. The cities of Akron, Toledo, Troy and Tiffin also had email domains listed.

The French leak monitoring firm CybelAngel said it counted some 15,000 .gov or .mil email addresses in the data dump, suggesting that U.S. military personnel and government employees had opened themselves up to possible blackmail, The Associated Press reported.

Using a government email to register for an adultery website may seem foolish, but CybelAngel Vice President of Operations Damien Damuseau said there was a certain logic to it. Using a professional address, he said, keeps the messages out of personal accounts “where their partner might see them.”

“It’s not that dumb,” Damuseau said.

Ashley Madison’s owner, Avid Life Media Inc., has previously acknowledged suffering an electronic break-in and said in a statement Tuesday it was investigating the hackers’ claim. U.S. and Canadian law enforcement are involved in the probe, the company said.

The Associated Press wasn’t immediately able to determine the authenticity of the leaked files, although many analysts who have scanned the data believe it is genuine.

TrustedSec Chief Executive Dave Kennedy said the information dump included full names, passwords, street addresses, credit card information and “an extensive amount of internal data.” In a separate blog, Errata Security Chief Executive Rob Graham said the information released included details such as users’ height, weight and GPS coordinates. He said men outnumbered women on the service five-to-one.

The Associated Press contributed.