EXCLUSIVE: European Union officials used their work email addresses to register with online adultery site Ashley Madison, EURACTIV can reveal.

The no-strings sex site, which has the slogan ‘Life is short. Have an affair’, was hacked and 36 million users’ personal data was published by a group calling themselves ‘The Impact Team’.

The revelations will raise questions over potential security breaches through hacking or blackmail. Ashley Madison had guaranteed the data would be kept secret to enable clandestine meet-ups behind partners’ backs before the hack.

A EURACTIV investigation found that eight Commission officials – including one Head of Unit – used their workplace “@ec.europa.eu” email addresses to sign up to the Canada-based adultery website.

Three European Parliament workers, including a policy advisor to a major political group, used their “europarl.europa.eu” address to register with the service.

No Council of Ministers or European Central Bank emails showed up in the search of the dumped data. But one from the European External Action Service, the EU’s foreign affairs desk, and another from pan-EU financial regulator, the European Securities and Markets Authority, appeared.

Another email address, from the EUFOR rapid reaction force, was also listed in the data dump.

EURACTIV has decided not to publish the names of the officials – 13 men and one woman – out of respect for their privacy.

There is no information to suggest that any of the EU staff using their work email to register on the site actually had an affair, or that their account was still actively being used. It is also possible that the addresses were harvested from elsewhere on the Internet, or simply stolen.

But one of them was listed as having paid $82 to the site, which has offered a €332,000 reward for info on the hackers.

Credit cards, addresses and sexual preferences

The stolen data, which is easily available online, includes addresses, credit card details, sexual orientation and what the user is looking for in a sexual partner.

Some of that information could potentially be used by criminal or even terrorist groups to blackmail EU officials.

The data also includes questions and answers to retrieve forgotten passwords as well as encrypted passwords. Those questions and answers could be used to change passwords and access accounts. If a user has the same secret questions and answers for multiple websites, that could lead to a security breach.

15,000 US government and military officials used their official email addresses for Ashley Madison accounts, the Associated Press reported.

Cybersecurity experts warned that US bureaucrats looking for extra-marital affairs had opened the door for hackers, including spies, to sensitive government material.

American Enterprise Institute fellow Shane Tews told the Daily Caller News Foundation that if even one federal official used a government computer or email to open a fake message from Ashley Madison that contained malware, all the information stored at the agency could be compromised. The technique is called ‘spear phishing’.

Web security experts told the Guardian that banking staff using the site could be vulnerable to blackmail in the wake of the data dump.

Data protection rules

The EU’s data protection rules applies to businesses that operate in Europe. The European Commission has recognised Canada as having adequate data protection since 2001, a stamp of approval that allows companies to transfer data from Europe to Canada.

Avid Life Media, the parent company behind Ashley Madison, has employees in Europe and announced this spring that it’s seeking an IPO in London.

Ashley Madison’s website still displays a ‘trusted security award’ and ‘100% discreet service’. Since the dump, there have been reports of at least two suicides.

EURACTIV has contacted the European Commission and European Parliament for comment. This story will be updated once responses are received.