In July 2015, a group calling itself "The Impact Team" stole the user data of Ashley Madison, a commercial website billed as enabling extramarital affairs. The group copied personal information about the site's user base and threatened to release users' names and personally identifying information if Ashley Madison was not immediately shut down. On 18 and 20 August, the group leaked more than 25 gigabytes of company data, including user details.
Because of the site's policy of not deleting users' personal information – including real names, home addresses, search history and credit card transaction records – many users feared being publicly shamed.
The Impact Team announced the attack on 15 July 2015 and threatened to expose the identities of Ashley Madison's users if its parent company, Avid Life Media, did not shut down Ashley Madison and its sister site, "Established Men".
On 20 July 2015, the website put up three statements under its "Media" section addressing the breach. The website's normally busy Twitter account fell silent apart from posting the press statements. One statement read:
"At this time, we have been able to secure our sites, and close the unauthorized access points. We are working with law enforcement agencies, which are investigating this criminal act. Any and all parties responsible for this act of cyber-terrorism will be held responsible. Using the Digital Millennium Copyright Act (DMCA), our team has now successfully removed the posts related to this incident as well as all Personally Identifiable Information (PII) about our users published online." The site also offered to waive the account deletion charge.
Although Ashley Madison denied reports that a mass release of customer records occurred on 21 July, over 60 gigabytes worth of data was confirmed to be valid on 18 August. The information was released on BitTorrent in the form of a 10 gigabyte compressed archive and the link to it was posted on a dark web site only accessible via the anonymity network Tor. The data was cryptographically signed with a PGP key. In its message, the group blamed Avid Life Media, accusing the company of deceptive practices: "We have explained the fraud, deceit, and stupidity of ALM and their members. Now everyone gets to see their data ... Too bad for ALM, you promised secrecy but didn't deliver."