Complaints to U.S. Federal Trade Commission about Ashley Madison show examples of people alleging false accounts made under their names.
Complaints made against Ashley Madison show how difficult it is to know which names leaked this week were actual customers.
Allegations filed with the U.S. Federal Trade Commission include one from a man whose 12-year-old daughter’s email was used to create an account, and another from a woman who was on maternity leave when someone used her work email account to register with the Toronto-based adultery website.
Although small in number, the 59 complaints made since 2009 call into question how many of the site’s 39 million registered users are actually the people whose email addresses were used to set up accounts.
“Often when you have numerous complaints saying the same thing, where there’s smoke, there’s fire,” said Woodrow Hartzog, a professor at Samford University’s Cumberland School of Law.
Ashley Madison declined to comment on specific complaints, but instead reiterated its commitment to its clients and denounced the attack.
The dating site was hacked in July and personal information from its customers was leaked on Monday, including email addresses, credit card numbers and sexual preferences.
But in complaints against the company obtained by the Star using the American Freedom of Information Act, some people said they discovered fake accounts had been created in their names.
The site does not require customers to verify their email addresses, so it is possible to attribute an account to another person’s email address.
“I think if you’re going to take people’s emails, there ought to be some sort of verification process,” said John Simpson, the privacy project director for Consumer Watchdog, an American nonpartisan interest group.
In other cases, customers complained they were charged for sending messages to fake accounts.
The complaints have “not necessarily been verified,” the FTC said in a statement, and all the data obtained by the Star occurred before the initial security breach.
The complainants’ names were redacted in the FTC documents.
“Regardless of the nature of the content, our customers, this company, and its employees are all exercising their legal and individual rights, and all deserve the ability to do so unhindered by outside interference, vigilantism, selective moralizing and judgment. The individual or individuals who are responsible for this straightforward case of theft should be held accountable to the fullest extent of international law,” the company said in a statement.
“As for the operations of Avid Life Media, we continue to devote significant resources to our security protocols and systems and we continue to support our customers around the world.”
Some people complained to the FTC that an account was created for them without their permission. They learned about it when they received emails from Ashley Madison itself. When they tried to delete their accounts, they were asked to pay $19 for a full delete.
“I do not see how they can attempt to charge me to delete a fraudulent account,” wrote one complainant in June 2014.
The paid delete offered by Ashley Madison was cited by the group that has claimed responsibility for the attack as one of the primary reasons for stealing the data. Avid Life Media says it always offered a free option, and the paid delete was only for those who wanted to remove all messages sent to other Ashley Madison members.
“As our customers’ privacy is of the utmost concern to us, we are now offering our full-delete option free to any member,” the company said in a statement.
In Feb. 2011, a father wrote to the FTC to complain that somebody had created a fake account for his 12-year-old daughter.
“I have 80-90 emails (including headers) of men seeking to have an affair with her,” he wrote. “I have no way of knowing what was really shown and posted about her.”
Although the account was removed, the father wrote that Ashley Madison would not tell him how it was created, or by whom.
In another complaint, a woman said she was alerted to the fact that she had an account when a man called her for a date. The account had been set up with her work email, she said, and when he messaged her, he received an out-of-office signature with identifying details, which he used to find her home number.
Because she had been on maternity leave, the woman said she hadn’t checked her email for awhile. When she logged on, she found her account flooded with messages from men wanting to hook up.
“I’m very concerned since I’m currently home with two infants, and now these men in the area have my work information and my personal home information and are soliciting me at my home and place of work,” she wrote to the FTC in January 2009.
“Luckily, my husband is understanding and he trusts that I was not looking to have an affair,” she wrote. “I want to find out who did this, or if it was just a random act from a hacker.”
Others complained fake accounts on the website tricked customers into paying for messages. Although starting a profile on Ashley Madison is free, the site is “pay for play,” meaning that customers pay to send messages to one another and send pictures.
One irate customer complained the company was “astroturfing,” a practice whereby companies hire people to engage in online communities as genuine users. The customer said he kept on receiving “winks” from people he believed were members. When he replied, he was charged for the message. But after this happened several times, he concluded the accounts were likely fake.
“I’m afraid Ashley Madison has been getting away with murder this whole time, due to the fact they know they cater to cheating husbands, and have them between a rock and a hard place. They are worried that if they ruffle feathers, they will be exposed as cheaters,” the customer wrote in September 2010.
Ashley Madison has denied allegations that it uses fake accounts to pad its database in the past.
“There seems to be numerous bogus people to contact and as such, everyone who contacts these bogus profiles will basically be milked $5 at a time,” the customer wrote in Dec. 2009.