Flash Flood Watch issued July 21 at 2:52AM MDT expiring July 22 at 12:00AM MDT in effect for: Archuleta, Delta, Dolores, Eagle, Garfield, Gunnison, Hinsdale, La Plata, Mesa, Moffat, Montezuma, Montrose, Ouray, Pitkin, Rio Blanco, Routt, San Juan, San Miguel
DENVER - When you use the Ashley Madison website to cheat on your spouse, that’s your business, but when the logins are based on city, state and school district email addresses, it becomes our business.
Hackers stole data from the Ashley Madison website and threatened to reveal personal user information if the company did not shut down the site. Those hackers released the information of 32 million users earlier in the week.
Metropolitan State University Computer Science Professor Steve Beaty scoured the data and found accounts created with email addresses ending in “co.us,” meaning they were emails issued by Colorado taxpayer-funded entities.
“The largest number were from the generic ‘state.co.us,’,” said Beaty. “Number two was the Jefferson County School District,” he added.
In a review of the data that dates back seven years, Beaty found 10 email addresses connected to “state.co.us,” which could be any state employee. There were also other state suffixes, such as “dot.state.co.us” –- which refers to an old Department of Transportation address, and “doc.state.co.us” -- which refers to an old Department of Corrections email address.
After reviewing the data more closely, we found "cherrycreekschools.org" was referenced in 11 email logins. There were also multiple school districts including Aurora, Alamosa and La Junta.
‘The interesting thing about the Colorado ones, to me, is that people shouldn’t be spending state dollars on personal business,” said Beaty. “I guess I would be somewhat less concerned if they were using it from home -- using their state email address -- than if they were sitting at their desk that I bought and using the computer that I bought, that we all bought.”
Just because a state-issued email address was used to login, does not prove the site was ever visited using state equipment. However, the data did include user login times and IP addresses.
“It is a concern that the state might not be monitoring to the degree that they are capable of, what their employees are doing on their networks,” said Beaty. “I’m more concerned with what happens next. What does the state do to address our concerns as taxpayers?” What do we do, as a society, for the people whose names are on these lists?”
Beaty also said there were 12,000 ‘.mil’ addresses, meaning they are linked to military email addresses.
“First name, last name, street address, city, zip. We have their latitude and longitude, especially if they’ve used the app on their phone,” said Beaty. “There’s much more interesting things to blackmail the military out of than there is the typical person.”
And Beaty is concerned this data will be used to blackmail people, even though there’s no hiding the information that is now out in the public.
“People should be on their guard for emails that will say, ‘send us $50 and we will take you out of the databases,’ said Beaty. “This is an invasion of privacy in my opinion. This is what we call, 'Hacktivism'.”
To see if your email address login information has ever been compromised in a hack, you can visit this site and type in your email address and see if it’s been compromised. If you go to the site to check your email against the Ashley Madison hack, it will require you to verify your email address, so that you’re not searching anyone else’s email on Ashley Madison.