It was the 20th of August when I downloaded the hacked Ashley Madison database. It wasn't long before I found an account that seemed to belong to Hamza Andreas Tzortzis. I contacted the email address registered against the account, sending my name + mobile number and asked the owner to call me, but received no reply.
The next day (Friday) I emailed Hamza on his iERA email address and informed him of what I had found. From the very start Hamza wouldn't believe me. He insisted I was playing a joke on him, and only started to take me seriously once I had revealed the last four digits of his credit card. From the outset Hamza has denied responsibility for signing up this account, and from the beginning I have told him I do not believe him but would continue to look at the data to see what I could find out. I suggested he should make a public statement explaining what I had found before someone else finds the same information and exposes him. From there a lot has been reported by the press, some of which I found a little misleading, and so I have decided to write this blog explaining what is and is not known about the whole affair.
Credit card informationThe person who opened the account used a credit card registered to Andreas Tzortzis. To achieve this they would need to know his real name (readily available), home address (readily available at CompaniesHouse), his full credit card number, card expiry date, and the 3 digit security number on the back of the card. In addition to this it is possible the card issuer would have demanded confirmation this was not fraud by requesting the user enter Hamza's online banking password; this is a pretty standard security feature when using your card in an unexpected way or from an unusual location (the transaction was executed from Australia).
The first payment of £54 was issued to the site on the 22nd of October 2014. This would have been the initial membership fee. There were eight subsequence charges for £15 each taken on approximately the same date of each subsequent month, totalling £174 over 9 months.
From this payment information it is possible to assertain the following additional information. 1] The membership number of the account (99904794). 2] The email address used to sign up to the site (A_Tzortzis@yahoo.com). 3] The IP address from which the payment was made (22.214.171.124).
Again, the email address is public information. It is possible that Hamza doesn't check this email address often (or at all), it is very likely an old email address as it does not include any indication of his chosen Muslim name "Hamza". However, Hamza certainly has used this email address since becoming a Muslim, for example, a quick Google search reveals content associated with this address from around 2008...but (it seems) nothing recently.
The interesting data here is the IP address. A quick IP -> Geo Location lookup shows it is in Australia. Hamza's public statement on FaceBook (now deleted) stated that £54 had been charged to his card while he was in Australia, and concluded that is where the account was opened from. The server time given for the account creation is 10:09 am, and the last time the account was modified was the same day at 11:43 am. As I don't know the time zone of the server I cannot check what time it would have been in Australia. This information could prove useful if anyone can answer.
The profile(Table name: am_am_member)
The profile for 99904794 lists the area in which the account owner can be found for sex as London N16 7TN. The map co-ordinates are 51.5543658, -0.073289 which, according to Google Maps, is Somerford Grove, London, N16 7TN. A check on the free electoral role website reveals Hamza's parents live on that street.
The profile lists Hamza's correct date of birth (21st of September 1980) but again this information is readily available. The profile caption read "Compassionate male seeks friendship" and the summary "I long for a sincere friendship with the ability to connect physically and mentally. I would consider myself compassionate, and someone who thinks a lot.". The profile lists Hamza as weighing 88452 grammes (13st 13lbs or 195lb) which I cannot verify. It lists his height as 178cm (5' 10"), which again I cannot verify but seems about right.
(Table name: aminno_member)
Searching by signup date, signup IP there is a single row matching the account information above. This reveals a profile number of 29425606. The alias for the website is set to AndrewT14, most likely a play on Andreas T, but I don't know for certain what the 14 represents. The date of birth is the same in this table too, as expected. At the time of the hack this profile had no public photos and no private photos associated with it, so a subsequent release of hacked photos will probably not reveal anything (unless some were uploaded then removed, and the server does not physically delete the image files).
There are some dates indicating the last time certain events occurred that are empty, suggesting the account was not used to email anyone and the user didn't chat with anyone.
Mailing options & user activity(Table name: amminno_member_email - I will use Y/N instead of 1/0 as per the data)
email@example.com, isvalid=Y, optin=Y, notify_newmail=Y, notify_newmember=Y, notify_login=Y, notify_offer=Y
From the developer comments associated with each of these fields it would seem that an email would be sent if there was a special offer, if contacted by another user, or if someone in the account owner's favourites list logged into the website. I cannot say whether any special offers were emailed out to accounts already paid in full or not, or if anyone nearby matching the criteria had signed up resulting in an email being sent, but if the system was working correctly and the dates in aminno_member were being updated then the data suggests no contact was made with anyone as there are no valid date/times set against the fields bc_mail_last_time, bc_chat_last_time, or reply_mail_last_time.
ObservationsFor this account to have been set up by anyone other than Andreas (Hamza) the account creator would need access to some publicly available information (date of birth, address etc). They would need to put in extra work to find his parent's address. My intuition says a frauster would use the same address that had already been entered during the billing stage. To use an address 1 hour drive away from Andreas's home suggests the account creator was trying to disassociate the account from him rather than bring attention to it. A malicious person probably would be more likely to use account details easily associated with Andreas so that the profile would be discovered. The same goes for the profile name, similar enough to his real name for Andreas to remember, but dissimilar enough to not associate it with him directly. Obviously there was no way this person knew the AshleyMadison.com database would be made public, so it is reasonable to assume this is information hiding rather than exposure.
This person would also require full access to information on both sides of his credit card (16 digit number, expiry date, 3 digit security code on the back) and to have been in Australia at the same time as Andreas in order to sign him up and make it look like he had done it himself.
They would really have had to have done some research to get his weight and height correct, or approximately correct. This high level of detail seems to have the purpose of accurately portraying one's self to attract a partner rather than to mislead the public into identifying Andreas as the account holder.
I can easily accept that Andreas's Yahoo email account is not checked any more. I can confirm that my attempt to contact Andreas via that email address was not successful, whereas an email to his iera account the next day received an immediate response. I have old email accounts I can no longer even access. I can also accept he did not notice the payments coming out of his account via his card. Personally I never check my card statements, I don't even look at my bank statements to see how much is being paid to my card account.
ClarificationsThe website does not require you to click a confirm link in an email in order to get into the website. I have tried it myself, my profile name is DirtyJanet if you'd like to look me up ;-)
The flag in the database "isvalid" marked against an email address is stored against the user's emailing preferences. In my experience, flags to indicate the user has confirmed their email address via an email link are typically stored against an account table with a name like "Verified", and not in an email campaign preferences table as found in this database. The presence of a 1 (yes) against this flag on this account does not suggest a link in an email was clicked to activate the account.
An email address can be considered "valid" if it meets the Internet standard on structure. ThisEmailDoesNot@ExistInRealLifeBecauseIJustMadeItUp.com is a valid email address, it just doesn't exist. It isn't uncommon for email campaign scripts to assume an email address is valid and exists and then mark it as defunct when "does not exist" email responses come back.
To me the idea this flag is an email-bounce flag is the most plausible. If the flag were set to zero by default and only marked 1 when the user followed a link in an email then the system would have to send emails to people with emails marked as isvalid=0 in order for them to become marked as valid. I hope you'll agree, sending emails to people with addresses marked as invalid makes the whole purpose of the flag redundant. The expert in this article might be an expert in data analysis but that doesn't make him an expert on the writing of software. I've been employed writing business software for about 19 years now, and I disagree.
This isn't an important point in so far as Andreas not seeing emails to an old account, but I think it is beyond doubt that it has been demonstrated the person signing up did not also require access to the yahoo.com email account.
UPDATE (27 Aug 2015): I am currently looking at the schema and can confirm the default value for isvalid is in fact a 1, so my original conclusion was correct.
UPDATE (31 Mar 2016): After the libellous statements made against me by Dawah Man on Facebook regarding this issue I decided to re-read this article through. Regarding the information used from Andreas's credit card: obviously this would be very difficult for someone to obtain, unless of course it was a company credit card in his name, in which case a small number of people within iERA could have had access to that information. This would mean that it is possible someone who works for iERA, accompanied Hamza to Australia, and stayed in the same hotel chain could be responsible.
The third hypothesisI find it a little annoying that the alternative to Andreas signing up is presented as someone else doing it and then hacking the website to expose him, and nothing else is considered. It would be possible that someone would sign up an account not identifiable as Andreas in the hope that at some point in the future the monthly £15 debit would be spotted by his wife and cause suspicions that could damage his marriage. Meaning that the hack was unexpected, and the only reason we got to find out about it. I don't subscribe to this hypothesis at all, I just wanted to put forward a more balanced article and point out the stupidity of some scenarios being proposed as the only alternative.
ConclusionI strongly suspect that while in Australia Andreas decided to have a look around on the web and found this website. He signed up using an old email address he knew wouldn't be checked, entered his credit card details, and then spent the next 94 minutes looking around the website before giving up. He probably then forgot all about it and, because he doesn't check his old email or his card statements, had no idea this website was still taking £15 per month off him for a service he wasn't using.
The profile on the site is now marked as Unavailable. If there is a flag in the database indicating this state then it will be possible to determine whether it was hidden after the exposure or before. If before then it supports the above hypothesis that the account was only used for 93 minutes (assuming that hiding a profile will update the column in the DB recording when the profile was last updated). Frankly, I've had enough of looking through the DB so that can be an exercise for someone else.
I expect at some point he will give up the excuse he came up with while panicking and confess that he looked but did not touch, and then never went back. I seriously doubt this will hurt his career, only Allah can judge him after all, and it's not as if it is an offence that carries a death sentence.