By Jim Armstrong, WBZ-TV

BOSTON (CBS) – For a website that prides itself on secrecy and anonymity, a breach like this can be catastrophic. The site’s subscribers pay to have access to other married people looking to have affairs. They all, presumably, felt that their private information was safe.

“The quick answer is: not that safe,” says Dr. Michael Sulmeyer, the director of the Cyber Security Initiative at Harvard’s John F. Kennedy School of Government’s Belfer Center.

He says Ashley Madison’s clients know now the truth of the web: everything is hackable.

“Largely, you should not have an expectation of ultimate security and privacy,” Sulmeyer explains. “And operate with the understanding that things can go wrong despite all promises to the contrary.”

The group believed to be responsible for the hack claims to have stolen private information from all 37 million Ashley Madison users. On Tuesday the personal details of two subscribers leaked. One man is from Canada – the other from Brockton.

What was revealed is intensely personal. Among the data released about the Brockton client of Ashley Madison: His user ID is “Heavy73”; he listed himself as “married/attached”; he joined the site the day after Valentine’s Day, 2014; he likes “cuddling & hugging” and is into “discretion & secrecy”.

Sulmeyer says highly motivated hackers can be determined to get into sites like this, looking for intimate, even embarrassing, details.

On any such site, he says, users can and should change their passwords often.

“Even with that you should not believe that you have total privacy. And if you are really one who wants total privacy then you should not probably be getting on websites like this,” Sulmeyer says.

The hackers are demanding that the whole website be taken down or else they will release all the names and private data they have.