The owner of hacked infidelity website Ashley Madison will pay US$1.66 million (A$2.2 million) to settle an investigation by the US Federal Trade Commission and several US states into lax data security and deceptive practices.
The remainder of a US$17.5 million (A$24 million) settlement was suspended based on privately-held Ruby Corp's inability to pay, the office of New York attorney general Eric T. Schneiderman said in a statement.
The company first disclosed it was the target of an FTC investigation in July.
The agreement follows investigations by the FTC, 13 states and the District of Columbia, which found the company had lax security practices in place at the time of the July 2015 breach, which exposed the personal details of millions of people who signed up for the site.
The Federal Trade Commission, which was lead on the case, said the company failed to protect 36 million user accounts while advertising that the cheating site was secure.
"This case represents one of the largest data breaches that the FTC has investigated to date," FTC chairwoman Edith Ramirez said.
"The global settlement requires AshleyMadison.com to implement a range of more robust data security practices that will better protect its users' personal information from criminal hackers."
The investigation also found that Ruby, as the company previously known as Avid Life Media has rebranded itself, created fake female profiles to lure men into paying for conversations and retained user information even after customers had paid for a service to "remove all traces of your usage."
A spokeswoman said Ruby, which neither admitted nor denied the allegations, has committed to maintain a comprehensive information security program and not repeat prior, potentially misleading, practices.
The company has offered a free delete function since September 2015, when it discontinued the paid feature.
A prior joint investigation by privacy commissioners in Canada and Australia said Ashley Madison had violated the privacy laws of both countries.
Avid shut down the fake profiles in the United States, Canada and Australia in 2014 and by late 2015 in the rest of the world, but some US users had message exchanges with foreign fembots until late in 2015, according to an Ernst & Young report commissioned by the company.