The bad news just keeps coming for Ashley Madison users -- now a new report indicates encryption methods were just plain bad at the site.
For the men who had their passwords on AshleyMadison.com cracked by a research group recently, you can rest easy: CynoSure Prime won’t be releasing them. But perhaps even more alarming is just how easily they did it.
The first breach of Ashley Madison happened back in August when loads of user data was released, embarrassingly revealing that virtually all of the users were men and many of the relatively few female accounts were actually most likely fake. But many thought at least the passwords were stored in a secure way. However, CynoSure Prime’s recent hack proves that’s not the case, according to a Slate report.
The team posted an explanation of how it cracked 11.2 million of the 36 million leaked password hashes, and the results were interesting. They didn’t use a brute force approach, which would have taken years against properly hashed passwords, so they looked for loopholes in the site’s leaked source code instead.
They found that Ashley Madison had hashed and stored many of its passwords with the bcrypt password-hashing function, but 15.26 million passwords — nearly half of them — were hashed with the convenient but far faster, and therefore far more crackable, MD5 algorithm. In other words, the site just got lazy with security, it appears.
The researchers took the efficient approach of attacking the MD5 tokens, and it was a resounding success for them: they were able to crack 11.2 million passwords, and they believe they could get the rest of them too.
Essentially, Ashley Madison appears to have taken a shortcut to make it easier to deal with its massive library of passwords, but in order to do that they had to sacrifice security. The CynoSure Prime team was able to crack the passwords in a matter of days.
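As an added illustration (not code from the report or from the site), the Python below shows the two things a defender takes from this story: why a fast, unsalted MD5 hash is so much cheaper to guess against than a slow one, and how a site can retire such legacy hashes by re-hashing each account with a salted, iterated scheme at the user's next successful login. PBKDF2-HMAC-SHA256 stands in for bcrypt so it runs on the standard library alone; the iteration count, hash formats and sample accounts are assumptions.

```python
import hashlib, hmac, os, re, time

MD5_HEX = re.compile(r"^[0-9a-f]{32}$")  # legacy unsalted MD5: bare 32 hex chars
PBKDF2_ITERS = 100_000  # assumed work factor; PBKDF2 stands in for bcrypt (stdlib only)

def legacy_md5(password: str) -> str:
    """The 'convenient' scheme: no salt, no work factor, one digest per guess."""
    return hashlib.md5(password.encode()).hexdigest()

def slow_hash(password: str, salt: bytes = b"") -> str:
    """Salted, iterated hash stored in a self-describing 'pbkdf2$salt$dk' form."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)
    return f"pbkdf2${salt.hex()}${dk.hex()}"

def verify(stored: str, password: str) -> bool:
    """Accept either format so existing users can still log in during migration."""
    if MD5_HEX.match(stored):
        return hmac.compare_digest(legacy_md5(password), stored)
    _, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ITERS)
    return hmac.compare_digest(dk.hex(), dk_hex)

def audit(table: dict) -> list:
    """Accounts whose stored hash is still the fast legacy format."""
    return [user for user, h in table.items() if MD5_HEX.match(h)]

def login(table: dict, user: str, password: str) -> bool:
    """Check the password; on success, re-hash a legacy entry with the slow scheme."""
    stored = table[user]
    if not verify(stored, password):
        return False
    if MD5_HEX.match(stored):
        table[user] = slow_hash(password)  # the only moment the plaintext is available
    return True

def guesses_per_second(hash_fn, budget: float = 0.2) -> float:
    """Candidate passwords per second hash_fn can process on this machine."""
    count, start = 0, time.perf_counter()
    while time.perf_counter() - start < budget:
        hash_fn(f"candidate{count}")
        count += 1
    return count / (time.perf_counter() - start)

def cost_ratio() -> float:
    """How many times cheaper each guess is against MD5 than against the slow hash."""
    fast = guesses_per_second(legacy_md5)
    slow = guesses_per_second(lambda p: slow_hash(p, b"fixed-salt-for-benchmark"))
    return fast / slow
```

Running `audit()` over a user table before and after a few logins shows the legacy population shrinking without ever needing the plaintexts up front, which is the migration the site could have done instead of keeping half its hashes in MD5.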