Millions of Ashley Madison passwords cracked

The fallout from the Ashley Madison hack continues. After the passwords of millions of users were stolen in a huge security breach, the encrypted database has now been cracked. A cracking group called CynoSure Prime eschewed a time-consuming brute force approach to breaking into the database, and instead exploited information revealed by a change the infidelity site made to the way it stored data.

This change effectively rendered pointless the bcrypt encryption that had been used to protect data. It was possible to dramatically speed up the cracking process so data was accessible in a matter of days rather than years. So should users of Ashley Madison be worried?

Although CynoSure Prime has said that it will not be releasing the passwords and account details that it managed to gain access to, the detailed instructions the group has published means that it would be fairly simple for another group to replicate the work. Keep in mind that many people use the same login credentials for a number of sites and services, and the ramifications of leaking millions of passwords are huge.

In a blog post, the cracking group goes into some detail explaining how it managed to gain access to the encrypted passwords, but starts off with a quick overview:

Not long after the release of the Ashley Madison leaks, many groups and individuals attempted to crack the bcrypt hashes. Since the developers used a cost factor of 12 for the bcrypt hash, this made the process an extremely compute intensive task. We decided to take a different approach and made some rather interesting discoveries.

Without much information about the $loginkey variable and how it was generated, we decided to dive into the second leak of git dumps. We identified two functions of interest and upon closer inspection, discovered that we could exploit these functions as helpers in accelerating the cracking of the bcrypt hashes.

For those without knowledge of database encryption, it might be difficult to make sense of the more detailed description provided by CynoSure Prime, but over on ArsTechnica, Dan Goodwin does an excellent job of explaining things:

The source code led to an astounding discovery: included in the same database of formidable bcrypt hashes was a subset of 15.26 million passwords obscured using MD5, a hashing algorithm that was designed for speed and efficiency rather than slowing down crackers.

It seems that coders for Ashely Madison took steps to try to speed up the site and login process for users, but this decision turned out to be a massive security risk.

Photo credit: Maksim Kabakou / Shutterstock