A group of hackers, named CynoSure Prime, revealed more than 11 million of the 36 million users registered on the cheating website Ashley Madison. However, researchers from the website thought it would take centuries before someone were able to crack the data.

According to the team of hackers, the site’s password protections had several programming flaws that allowed them to crack the system, even though the site’s security experts protected user’s passwords with strong cryptography. Up to 11,542,930 passwords have been cracked in eleven days and they still have 3,720,051 tokens left to go.

CynoSure Prime describe themselves as a ‘Password cracking collective’. Image: kelfecil.com

How did they make it?

In software development, obfuscation is the deliberate act of creating “blurred” codes, which are difficult for humans to decode. Hashing, the obfuscation technique used by the cheating website’s programmers, consists of transforming a string of characters into a usually shorter fixed-length value or key that represents the original string.

The programmers used a hashing algorithm called “bcrypt” which apparently made the information difficult to crack. But the team of hackers was very suspicious about its safeness. “We wondered if it had always been this way,” the Cynosure team wrote in its blog post.

After inspecting the computer instructions, the team discovered than more than 15 million Ashley Madison passwords were secured by another hashing algorithm, MD5, which was less safe than the first one. According to the team, the website changed from the MD5 to the bcrypt algorithm on June 14, 2012. “This meant that we could crack accounts created prior to this date.”

While the reasons why Ashley Madison’s programmers had to make the changes are not clear, some think they made it so users could quickly log in to the site.

The methodology the hackers went through to crack the system is explained and detailed in its blog for other people to replicate the results.

No morals and no awareness

Ashley Madison is a website that encourages married users to cheat on their spouses. It charges users a £15 fee to carry out a full delete of their information, although the hackers claimed that they actually do not do that.

Consequently, the group decided to hack the service. After the data were public, users from all over the world started filing multi-million dollar lawsuits against the site.

What it is also disappointing is that users continue to not pay attention to the recommendations made by many pages when choosing their passwords. The hackers revealed the top 100 choices users of Ashley Madison’s site picked. Among the top of them, there are passwords like: 123456, 12345, password, DEFAULT, 123456789, 12345678, abc123.

Source: CynoSure Prime