Ashley Madison users still reeling from the recent hack that revealed their philandering ways to the world probably assumed things couldn't get much worse. They have. Hacking group CynoSure Prime has uncovered serious flaws in the Ashley Madison password security algorithms that allowed them to crack more than 11 million user passwords.
An analysis of the security flaw on CynoSure Prime's blog shows that Ashley Madison implemented a strong password hashing scheme (bcrypt) on June 14, 2012. However, they never took the step of migrating accounts created before that date to the new scheme. Instead, those account passwords remained stored as far weaker MD5 hashes, making cracking those passwords a relatively trivial exercise. By leveraging this flaw, CynoSure Prime claims they were able to successfully crack 11.7 million passwords out of the total list of 36 million accounts.
With this new password revelation, anyone now has the ability to access Ashley Madison accounts and discover the intimate details of that user's activities on the site. And, since many people reuse passwords across various sites—email, bank accounts, social media—those users will now be exposed to identity theft, as well.
This vulnerability only affects accounts created before June 14, 2012. Anyone who created an account before this date should immediately change their password on the Ashley Madison site and on any other sites where they used the same or a similar password.
Even without taking advantage of this recent password vulnerability, a significant number of Ashley Madison users are demonstrating very poor password practices. According to CynoSure Prime, 630,000 Ashley Madison accounts use their username as their password. And a review of the top 100 most commonly used passwords, provided to us by CynoSure, shows extensive use of common passwords such as "123456" and the ever popular "password". Not surprisingly, many of the top 100 also fall within the "Not Safe For Work" category.
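The two failures the article describes, legacy accounts left on unsalted MD5 after the bcrypt cut-over and users choosing their username or a top-100 password, are both things a service can catch in code. The following is an added example, not code from the article or from Ashley Madison: a small user store whose records carry a scheme prefix, a login routine that verifies legacy MD5 records and transparently rehashes them the moment a correct password is seen (the only time the plaintext is available), an audit that lists accounts still on the legacy scheme, a password-policy check, and a rough measurement of how much more work per guess the slow hash costs an attacker. The standard library has no bcrypt, so pbkdf2_hmac stands in for it here (an assumption); the store contents and the common-password list are constructed samples.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, List, Optional, Tuple

# Record formats in the constructed store (assumed, not Ashley Madison's):
#   legacy:  "md5$<hex digest>"                       (unsalted, fast)
#   modern:  "pbkdf2$<iterations>$<salt hex>$<dk hex>" (salted, slow; stand-in for bcrypt)
ITERATIONS = 200_000


def legacy_md5_hash(password: str) -> str:
    """How a pre-cut-over record looks: one unsalted MD5 over the password."""
    return "md5$" + hashlib.md5(password.encode()).hexdigest()


def modern_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256 standing in for bcrypt)."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(stored: str, password: str) -> bool:
    """Check a password against either record format, in constant time."""
    scheme, _, rest = stored.partition("$")
    if scheme == "md5":
        return hmac.compare_digest(rest, hashlib.md5(password.encode()).hexdigest())
    if scheme == "pbkdf2":
        iters, salt_hex, dk_hex = rest.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    raise ValueError(f"unknown hash scheme: {scheme}")


def login(store: Dict[str, str], username: str, password: str) -> bool:
    """Authenticate and, on success, upgrade a legacy record in place."""
    stored = store.get(username)
    if stored is None or not verify(stored, password):
        return False
    # The migration Ashley Madison skipped: once the correct plaintext is
    # seen at login, rehash it under the strong scheme and drop the MD5 copy.
    if stored.startswith("md5$"):
        store[username] = modern_hash(password)
    return True


def audit_legacy(store: Dict[str, str]) -> List[str]:
    """Usernames whose password is still stored as an unsalted MD5 hash."""
    return sorted(u for u, h in store.items() if h.startswith("md5$"))


# Constructed sample of a common-password list (the real top-100 is far longer).
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "abc123"}


def password_policy_ok(username: str, password: str) -> Tuple[bool, str]:
    """Reject the two weak choices the article counts: username-as-password
    and entries from the common-password list; also enforce a length floor."""
    if password.lower() == username.lower():
        return False, "password equals username"
    if password.lower() in COMMON_PASSWORDS:
        return False, "password is on the common-password list"
    if len(password) < 12:
        return False, "password shorter than 12 characters"
    return True, "ok"


def work_factor_ratio(samples: int = 3) -> float:
    """Approximate cost of one PBKDF2 guess relative to one MD5 guess.
    This ratio is what separates a trivial offline crack from an expensive one."""
    salt = b"\x00" * 16
    t0 = time.perf_counter()
    for _ in range(samples * 1000):
        hashlib.md5(b"guess").hexdigest()
    md5_per_guess = (time.perf_counter() - t0) / (samples * 1000)
    t0 = time.perf_counter()
    for _ in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"guess", salt, ITERATIONS)
    slow_per_guess = (time.perf_counter() - t0) / samples
    return slow_per_guess / md5_per_guess


def demo_store() -> Dict[str, str]:
    """Constructed store: one pre-cut-over account, one created after it."""
    return {
        "alice": legacy_md5_hash("123456"),
        "bob": modern_hash("correct horse battery staple"),
    }


if __name__ == "__main__":
    store = demo_store()
    print("legacy accounts before login:", audit_legacy(store))
    print("alice login:", login(store, "alice", "123456"))
    print("legacy accounts after login:", audit_legacy(store))
    print("policy for username-as-password:", password_policy_ok("dave", "dave"))
    print("slow-hash guesses cost roughly %.0fx an MD5 guess" % work_factor_ratio())
```

Login-time rehashing only reaches accounts that sign in again, which is why `audit_legacy` matters: a service that adopts a new scheme should track the legacy remainder and force a reset for accounts that never return, rather than leave them on the old hash indefinitely.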
Ashley Madison Scam
From Ralph Warren on September 14, 2015 :: 4:49 pm
They were testing to breach credit cards as a scam before they ever invaded Ashley Madison. I got an email today trying to extort monies from me, which is definitely a RUSSIAN scam. My credit card was rescinded earlier this year when the credit card company found this. I am sure they were TESTING like someone buying at a local Mac's before doing a big scam.