In a significant development with the Ashley Madison breach saga, a Californian password cracking hobbyist group have already deciphered 11 million ‘unbreakable’ passwords in a week’s time, due to programming errors by Ashley Madison.
In what could lead to a fallout of widespread hacking of all Ashley Madison users who use the same password for other online accounts and services, a password cracking group has uncovered 15 million of the 36 million passwords leaked during the breach to be crackable. Programming errors are the reason for the significant vulnerability, reports ThreatPost.
What was one deemed as ‘bulletproof’, Ashley Madison user passwords were cryptographically protected by ‘bcrypt’ – an algorithm that is notoriously slow and demanding of massive computing resources that it would take centuries to crack 36 million passwords from the breached data.
Related Article: Online Dating Site Ashley Madison Hacked
However, a group of San Diego based crackers have discovered significant programming flaws that render more than 15 million of the 36 million passwords easy to crack.
The vulnerability comes from an error when the plaintext account password is sent through MD5 with the variable $loginkey. The variable may have been set up to help users with automatic login, speculate the password cracking group.
These blunders are so significant that the password cracking group have successfully deciphered over 11 million passwords in a little over a week. The group estimates the remaining 4 million passwords to be cracked in the coming week.
The Password Cracking Outfit
CynoSure Prime, a group of hobbyist password crackers, made an announcement on Thursday morning via a tweet that it had found new weaknesses in ‘tokens’ found in the second round of dumps of the breached data.
They discovered a cache of 15.26 million logic tokens hashed with MD5, an algorithm notoriously vulnerable to multiple cryptographic weaknesses and chose to target those.
“Instead of cracking the slow bcrypt hashes directly, which is the hot topic at the moment, we took a more efficient approach and simply attacked the MD5 […] tokens instead.
“Having cracked the token, we simply then had to case correct it against its bcrypt counterpart,” the crackers blogged.
To safeguard the interests and privacy of end-users, the cracking team isn’t releasing any of the plaintext passwords.
A comprehensive account of the cracking methods used by CynoSure can be found here.