A group of crackers known as CynoSure Prime claim to have cracked millions of leaked Ashley Madison passwords after the group's analysis uncovered a flaw in the way the passwords were protected, which has reportedly allowed them to unmask 11 million passwords thus far, Ars Technica's Dan Goodin reported on Thursday.
The Ashley Madison hackers, who are presently unidentified, released a nearly 100 gigabyte trove of data stolen from the adult website for cheaters. It was from this trove of hacked data that the hobbyist crackers CynoSure Prime derived the hashed passwords, which were supposedly protected with bcrypt. However, as it turns out, the 16 crypto-enthusiasts discovered a flaw in the implementation of the cryptographic function which has proven exploitable.
The problem, according to the researchers, resides in the cheating website's use of the $loginkey MD5 variable. Unlike bcrypt, which is deliberately slow to compute so that guessing passwords is expensive, MD5 is a fast general-purpose hash and is insecure for protecting passwords, which is why the crackers decided to focus their efforts on the MD5 tokens instead of the bcrypt hashes, The Register reported.
Goodin quoted the group of crackers as having stated in a Thursday morning blog post that not one but "two insecure methods of $loginkey generation observed in two different functions" resulted in "enormous speed boosts" to their cracking efforts.
Through the two insecure methods of $loginkey generation observed in two different functions, we were able to gain enormous speed boosts in cracking the bcrypt hashed passwords (…) Instead of cracking the slow bcrypt$12$ hashes which is the hot topic at the moment, we took a more efficient approach and simply attacked the MD5 … tokens instead.
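The design weakness described above, as an added example that is not part of the article or of the crackers' post: a slow password hash loses its value when a fast MD5 token derived from the password is stored beside it. The exact $loginkey derivation is not given here, so the weak variant only assumes MD5 over guessable, password-derived input; hashlib.pbkdf2_hmac stands in for bcrypt, and all records and the wordlist are constructed.

```python
import hashlib
import secrets

# Constructed records: a slow password hash (hashlib.pbkdf2_hmac stands in for
# bcrypt, which is not in the standard library) stored next to a "loginkey" token.
# The article does not give the exact $loginkey derivation; the weak variant below
# only assumes it is a fast MD5 hash of guessable, password-derived material.
SLOW_ROUNDS = 100_000

def slow_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, SLOW_ROUNDS)

def weak_loginkey(username: str, password: str) -> str:
    # Fast, unsalted and computable from guessable inputs: anyone holding the dump
    # can test candidates against it at MD5 speed, bypassing the slow hash entirely.
    return hashlib.md5((username + password).encode()).hexdigest()

def safe_loginkey() -> str:
    # Independent of the password: a random per-session token reveals nothing
    # about the credential even if the user table leaks.
    return secrets.token_hex(16)

def audit_loginkey(username: str, loginkey: str, wordlist: list[str]):
    """Defender-side check: can this leaked loginkey be matched against a wordlist
    using only fast hashes? Returns (matched_password_or_None, md5_calls_used)."""
    for calls, candidate in enumerate(wordlist, 1):
        if weak_loginkey(username, candidate) == loginkey:
            return candidate, calls
    return None, len(wordlist)

def slow_verify(password: str, salt: bytes, stored: bytes) -> bool:
    return secrets.compare_digest(slow_hash(password, salt), stored)

# Constructed sample: the two most common passwords the article cites head the list.
WORDLIST = ["password", "123456", "qwerty", "letmein", "hunter2"]
SALT = b"constructed-salt"
USER = "alice"
WEAK_RECORD = {"hash": slow_hash("123456", SALT), "loginkey": weak_loginkey(USER, "123456")}
SAFE_RECORD = {"hash": slow_hash("123456", SALT), "loginkey": safe_loginkey()}

if __name__ == "__main__":
    guess, md5_calls = audit_loginkey(USER, WEAK_RECORD["loginkey"], WORDLIST)
    # The weak token yields the password after a few MD5 calls; a single slow
    # hash then confirms it, instead of one slow hash per wordlist candidate.
    print(guess, md5_calls, slow_verify(guess, SALT, WEAK_RECORD["hash"]))
    # The random token gives the auditor nothing to match against.
    print(audit_loginkey(USER, SAFE_RECORD["loginkey"], WORDLIST))
```

The mitigation is in the record design, not the wordlist: a session token must not be a deterministic function of the password, or the strength of the slow hash is irrelevant.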
In order to protect end users, the team of crackers behind the breakthrough has indicated that it is not releasing any of the plaintext passwords recovered. But on the other hand, the group has decided to disclose all of the information necessary in order for others to replicate their recovery efforts.
Antivirus company Avast has also taken a stab at cracking the dumped passwords, and its previously reported findings indicated that the cheating website's users weren't always the most security-minded individuals when it came to selecting their passwords. Having ranked the most commonly used bad passwords in order of frequency, with the most used at the top of the list, the company's research indicates that "123456" and "password" were the first and second most common passwords used.