If you thought the heartbreak was over for users of hacked extramarital affairs site Ashley Madison, you could be wrong. This morning, researchers announced that they have cracked over 11.2 million user passwords released by hackers last month, which were previously considered to be fairly secure.
"Not long after the release of the Ashley Madison leaks, many groups and individuals attempted to crack the bcrypt hashes," the password cracking group, which calls itself CynoSure Prime, wrote in a blog post early Thursday. Bcrypt is the hashing algorithm used to protect the passwords of Ashley Madison users, and is stronger than some more common variants.
Researchers have previously managed to crack a small number of the passwords, but only because they were exceptionally weak in the first place.
But the crackers from CynoSure Prime found another weakness. In the second dump of Ashley Madison data, which included product and site source code, they found that some of the login tokens were handled using MD5, a notoriously weak hashing algorithm.
"Instead of cracking the slow bcrypt hashes directly, which is the hot topic at the moment, we took a more efficient approach and simply attacked the md5 […] tokens instead," CynoSure Prime writes. The result wasn't necessarily the complete password: the output was all in lower case, meaning that the researchers had to then check if any of the letters of the password were supposed to be uppercase. Apparently they were successful.
Users who haven't already changed their password should seriously reconsider.
Not all passwords linked to Ashley Madison's 37 million accounts are easier to crack, as researchers found that the weak MD5 hash was only introduced on 14 June 2012. An Ars Technica report suggests that over 15 million accounts could be affected.
It's not totally clear why some passwords were stored in this fashion, although the researchers speculate that, "The $loginkey variable seemed to be used for automatic login, but we didn't spend much time investigating further." They say this because the variable was created when a user made an account, and was modified when the user changed their username, password, or email address.
Naturally, this means that any Ashley Madison users who haven't already changed their password—perhaps because they didn't feel the need to with the strong protections of bcrypt—should seriously reconsider.
If a customer has used the same login details on another service, such as their email or eBay account, hackers could try to break into that account using the now-cracked Ashley Madison password, along with the other dumped personal information such as their email address.
Avid Life Media, the parent company of Ashley Madison, is already facing several class action lawsuits for negligently handling customer data. Ars Technica described this newly revealed programming flaw made by Ashley Madison as an "epic mistake."