The Ashley Madison saga still continues. Months ago, a group of hackers released the data of the Canada-based cheating website, but the passwords could not be cracked because they were hashed with bcrypt. But now, according to NYC Today, CynoSure Prime, a group of "technology-oriented individuals," says that it has cracked the passwords of 11 million Ashley Madison users.
According to the news outlet, Ashley Madison utilized a "strong bcrypt algorithm with 4,096 rounds of extremely strong hash function, considered very difficult to decrypt."
A report from The Hoop News says security research group CynoSure Prime succeeded in cracking around 16 million passwords from the 32 million hacked accounts, disclosing 11,542,930 user passwords.
In a blog post, CynoSure Prime revealed how it took a "different approach" to cracking the bcrypt hashes and succeeded.
The group wrote, "Without much information about the $loginkey variable and how it was generated, we decided to dive into the second leak of git dumps. We identified two functions of interest and upon closer inspection, discovered that we could exploit these functions as helpers in accelerating the cracking of the bcrypt hashes."
"Through the two insecure methods of $loginkey generation observed in two different functions, we were able to gain enormous speed boosts in cracking the bcrypt hashed passwords. Instead of cracking the slow bcrypt hashes directly, which is the hot topic at the moment, we took a more efficient approach and simply attacked the md5(lc($username)."::".lc($pass)) and md5(lc($username)."::".lc($pass).":".lc($email).":73@^bhhs&#@&^@8@*$") tokens instead. Having cracked the token, we simply then had to case correct it against its bcrypt counterpart," CynoSure Prime added.
They also noted that the "$loginkey variable" was used for logging in to the site automatically, and was "generated upon user account creation and was re-generated when the user modified their account details including username, password and email address."
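The weakness described above is not in bcrypt itself but in a second, fast token derived from the same password. The following Python example is added here to illustrate that point; it is not code from CynoSure Prime or from the Ashley Madison code base. It rebuilds the two $loginkey constructions quoted in the article, places a hardened alternative (a random token unrelated to the password, an assumption rather than anything the site did) beside them, and quantifies why an MD5 token that leaks the lowercased password leaves bcrypt almost nothing to protect.

```python
import hashlib
import secrets
from typing import Optional

# Static suffix quoted on the page as part of the second $loginkey variant.
STATIC_SUFFIX = ":73@^bhhs&#@&^@8@*$"


def weak_loginkey(username: str, password: str, email: Optional[str] = None) -> str:
    """Password-derived token rebuilt from the two constructions quoted in the article.

    Deterministic, unsalted and built on MD5: anyone holding a leaked token can
    check a password guess with a single fast hash, never touching the bcrypt hash.
    Lowercasing the password before hashing also discards the case information,
    which is the only thing the bcrypt hash is later needed for.
    """
    if email is None:
        material = f"{username.lower()}::{password.lower()}"
    else:
        material = f"{username.lower()}::{password.lower()}:{email.lower()}{STATIC_SUFFIX}"
    return hashlib.md5(material.encode("utf-8")).hexdigest()


def safe_loginkey() -> str:
    """Hardened replacement (an assumption, not the site's code).

    A "remember me" token should be a random value stored server-side and mapped to
    the account, with no mathematical relationship to the password. Leaking it reveals
    nothing about the password, and it can be rotated without touching the bcrypt hash.
    """
    return secrets.token_urlsafe(32)


def token_is_offline_verifiable(token_fn, *args) -> bool:
    """True when the generator is a pure function of its inputs.

    If calling the generator twice with the same inputs yields the same token, a
    holder of a leaked token can confirm a guessed password offline; a random token
    gives no such oracle.
    """
    return token_fn(*args) == token_fn(*args)


def remaining_bcrypt_guesses(lowercased_password: str) -> int:
    """Number of bcrypt evaluations still needed once the lowercased password is known.

    Only the letters' case is unknown, so at most 2**(number of letters) candidates
    remain, which is why the article describes the last step as merely "case
    correcting" the recovered token against the bcrypt hash.
    """
    letters = sum(1 for ch in lowercased_password if ch.isalpha())
    return 2 ** letters


if __name__ == "__main__":
    # Constructed sample credentials, not real account data.
    print("weak token :", weak_loginkey("Alice", "Secret1"))
    print("safe token :", safe_loginkey())
    print("weak offline-verifiable:", token_is_offline_verifiable(weak_loginkey, "Alice", "Secret1"))
    print("safe offline-verifiable:", token_is_offline_verifiable(safe_loginkey))
    print("bcrypt work left after token recovery:", remaining_bcrypt_guesses("secret1"))
```

The design point for defenders: any secondary credential (auto-login cookie, API key, password-reset token) derived deterministically from the password inherits the cost of whatever hash built it, so a single fast derivation undoes the bcrypt work factor for every account that token was issued to. Derive such tokens from a CSPRNG, store them hashed server-side, and rotate them independently of the password.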
NYC Today reports that Ashley Madison has expressed its apologies for the hacking incident. The company is currently facing a multitude of lawsuits from Canada and the U.S. after failing to secure the data of its members. Last month, Ashley Madison's CEO, Noel Biderman, also stepped down because of the massive data leak, as per a previous report from Latinos Post.
The Hoops News further notes that passwords do not guarantee privacy, saying, "Websites should use strong encryption algorithms to secure their users' private information. But on second thoughts, all websites cannot be trusted completely. Hence, the onus eventually falls on the users. They should also not use the same passwords for all accounts on all websites. Hacking of one website might lead to accounts on various other sites across the web being compromised. Indeed, a unique password is better than a strong one."