Tech Made Simple

Hot Topics: Enter Our Apple HomePod Mini Giveaway | How to Fix Bluetooth Pairing Problems | How to Block Spam Calls | Snapchat Symbol Meaning

We may earn commissions when you buy from links on our site. Why you can trust us.

author photo

Just When You Thought the Ashley Madison Hack Couldn't Get Worse

by Josh Kirschner on September 14, 2015

Ashley Madison users still reeling from the recent hack that revealed their philandering ways to the world probably assumed things couldn't get much worse. They have. Hacking group CynoSure Prime has uncovered serious flaws in the Ashley Madison password security algorithms that allowed them to crack more than 11 million user passwords.

An analysis of the security flaw on CynoSure Prime's blog shows that Ashley Madison implemented a highly secure means of encrypting passwords (bcrypt) on June 14, 2012. However, they never took the step to migrate accounts created before that date to the new encryption. Instead, those account passwords were encrypted with far less secure MD5 hashing, making hacking those passwords a relatively trivial exercise. By leveraging this flaw, CynoSure Prime claims they were able to successfully crack 11.7 million passwords out of the total list of 36 million accounts.

With this new password revelation, anyone now has the ability to access Ashley Madison accounts and discover the intimate details of that user's activities on the site. And, since many people reuse passwords across various sites—email, bank accounts, social media—those users will now be exposed to identity theft, as well.

This vulnerability only affects accounts created before June 14, 2012. Anyone who created an account before this date should immediately change their password on the Ashley Madison site and on any other sites where you used the same or similar password.

Even without taking advantage of this recent password vulnerability, a significant number of Ashley Madison users are demonstrating very poor password practices. According to CynoSure Prime, 630,000 Ashley Madison accounts use their username as their password. And a review of the top 100 most commonly used passwords, provided to us by CynoSure, shows extensive use of common passwords such as "123456" and the ever popular "password". Not surprisingly, many of the top 100 also fall within the "Not Safe For Work" category.

[Image credit: Upset Young Couple Having Problems via Shutterstock]


Topics

Privacy, News, Computers and Software, Family and Parenting, Blog


Discussion loading

gravatar

From Ralph Warren on September 14, 2015 :: 4:49 pm


They were testing to breach credit cards as a scam before they ever invaded Ashley Madison. I got an email today trying to extort monies from me, which is definitely a RUSSION scam.  My credit card was rescinded earlier this year when the credit card company found this.  I am sure they were TESTING like someone buying at a local Mac’s before doing a big scam.

Reply

Home | About | Meet the Team | Contact Us
Media Kit | Newsletter Sponsorships | Licensing & Permissions
Accessibility Statement
Terms of Use | Privacy & Cookie Policy

Techlicious participates in affiliate programs, including the Amazon Services LLC Associates Program, which provide a small commission from some, but not all, of the "click-thru to buy" links contained in our articles. These click-thru links are determined after the article has been written, based on price and product availability — the commissions do not impact our choice of recommended product, nor the price you pay. When you use these links, you help support our ongoing editorial mission to provide you with the best product recommendations.

© Techlicious LLC.