Researchers Crack 11 Million Ashley Madison PasswordsBreached Dating Site Committed Massive Security Errors, Expert Says
Breached pro-infidelity online dating service Ashley Madison has earned information security plaudits for storing its passwords securely. Of course, that was of little comfort to the estimated 36 million members whose participation in the site was revealed after hackers breached the firm's systems and leaked customer data, including partial credit card numbers, billing addresses and even GPS coordinates (see Ashley Madison Breach: 6 Essential Lessons).
Unlike so many breached organizations, however, many security experts noted that Ashley Madison at least appeared to have gotten its password security right by selecting the purpose-built bcrypt password hash algorithm. That meant Ashley Madison users who reused the same password on other sites would at least not face the risk that attackers could use stolen passwords to access users' accounts on other sites.
But there's just one problem: The online dating service was also storing some passwords using an insecure implementation of the MD5 cryptographic hash function, says a password-cracking group called CynoSure Prime.
As with bcrypt, using MD5 can make it nearly impossible for information that has been passed through the hashing algorithm - thus generating a unique hash - to be cracked. But CynoSure Prime claims that because Ashley Madison insecurely generated many MD5 hashes, and included passwords in the hashes, the group was able to crack the passwords after just a few days of effort - including verifying the passwords recovered from MD5 hashes against their bcrypt hashes.
In a Sept. 10 blog post, the group claims: "Our team has successfully cracked over 11.2 million of the bcrypt hashes."
One CynoSure Prime member - who asked to not be identified, saying the password cracking was a team effort - tells Information Security Media Group that in addition to the 11.2 million cracked hashes, there are about 4 million other hashes, and thus passwords, that can be cracked using the MD5-targeting techniques. "There are 36 million [accounts] in total; only 15 million out of the 36 million are susceptible to our discoveries," the team member says.
Coding Errors Spotted
The password-cracking group says it identified how the 15 million passwords could be recovered because Ashley Madison's attacker or attackers - calling themselves the "Impact Team" - released not just customer data, but also dozens of the dating site's individual source code repositories, which were created using the Git revision-control system.
"We decided to dive into the second leak of Git dumps," CynoSure Prime says in its blog post. "We identified two functions of interest and upon closer inspection, discovered that we could exploit these functions as helpers in accelerating the cracking of the bcrypt hashes." For example, the group reports that the software running the dating site, until June 2012, created a "$loginkey" token - these were also included in the Impact Team's data dumps - for each user's account by hashing the lowercased username and password, using MD5, and that these hashes were easy to crack. The insecure approach persisted until June 2012, when Ashley Madison's developers changed the code, according to the leaked Git repository.
As a result of the MD5 errors, the password-cracking team says that it was able to create code that parses the leaked $loginkey data to recover users' plaintext passwords. "Our techniques only work against accounts which were either modified or created prior to June 2012," the CynoSure Prime team member says.
CynoSure Prime says that the insecure MD5 practices that it spotted were eliminated by Ashley Madison's developers in June 2012. But CynoSure Prime says that the dating site then failed to regenerate all of the insecurely generated $loginkey tokens, thus allowing their cracking techniques to work. "We were definitely surprised that $loginkey was not regenerated," the CynoSure Prime team member says.
Toronto-based Ashley Madison's parent company, Avid Life Media, did not immediately respond to a request for comment on the CynoSure Prime report.
Coding Flaws: "Massive Oversight"
Australian data security expert Troy Hunt, who runs "Have I Been Pwned?" - a free service that alerts people when their email addresses show up in public data dumps - tells Information Security Media Group that Ashley Madison's apparent failure to regenerate the tokens was a major error, because it has allowed plaintext passwords to be recovered. "It's a massive oversight by the developers; the whole point of bcrypt is to work on the assumption the hashes will be exposed, and they've entirely undermined that premise in the implementation that's been disclosed today," he says.
The ability to crack 15 million Ashley Madison users' passwords means those users are now at risk if they have reused the passwords on any other sites. "It just rubs more salt into the wounds of the victims, now they've got to seriously worry about their other accounts being compromised too," Hunt says.
Feel sorry for the Ashley Madison victims; as if it wasn't bad enough already, now tens of thousands of other accounts will be compromised.ï¿½ Troy Hunt (@troyhunt) September 10, 2015
Jens "Atom" Steube, the developer behind Hashcat - a password cracking tool - says that based on CynoPrime's research, up to 95 percent of the 15 million insecurely generated MD5 hashes can now be easily cracked.
Nice work @CynoPrime !! I was thinking about adding support for those MD5 hashes to oclHashcat, after that I think we could crack up to 95%ï¿½ hashcat (@hashcat) September 10, 2015
CynoSure Prime has not released the passwords that it has recovered, but it published the techniques employed, meaning that other researchers can also now potentially recover millions of Ashley Madison passwords.