CynoSure Prime, a group of “technology oriented individuals,” has announced that it has cracked the passwords of 11 million Ashley Madison users and that it won’t release the passwords online. CynoSure Prime said that the website left a security loophole in order to increase the speed of access to the website.
A few months back, a group of hackers released data from the Canada-based cheating website, but its passwords could not be cracked until now. Though the company said it had used the strong bcrypt algorithm with 4,096 rounds of the hash function, CynoSure Prime claimed that it identified a weakness in the code after analyzing thousands of lines of it. The group used brute force to crack the database and confirmed that it has tested the passwords. Since the data leak, many individuals and groups have been trying to crack the passwords.
“We decided to take a different approach and made some interesting discoveries,” said CynoSure Prime in a blog post.
CynoSure Prime wrote that, without much information about the $loginkey variable and how it was generated, it decided to dive into the second leak of git dumps. The group identified two functions of interest and, upon closer inspection, discovered that it could exploit these functions as helpers in accelerating the cracking of bcrypt hashes.

The company is facing a barrage of lawsuits from Canada and the U.S. as it failed to protect user data. Ashley Madison’s CEO Noel Biderman stepped down due to the hacking incident.
Despite the massive data leak, the company claimed that it is receiving user attention and is even witnessing strong new user signups. According to The Hoops News, websites cannot be trusted completely, and the onus is ultimately on users. Users should regularly change their passwords and should not use the same password on different websites.