A cracking team called Cynosure Prime has deciphered over 11.2 million passwords from the recent Ashley Madison hack in just 10 days, thanks to a programming blunder that made the task surprisingly easy.
After the hackers publicly leaked mountains of documents, emails and data including roughly 37 million users’ details, Cynosure Prime sifted through the site’s source code and found 15.26 million passwords that were secured using MD5, a hashing algorithm that’s faster than others like bcrypt, but far less effective.
One of the group’s members estimates that the blunder made by Ashley Madison’s security team allowed them to crack these passwords about a million times faster than if they attempted to decipher the bcrypt hashes.
In order to protect end users, Cynosure Prime isn’t releasing the passwords it’s cracked. However, it’s detailed all the steps necessary to replicate the passcode recovery.
That doesn’t mean just about anyone can try it at home. You’ll still need plenty of computing power and specialized software to crack the passwords yourself.
The group’s efforts and discoveries underline the need for Web-based businesses to implement sophisticated security measures that go beyond protecting their servers from attacks.