Cynosure Prime cracks over 11 million Ashley Madison passwords

Ashley Madison, the online-dating site, was hacked in July and users’ personal information was released by the hackers last month. The users were, however, a little relaxed as their passwords were encrypted and would take years to crack.

But in a major twist to the case, a group going by the name “Cynosure Prime” has revealed in a blog post how they have already cracked over 11 million passwords within days.

The passwords were cryptographically protected using bcrypt, a cryptographic hashing algorithm so strong that it would take years for even a highly specialised computer to crack all the passwords.

After reviewing thousands of lines of code leaked along with the hashed passwords, executive e-mails, and other Ashley Madison data, the Cynosure Prime team made an interesting discovery: some of the login tokens used by the website were protected using MD5, a hashing algorithm that was designed for speed and efficiency rather than slowing down crackers.

All the team had to do then was just brute-force the MD5 tokens of the user accounts, which allowed them to acquire 11.2 Million passwords successfully.

As the weak MD5 hashing algorithm was introduced only June 2012,  the team could’nt crack all of the 37 million Ashley Madison passwords. However, researchers estimated that approximately 15 million Ashley Madison accounts could be affected, out of which 11.2 Million have been already deciphered by the team.