Ashley Madison data breach escalates with password encryption failure

At least 15 million improperly encrypted Ashley Madison passwords are reported crackable, with enormous implications for members and their employers

The leaking of the personal details of around 32 million members of cheating site Ashley Madison was bad, but just got a great deal worse as members' encrypted passwords proved to be crackable.

Hackers – who call themselves The Impact Team – published the data after Ashley Madison parent company Avid Life Media failed to give in to their demands to take down cheating site Ashley Madison and dating site Established Men.

The one consolation for Ashley Madison members, including more than a million in the UK, was that the passwords were encrypted.

But it appears Ashley Madison has failed them yet again – with programming errors and shortcuts that have made at least 15 million improperly encrypted passwords crackable, reports Ars Technica.

Done properly, it would have taken years to crack each password and several lifetimes to crack all of them, but a group of hobbyists has reportedly managed to crack 15 million in just 10 days.

The cracking team – which calls itself CynoSure Prime – identified the weakness in the encryption after reviewing code leaked along with the passwords, publishing the details in a blog post.
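As an added illustration of the "done properly" point above (example code, not from the article, Ars Technica or CynoSure Prime): the article does not say which algorithms were involved, so this block contrasts a generic unsalted fast hash with a salted, iterated KDF (PBKDF2), measures the per-guess cost ratio between the two, and shows why an unsalted scheme lets one recovered password expose every account that shares it.

```python
import hashlib
import hmac
import os
import time

# Added illustration only: the article names no algorithms, so a generic unsalted
# fast hash is contrasted with a salted, deliberately slow KDF (PBKDF2-HMAC-SHA256).
PBKDF2_ITERATIONS = 200_000  # work factor; raise it until one login check costs ~100 ms


def fast_unsalted_hash(password: str) -> str:
    """The shortcut: one fast hash, no salt. Identical passwords give identical
    digests, and one guess can be checked against every stored digest at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def slow_salted_hash(password: str, salt: "bytes | None" = None) -> str:
    """Done properly: random per-user salt plus an iterated KDF, so every guess
    must be re-derived per user and cracking cost scales with users x iterations."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_slow(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iters, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def per_guess_cost_ratio(samples: int = 10) -> float:
    """Rough measurement: how many times more CPU one guess costs against the slow
    scheme than the fast one. On typical hardware the ratio runs into the thousands."""
    pw, salt, t0 = "correct horse battery staple", os.urandom(16), time.perf_counter()
    for _ in range(samples):
        fast_unsalted_hash(pw)
    fast, t0 = time.perf_counter() - t0, time.perf_counter()
    for _ in range(samples):
        slow_salted_hash(pw, salt)
    return (time.perf_counter() - t0) / max(fast, 1e-9)


def shared_password_groups(records: dict) -> dict:
    """Users whose unsalted digests collide: cracking one member's password reveals
    it for the whole group, which is how reuse and a missing salt compound each other."""
    groups: dict = {}
    for user, digest in records.items():
        groups.setdefault(digest, []).append(user)
    return {d: users for d, users in groups.items() if len(users) > 1}
```

The same collision check returns nothing for records produced by `slow_salted_hash`, because distinct salts give distinct digests even when two users chose the same password.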

Password duplication

Recent research revealed that 56% of office workers use the same passwords for personal and corporate accounts, and rely on an average of just three different passwords.

The fact that Ashley Madison’s passwords are crackable could have enormous implications for its members and their employers.

This is especially worrying because those affected by one of the world’s largest data breaches to date reportedly include UK civil servants, US officials, members of the US armed forces and top executives at European and North American corporations.

Although CynoSure Prime does not plan to release the plaintext passwords, the cracking team has disclosed enough information for others to crack the passwords.

This means it is probably only a matter of time before cyber criminals crack the Ashley Madison passwords and begin using them to attempt to access every online service on the planet.

“Therefore, if you have used the same password anywhere else on the internet, you need to change it immediately,” wrote independent security consultant Graham Cluley in a blog post.

It is always important to have strong, hard-to-crack and – crucially – unique passwords for every online account, he said.

“Avoid future headaches, have a long hard think about your passwords – and make sure all of them are unique. If – like me and 99.999% of the population – you can't remember lots of complicated passwords, invest in a decent password manager,” said Cluley.

Weak encryption adds to lawsuit woes

The fact that the passwords are proving crackable could make things worse for Ashley Madison and its parent company, by giving rise to fresh lawsuits.

Failure to encrypt the passwords properly could add impetus to the several federal lawsuits filed in the US, and the class action suit filed in Canada.

The US lawsuits are all anonymous and all allege breach of contract, negligence and violation of various state and privacy laws by Ashley Madison and ALM.

One lawsuit filed in Los Angeles accuses both companies of negligence and invasion of privacy, as well as causing emotional distress.
