Andrea Danti - Fotolia

Ashley Madison data breach escalates with password encryption failure

At least 15 million improperly encrypted Ashley Madison passwords are reported crackable, with enormous implications for members and their employers

The leaking of the personal details of around 32 million members of cheating site Ashley Madison was bad, but just got a great deal worse as members' encrypted passwords proved to be crackable.

Hackers – who call themselves The Impact Team – published the data after Ashley Madison parent company Avid Life Media failed to give in to their demands to take down cheating site Ashley Madison and dating site Established Men.

The one consolation for Ashley Madison members, including more than a million in the UK, was that the passwords were encrypted.

But, it appears Ashley Madison has failed them yet again – with programming errors and shortcuts that have made at least 15 million improperly encrypted passwords crackable, reports Ars Techica.

Done properly, it would have taken years to crack each password and several lifetimes to crack all of them, but a group of hobbyists has reportedly managed to crack 15 million in just 10 days.

The cracking team – which calls itself CynoSure Prime – identified the weakness in the encryption after reviewing code leaked along with the password, publishing the details in a blog post.

Password duplication

Recent research revealed that 56% of office workers use the same passwords for personal and corporate accounts, and rely on an average of just three different passwords.

The fact that Ashley Madison’s passwords are crackable could have enormous implications for its members and their employers.

This is especially worrying because those affected by one of the world’s largest data breaches to date reportedly include UK civil servants, US officials, members of the US armed forces and top executives at European and North American corporations.

Although CynoSure Prime does not plan to release the plaintext passwords, the cracking team has disclosed enough information for others to crack the passwords.

This means it is probably only a matter of time before cyber criminals crack the Ashley Madison passwords and begin using them to attempt to access every online service on the planet.

“Therefore, if you have used the same password anywhere else on the internet, you need to change it immediately,” wrote independent security consultant Graham Cluley in a blog post.  

It is always important to have strong, hard-to-crack and – crucially – unique passwords for every online account, he said.

“Avoid future headaches, have a long hard think about your passwords – and make sure all of them are unique. If – like me and 99.999% of the population – you can't remember lots of complicated passwords, invest in a decent password manager,” said Cluley.

Weak encryption adds to lawsuit woes

The fact that the passwords are proving crackable could make things worse for Ashley Madison and its parent company, by giving rise to fresh lawsuits.

Failure to encrypt the passwords properly could add impetus to the several federal lawsuits filed in the US, and the class action suit filed in Canada.

The US lawsuits are all anonymous and all allege breach of contract, negligence and violation of various state and privacy laws by Ashley Madison and ALM.

One lawsuit filed in Los Angeles accuses both companies of negligence and invasion of privacy, as well as causing emotional distress.

Read more about hacking

Read more on Privacy and data protection

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

This is disconcerting on multiple levels. Cheaters are reaping what they have sown.

Criminal hackers have helped to destroy the lives of many innocent victims, specifically the
family and friends of the adulterers.

Educate the masses - "anything can be hacked".
There is really nothing to say except that Ashley Madison is an evil enterprise that facilitates the wrecking of marriages and erodes western values even further from what they already are. Anyone who has such low regard for their spouse (whom they married under the sanctity of vows to God) and used this horrible service... I can only hope they are exposed; their marriage is destroyed; and their spouse freed from the clutches of the pig in question.
A message to the apostate owners of AM: there is a God, and he is counting every evil thing you accomplish, and you will be held to account in a few short years...
I hope every single account is blown wide open on that site and will pray for the ruination of the monsters who conceived of and built the damn thing.
There's a serious problem exposed here and it has little to do with God's retribution. People have always cheated since before the bible was a book or added an extra concubine when the itch commanded. 

The point here is that Ashley Madison was a poorly run company with negligible security. And, even worse, users were stupid enough to blithely hand over their personal info for a peek behind the curtain. 

Now hackers have figured out the shortcuts that were used to store that information. 

The takeaway is not a call for the morality police, but for better, smarter security. Let the cheaters (or open marriage folks or swingers or whatever) deal with their private lives on their own. It's OUR job to deal with the security issues here. And they're really, really bad. 
Did the number of users with weak passwords provide the crib to attack an OK encryption algorithm or was that latter inherently weak.
@ncberns “The point here is that Ashley Madison was a poorly run company with negligible security.” Bravo! And, it’s just one example of the many (many) companies out there that have negligible security to which people entrust their personal information.
So is the issue poor passwords for the users, or is it that this dubious site failed to do its diligence?  Or is it both?  

Well we ever really know?
Or is it that that the site used current "best practice" and that failed because it is inadequate against a serious attack?