2015-09-13



11 million Ashley Madison passwords revealed.

NEW YORK (CNNMoney) — As if having your most private information exposed by hackers wasn’t enough … now millions of Ashley Madison’s passwords have been revealed. Back in August, the hacking collective known as “The Impact Team” leaked millions of users’ personal information – such as their email address – and dumped gigabytes of data using the dark web via Tor browsers. More than 11 million encrypted passwords that were stolen from the online dating service have now been deciphered, according to a password cracking group. A group of password-cracking hobbyists, analyzing the data released by the Ashley Madison hackers, have found mistakes in the way the website encrypted about half of the 32 million stolen accounts. CynoSure Prime determined that Ashley Madison had made two strange mistakes when it encrypted about 15 million customer passwords: 1) it converted them all to lowercase letters and 2) it ran one of the weakest available encryption algorithms on the passwords.

The team, which calls itself “CynoSure Prime,” was able to decode them by exploiting fatal flaws in the developers’ implementation of a password obfuscation technique known as hashing. To be technical, the programmers had used a hashing algorithm called “bcrypt,” which makes information so encoded extraordinarily difficult to crack. The cipher is designed to hinder hacking attempts like a ballistic vest blocking bullet rounds. Properly encrypted, “Password” would appear as the far more complex (and essentially impossible to crack) “$2a$10$ci9jdQQRdTe4U2wIncJt9uRs.HKatci/30iJcXDzsfqtX4APwTaLS”. You would need to have a lot of speed and processing power (i.e. lots of computers) because it’s designed to be hard to break by requiring an expensive amount of resources. The less-safe encryption tool Ashley Madison used is about a million times faster to crack than the more robust one, CynoSure Prime said.

After hackers leaked Ashley Madison data in three massive dumps, security experts discovered a commendable surprise within the infidelity site’s source code. “We wondered if it had always been this way,” the Cynosure team wrote in its blog post, describing what prompted the group to dig through thousands of lines of source code to find out. However, CynoSure Prime went through the site source code and discovered more than 15 million login tokens were cryptographically protected by MD5, a faster algorithm designed for high accuracy but less effective at protecting passwords, The Next Web reported. That gave the group an entry point. “[T]his line was changed on 2012-06-14,” the team wrote of the switch from the MD5 to the bcrypt algorithm on June 14, 2012. “This meant that we could crack accounts created prior to this date.” Cynosure told Fortune that it has verifiably cracked 11,542,930 of the passwords so far — “using the discoveries we have made AND also other methods which have not talked about yet” — and has 3,720,051 tokens left to go.

So a hacker who uncovers your password on a site like Ashley Madison could easily click over to bankofamerica.com, gmail.com or facebook.com and have a good shot at getting into your bank, email or social network account.

A man from Madison, Tennessee, has filed the first lawsuit in Mississippi against Ashley Madison after a hacker group’s data breach of the affair website. The man, listed anonymously in court papers as John Doe, claims the hack that revealed his account on the controversial website ruined his marriage and may also cost him his job. The lawsuit says the man created an account with Ashley Madison in 2010, which included a user name and password, personal information and photographs. “Needless to say, this dumping of sensitive personal and financial information is bound to have catastrophic effects on the lives of the website’s users,” the lawsuit says.

Working the phone lines at Ashley Madison, a website catering to adulterers, requires a certain personality — an open mind, a non-judgmental attitude and a high tolerance for verbal abuse. But even the most battle-hardened staff had a tough time getting through the calls where a woman, after suspecting her husband had been looking for an affair on the website, handed the phone off to the kids. “People would get their children to call in and say things like, ‘You’ve ruined our family, I hope you’re happy, my mommy’s crying, it’s all your fault.’ That’s a little sobering,” said one former customer service representative. It would just get intense.”

But working inside Ashley Madison wasn’t all tears and death threats, according to multiple former employees at the recently hacked Toronto-based website tracked down by the Financial Post. Employees remember high pay, free beer on Fridays and a manager who, after losing a bet, flawlessly performed Jay-Z’s rap from Mariah Carey’s 1999 hit “Heartbreaker” in front of the entire office (“She calls me a heartbreaker, when we apart it makes her, want a piece of paper, scribble down ‘I hate ya.’”). Those perks came with a condition, the employees said: a wide-ranging non-disclosure agreement employees had to sign, and which extends long after they leave their job. But with the company under intense scrutiny, following a serious data breach in which hackers — claiming to be offended by the website’s practices — leaked a database of the site’s member information, none of the current employees agreed to be interviewed. Most of them said they experienced a psychological disconnect between the positive work environment and the company’s business practices, which they described with words like “sleazy,” “scummy” and “blatantly manipulative.” Their comments perhaps explain how elements of the company’s business model revealed by the hack worked in practice, with the promise of sex and suggestive come-ons that were, in later years, frequently generated by computers that could part lustful men from hundreds of dollars within minutes of logging on. Paul Keable, a spokesman for Avid Life, the parent company of Ashley Madison, provided an emailed statement in response to a request for comment regarding the allegations made by former employees. “As we have stated in the past, as this is an ongoing investigation, we are limited in what we can say.

Calls from angry spouses were traumatizing, but far more common, former workers say, were calls from angry men — clients demanding a refund after finding out they had rapidly racked up bills far steeper than they had realized. And many new users miss the fact that their messages are automatically marked priority by default, unless users make a point of changing their settings to turn the default option off. That means a user who sent messages to the 10 female profiles on the first page of results (which is generally a new member’s first move) had already burned through his 50-credit starter package.

But many also complained they were unaware of another default setting, one that automatically charged their credit cards for a new package of credits, once credits ran out — at a cost of US$79.99. With a few more messages, some 20- to 50-credit “virtual gifts” to the ladies on the other end and some time spent in a chat session (30 credits for 30 minutes), the client could find himself having burned through more than $500.

When an ad would be refused by a TV network or transit system, or would inflame the Internet for being so provocative, a spike of new sign-ups would shortly follow. That would mean that Ashley Madison’s bots could effectively pass the famous “Turing test” for artificial intelligence — where a human could not detect even after a few questions that he was talking to a machine and not another person. (Not always, though: a consumer complaint was sent to Ashley Madison by the office of California Attorney General Kamala Harris in 2012 after a member became suspicious of how many women were starting conversations with the exact same phrase: “are you online?”) Gizmodo claimed in its reporting that users would spend their first dollar on the site engaging with a computer 80 per cent of the time.

Still, whatever the claims about the company’s practices, Avid Life executives were evidently ready to answer to more scrutiny and transparency in a bid to take the company public on capital markets. Former workers described a heavy moderation process for profiles before they could go live, with staff removing photos featuring identifying details such as licence plates, visible address numbers on houses, shots including the members’ wives and children, and even visible work identification badges with members’ full names. In most ways, it was just a normal office job, they said — quite different from the image depicted in the company’s sexually charged advertisements featuring models in various states of undress. And most of those interviewed remembered Noel Biderman, the long-serving chief executive — who took the company from a small local startup to a global brand, before stepping down last month — as a kind and approachable boss.

They report that the office was badly shaken by Biderman’s departure — and rattled by the fact the hack is reported to have been an inside job from a disgruntled one-time employee. Understandably, there is also a growing concern that they might not have their jobs for much longer if the repercussions from the hack drive the company out of business. Fahim described his job as “the guy behind the scenes making sure everything runs smoothly,” reporting directly to the executive level of the company. Fahim said that while the company did everything commercially reasonable to protect the site, the site’s age posed security and logistical challenges.

Launched in 2002, Ashley Madison’s code grew clunkier and hard to change, initially written by developers who left the company long ago. “They took security as seriously as any web organization would. It was predictable, he said, that the site would someday peeve the wrong person — someone with the technical know-how and persistence to pull off a hack. “But was this hacker group justified in doing what they did?
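The two mistakes CynoSure Prime describes above, case-folding passwords and protecting them with a fast unsalted algorithm rather than bcrypt, can be made concrete. The block below is an added example, not the site's code or CynoSure Prime's tooling: it parses the bcrypt string quoted in the article into its version, cost and salt fields, mimics the weak scheme (lowercase, then MD5) to show that it cannot tell "Password" from "PASSWORD", and uses the standard library's PBKDF2 as an assumed stand-in for bcrypt, since bcrypt is not in Python's standard library.

```python
import hashlib
import hmac
import os
import re

# bcrypt's modular-crypt layout: $<version>$<cost>$<22-char salt><31-char digest>,
# both fields in bcrypt's own base64 alphabet (./A-Za-z0-9).
BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")

# The bcrypt hash of "Password" quoted in the article.
ARTICLE_HASH = "$2a$10$ci9jdQQRdTe4U2wIncJt9uRs.HKatci/30iJcXDzsfqtX4APwTaLS"


def parse_bcrypt(h):
    """Split a bcrypt string into its fields; cost c means 2**c key-setup rounds."""
    m = BCRYPT_RE.match(h)
    if m is None:
        raise ValueError("not a bcrypt hash")
    version, cost, salt, digest = m.groups()
    return {"version": version, "cost": int(cost), "rounds": 2 ** int(cost),
            "salt": salt, "digest": digest}


def weak_token(password):
    """Constructed stand-in for the two mistakes the article describes:
    case-fold the password, then a single unsalted MD5. Not the site's real code."""
    return hashlib.md5(password.lower().encode()).hexdigest()


def weak_verify(token, candidate):
    # Any case variant of the original password verifies: the stored token
    # carries no information about letter case at all.
    return hmac.compare_digest(token, weak_token(candidate))


def case_fold_loss(length, alphabet=52, folded=26):
    """How many times smaller the candidate space becomes when a letters-only
    password of this length is lowercased before hashing (52**n vs 26**n)."""
    return alphabet ** length // folded ** length


# Hardened stand-in: PBKDF2-HMAC-SHA256 (stdlib) in place of bcrypt, with a
# per-user random salt, a tunable work factor and no case-folding.
def slow_token(password, salt=None, iterations=200_000):
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def slow_verify(token, candidate):
    iterations, salt_hex, digest_hex = token.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)
```

For an eight-letter password, case-folding alone shrinks the candidate space 256-fold before the speed difference between MD5 and bcrypt is even considered.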
