When a team of hackers dumped troves of data online that unmasked millions of users of the infidelity dating website Ashley Madison, users panicked that the leak would wreak havoc on their personal lives — tearing apart their relationships or forever branding them a cheater in the eyes of everyone they know.
But because Ashley Madison appears to have stored only the last four digits of users' credit cards, and the company hashed most passwords with a cryptographic password-hashing function called bcrypt, there was far less concern about the usual post-hack headaches like identity theft or fraud.
At one point, though, Ashley Madison appears to have stored passwords without bothering to either hash or encrypt them, two security practices that prevent hackers from directly using passwords if they get access to the stored data.
In a file that seems to be from the company's quality assurance engineering team, 765,607 user names and passwords all appear in plain text. By matching those user names with user names in a separate file that also contains users' e-mail addresses, anyone with access to both files (meaning, now, everyone on the Internet) can easily gain access to thousands of logins for Ashley Madison.
And, as we know, many people use one password for everything, so having access to their Ashley Madison password and matching e-mail address may make victims of the leak vulnerable to a hack elsewhere.
Security expert Erik Cabetas ran an analysis of the data and found that most of the passwords weren't all that secure. Among the top passwords were 5,882 people using the password "123456," 2,406 people using the password "password" and 950 people using the password "pussy." (Other popular passwords included "696969" and "fuckme.")
The data here isn't perfect. Merging the two files reveals only about 290,000 e-mail and password matches of the 765,607 unique usernames included in the data.
To verify that these were indeed working passwords that belonged to Ashley Madison users, I e-mailed a random sampling of 2,000 people whose e-mail and passwords appeared to match. The vast majority of those e-mails bounced back, indicating that this is probably a pretty old file containing information for users that have long since stopped using the site. A few said they had never signed up, an indication that they were victims of Ashley Madison's policy of not requiring e-mail verification to create an account. But a few people confirmed that the password included in the leaked file was indeed either a password they currently use or had used on the site. Ashley Madison parent company Avid Life Media declined to comment, directing me to previously released statements on the link.
This leaked password data for a few hundred thousand users is a small fraction of the other, possibly more damaging data presently floating around out there on Ashley Madison's more than 37 million members.
But while CEO Noel Biderman loves to brag about Ashley Madison's security policies and the company website still assures users that it's incredibly secure, this makes clear that at points Ashley Madison's security practices have been just plain sloppy.
Of course, even using a salted bcrypt hash, as Ashley Madison seems to have done for most of its password data, doesn't mean the passwords themselves are secure. Security researcher Dean Pierce today claimed to have cracked 4,000 hashed passwords from the leak; using a $1,500 cracking rig, Pierce says the job took five days. He similarly found that very few passwords were unique and that many were simple passwords like "password," making them considerably easier to crack.
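The two storage failures the article describes, plain-text password files and strong hashing undermined by weak passwords, can be shown side by side in a few lines. The following is an added example, not code from Ashley Madison or from the researchers quoted above. bcrypt is not in Python's standard library, so the example uses PBKDF2-HMAC-SHA256 from `hashlib` as a stand-in slow, salted hash; the deny-list, iteration count and sample user records are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed deny-list: the popular passwords named in the article plus a few more.
# A real deployment would check against a large breached-password corpus.
COMMON_PASSWORDS = {"123456", "password", "696969", "qwerty", "letmein"}

# Assumption: a work factor that makes each guess cost measurable CPU time,
# the same role bcrypt's cost parameter plays.
PBKDF2_ITERATIONS = 200_000


def password_is_allowed(password: str) -> bool:
    """Reject the weak choices at registration, before they are ever stored."""
    return len(password) >= 12 and password.lower() not in COMMON_PASSWORDS


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2$<iterations>$<salt hex>$<digest hex>'.

    A fresh 16-byte random salt per user means two users who chose the same
    password get different records, so a leaked table does not reveal reuse.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def register(store: Dict[str, str], username: str, password: str) -> None:
    """Registration path: refuse weak passwords, store only the salted hash."""
    if not password_is_allowed(password):
        raise ValueError("password is too short or too common")
    store[username] = hash_password(password)


def plaintext_store_exposes_reuse(store: Dict[str, str]) -> int:
    """For a plain-text file like the leaked QA file, count how many accounts
    share a password: a breach of that file hands the attacker all of them."""
    counts: Dict[str, int] = {}
    for pw in store.values():
        counts[pw] = counts.get(pw, 0) + 1
    return sum(c for c in counts.values() if c > 1)


def hashed_store_exposes_reuse(store: Dict[str, str]) -> int:
    """Same check against a salted-hash store: identical passwords no longer
    produce identical records, so the count is zero."""
    return plaintext_store_exposes_reuse(store)


if __name__ == "__main__":
    # Constructed records in the style of the leaked plain-text file.
    leaked_plaintext = {"alice": "123456", "bob": "123456", "carol": "hunter2-long-pw"}
    print("plain-text store, accounts sharing a password:",
          plaintext_store_exposes_reuse(leaked_plaintext))

    hashed: Dict[str, str] = {}
    for user, pw in [("dave", "correct horse battery staple"),
                     ("erin", "correct horse battery staple")]:
        register(hashed, user, pw)
    print("salted-hash store, accounts sharing a record:",
          hashed_store_exposes_reuse(hashed))
    print("login check for dave:", verify_password("correct horse battery staple", hashed["dave"]))
```

The record format embeds the salt and iteration count so the work factor can be raised later without breaking existing logins, and `password_is_allowed` is where a site stops "123456" from reaching the database at all; a slow hash only buys time against guessing, it cannot make a guessable password unguessable.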
The lesson here might be two-fold: Ashley Madison's security protocols were lacking, but even good security practices can't protect users from choosing bad passwords.