[Cryptography] millions of Ashley Madison bcrypt hashes cracked efficiently
phill at hallambaker.com
Fri Sep 11 10:53:08 EDT 2015
On Fri, Sep 11, 2015 at 1:16 AM, Ray Dillinger <bear at sonic.net> wrote:
> On 09/10/2015 09:42 PM, Tony Arcieri wrote:
> > tl;dr: they cracked MD5 digests instead. The MD5 version was downcased.
> > Once recovering the downcased password, they recovered the case sensitive
> > version by brute forcing all possible case variants against the bcrypt
> > digests.
> They've cracked 11.2 million accounts "so far". I'm completely stunned
> that Ashley Madison had 11.2 million accounts in the first place, and
> that counts only those who had signed up *before* they switched to more
> secure methodology. That would be approximately one for every 30
> people in the US, and Ghu alone knows how many new accounts since
> then and how many more insecure accounts remain to be cracked. I
> just didn't imagine that such a skeevy "service" would attract so
> many clients.
> I guess I haven't been reading the news closely enough; I've been
> treating it as 'ho hum more of the same.' But I guess it has the
> scale to be significant after all.
A large number of the users likely had multiple accounts. The way sharks
work is that first they try chatting a woman up with approach X till they
are rejected. At that point they have invested some time in finding out
about them and have as collateral a lot of personal details. So on approach
2 they can refine their strategy: oh, I am also into ultimate pogo-frisbee,
what a coincidence!
Welcome to fin-land.
Reading the forums, it looked like men were creating female accounts so
they could see what approaches other men were taking.
Thing is, you only need to convert 3% of 30 million accounts to have a
million paid accounts. I suspect most people signed up for the lowest tier
and realized it was a scam. That is still $60 million.
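The tl;dr quoted at the top of this message (crack the downcased MD5 first, then try only the case variants against bcrypt) is worth seeing at toy scale, because it shows why the bcrypt cost factor bought nothing once a cheap digest of the same password sat beside it. The example below is added here and is not code from the thread or from Ashley Madison; it uses PBKDF2 as a stand-in for bcrypt (an assumption, so it runs with the standard library only), a constructed three-word dictionary, and a constructed record layout with an `md5_lower` field that is my own naming, not the site's schema.

```python
import hashlib
import hmac
import itertools
import os
from typing import Iterator, List, Optional, Tuple

# Stand-in for bcrypt (assumption: bcrypt is not installed here). All that matters
# for the argument is that each evaluation is expensive, which PBKDF2 with many
# iterations also is.
SLOW_ITERATIONS = 10_000


def slow_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, SLOW_ITERATIONS)


def store_vulnerable(password: str) -> dict:
    """Record shape the thread describes: a slow hash, plus a fast MD5 of the
    downcased password persisted next to it (constructed illustration)."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "slow": slow_hash(password, salt),
        "md5_lower": hashlib.md5(password.lower().encode()).hexdigest(),
    }


def store_hardened(password: str) -> dict:
    """Only the slow hash is kept; nothing cheaper derived from the password."""
    salt = os.urandom(16)
    return {"salt": salt, "slow": slow_hash(password, salt)}


def recover_downcased(md5_hex: str, wordlist: List[str]) -> Optional[str]:
    """The cheap step: one MD5 per dictionary word, no slow hash involved."""
    for word in wordlist:
        if hashlib.md5(word.lower().encode()).hexdigest() == md5_hex:
            return word.lower()
    return None


def case_variants(lowered: str) -> Iterator[str]:
    """Every case variant of a downcased string: 2**(number of letters) candidates."""
    choices = [(c, c.upper()) if c.isalpha() else (c,) for c in lowered]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def case_variant_count(password: str) -> int:
    return 2 ** sum(ch.isalpha() for ch in password)


def slow_guesses_with_leak(record: dict, lowered: str) -> Tuple[Optional[str], int]:
    """The expensive step, bounded by the case variants of the leaked lowercase
    form rather than by the full keyspace. Returns (match, slow-hash evaluations)."""
    tried = 0
    for candidate in case_variants(lowered):
        tried += 1
        if hmac.compare_digest(slow_hash(candidate, record["salt"]), record["slow"]):
            return candidate, tried
    return None, tried


def has_cheap_password_derivative(record: dict) -> bool:
    """Defender's check on a stored record: any fast digest of the password
    present beside the slow one defeats the slow one's purpose."""
    return "md5_lower" in record


if __name__ == "__main__":
    # Constructed sample: a 7-character password and a tiny dictionary.
    rec = store_vulnerable("Secret1")
    lowered = recover_downcased(rec["md5_lower"], ["password", "secret1", "letmein"])
    match, evals = slow_guesses_with_leak(rec, lowered)
    print(f"leak present: {has_cheap_password_derivative(rec)}")
    print(f"recovered {match!r} with {evals} slow evaluations "
          f"out of at most {case_variant_count('Secret1')}")
    print(f"hardened record leaks a cheap digest: "
          f"{has_cheap_password_derivative(store_hardened('Secret1'))}")
```

The number to notice is the bound on slow evaluations: 2 to the power of the letter count of the downcased password, independent of dictionary size or the bcrypt cost parameter. The hardened record simply has no fast digest to start from, so every guess has to pay the full slow-hash price.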