[Cryptography] millions of Ashley Madison bcrypt hashes cracked efficiently

Phillip Hallam-Baker phill at hallambaker.com
Fri Sep 11 10:53:08 EDT 2015

On Fri, Sep 11, 2015 at 1:16 AM, Ray Dillinger <bear at sonic.net> wrote:

> On 09/10/2015 09:42 PM, Tony Arcieri wrote:
> > tl;dr: they cracked MD5 digests instead. The MD5 version was downcased.
> > Once recovering the downcased password, they recovered the case sensitive
> > version by brute forcing all possible case variants against the bcrypt
> > digests.
> >
> They've cracked 11.2 million accounts "so far".  I'm completely stunned
> that Ashley Madison had 11.2 million accounts in the first place, and
> that counts only those who had signed up *before* they switched to more
> secure methodology.  That would be approximately one for every 30
> people in the US, and Ghu alone knows how many new accounts since
> then and how many more insecure accounts remain to be cracked.  I
> just didn't imagine that such a skeevy "service" would attract so
> many clients.
> I guess I haven't been reading the news closely enough; I've been
> treating it as 'ho hum more of the same.' But I guess it has the
> scale to be significant after all.
>                         Bear

A large number of the users likely had multiple accounts. The way sharks
work is that first they try chatting a woman up with approach X till they
are rejected. At that point they have invested some time in finding out
about them and have as collateral a lot of personal details. So on approach
2 they can refine their strategy: "Oh, I am also into ultimate pogo-frisbee,
what a coincidence!"

Welcome to fin-land.

Reading the forums, it looked like men were creating female accounts so
they could see what approaches other men were taking.

Thing is, you only need to convert 3% of 30 million accounts to have a
million paid accounts. I suspect most people signed up for the lowest tier
and realized it was a scam. That is still $60 million.
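
As an added illustration of the two-stage attack Tony summarises at the top
of the thread (this is example code written for this page, not anything from
the thread or from the Ashley Madison code base): the fast unsalted MD5 of the
lowercased password is cracked with a wordlist, and the resulting lowercase
string is then used to enumerate only the 2^k case variants (k = number of
letters) against the slow, salted hash. Everything below is constructed: the
sample password, the salt and the wordlist are made up, and the slow hash is
PBKDF2-HMAC-SHA256 from hashlib standing in for bcrypt so the script runs with
the standard library alone. The shape of the attack, and the reason the MD5
leaks almost all of the bcrypt work factor, is the same.

```python
import hashlib
import hmac
import itertools
from typing import Iterator, Optional

# Constructed parameters: a made-up per-user salt and a modest work factor so
# the example runs quickly. In the real incident the slow hash was bcrypt; the
# PBKDF2 stand-in here is an assumption made only so this runs with hashlib.
SALT = b"constructed-salt-for-example"
ROUNDS = 10_000


def slow_hash(password: str) -> bytes:
    """Stand-in for the bcrypt digest of the case-preserved password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ROUNDS)


def fast_hash(password: str) -> str:
    """Models the weak companion token: unsalted MD5 of the LOWERCASED password."""
    return hashlib.md5(password.lower().encode()).hexdigest()


def crack_fast(md5_hex: str, wordlist: list[str]) -> Optional[str]:
    """Stage 1: recover the lowercase password from the cheap MD5 token."""
    for word in wordlist:
        if fast_hash(word) == md5_hex:
            return word.lower()
    return None


def case_variants(word: str) -> Iterator[str]:
    """Yield every upper/lower casing of `word`; non-letters have one option."""
    options = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in word]
    for combo in itertools.product(*options):
        yield "".join(combo)


def variant_count(word: str) -> int:
    """Size of the stage-2 search space: 2 to the number of letters."""
    return 2 ** sum(1 for c in word if c.isalpha())


def recover_case(lower_pw: str, target: bytes) -> tuple[Optional[str], int]:
    """Stage 2: try only the case variants against the slow hash.

    Returns (password, number_of_slow_hash_calls). The candidate space is
    2^k instead of the full keyspace, which is why the MD5 token is fatal.
    """
    attempts = 0
    for candidate in case_variants(lower_pw):
        attempts += 1
        if hmac.compare_digest(slow_hash(candidate), target):
            return candidate, attempts
    return None, attempts


def attack(md5_hex: str, slow_digest: bytes, wordlist: list[str]) -> dict:
    """Run both stages and report what was recovered and what it cost."""
    lower_pw = crack_fast(md5_hex, wordlist)
    if lower_pw is None:
        return {"password": None, "slow_calls": 0, "variants": 0}
    password, calls = recover_case(lower_pw, slow_digest)
    return {"password": password, "slow_calls": calls,
            "variants": variant_count(lower_pw)}


# Constructed victim record: what the database would have held for this user.
REAL_PASSWORD = "Secret1!"
LEAKED_MD5 = fast_hash(REAL_PASSWORD)      # cheap, lowercased
LEAKED_SLOW = slow_hash(REAL_PASSWORD)     # expensive, case-preserved

# Constructed wordlist; a real attacker would use a large cracking dictionary.
WORDLIST = ["password", "letmein", "qwerty", "secret1!", "dragon"]

if __name__ == "__main__":
    result = attack(LEAKED_MD5, LEAKED_SLOW, WORDLIST)
    print(f"recovered {result['password']!r} with {result['slow_calls']} slow "
          f"hash calls out of at most {result['variants']} case variants")
```

Without the MD5 token an attacker would have to run the slow hash over the
whole keyspace (95^8 candidates for an eight-character printable password);
with it, the slow hash runs at most 2^6 = 64 times for this sample. The
mitigation is simply not to store any second, cheaper digest of the password,
lowercased or otherwise, alongside the bcrypt hash.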
