[Cryptography] millions of Ashley Madison bcrypt hashes cracked efficiently

Paul Ferguson fergdawgster at mykolab.com
Fri Sep 11 22:48:28 EDT 2015


On 9/10/2015 10:51 PM, Tom Mitchell wrote:

> On Thu, Sep 10, 2015 at 10:16 PM, Ray Dillinger <bear at sonic.net> wrote:
> 
> On 09/10/2015 09:42 PM, Tony Arcieri wrote:
>> tl;dr: they cracked MD5 digests instead. The MD5 version was
>> downcased. Once recovering the downcased password, they recovered
>> the case sensitive version by brute forcing all possible case
>> variants against the bcrypt digests.
> 
> They've cracked 11.2 million accounts "so far".  I'm completely
> stunned that Ashley Madison had 11.2 million accounts i
> 
> 
> Some reports say many of the accounts were fabrications, i.e.
> some 95% of the female accounts were fabricated. Fabrications or
> not this is amazing. With so many fabrications one wonders if this
> attack could be used to identify the real accounts. Identifying the
> real accounts (eliminating the 95% false accounts) further
> amplifies efforts to expose real user accounts+info.
> 
> This is still amazing at many levels.
> 
> 

We've seen some of our spam trap dummy accounts subscribed into this
mess. :-)

http://blog.trendmicro.com/trendlabs-security-intelligence/ashley-madison-why-do-our-honeypots-have-accounts-on-your-website/

- ferg



-- 
Paul Ferguson
PGP Public Key ID: 0x54DC85B2
Key fingerprint: 19EC 2945 FEE8 D6C8 58A1 CE53 2896 AC75 54DC 85B2
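The storage flaw behind Tony Arcieri's tl;dr above, as an added example that is not code from anyone in this thread: a bcrypt-class hash kept alongside a fast MD5 of the lower-cased password, the hardened layout beside it, and a count of how few slow-hash evaluations the fast hash leaves an attacker per account. PBKDF2-HMAC stands in for bcrypt so the block runs with the standard library only; that substitution, the iteration count and the sample passwords are assumptions.

```python
import hashlib
import os

# Assumption: PBKDF2-HMAC-SHA256 with a high iteration count plays the role of
# bcrypt here so the example needs only the standard library.
SLOW_ITERATIONS = 100_000


def slow_hash(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow password hash (bcrypt stand-in)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, SLOW_ITERATIONS)


def store_vulnerable(password: str) -> dict:
    """The layout described in the thread: a slow salted hash of the password
    plus a fast, unsalted MD5 of the lower-cased password. The MD5 gives away
    the password up to letter case at wordlist speed."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "slow": slow_hash(password, salt),
        "fast_lower": hashlib.md5(password.lower().encode()).hexdigest(),
    }


def store_hardened(password: str) -> dict:
    """Only the slow salted hash is kept. If a case-insensitive check were
    truly needed, it would have to go through the same slow KDF, never MD5."""
    salt = os.urandom(16)
    return {"salt": salt, "slow": slow_hash(password, salt)}


def case_variants(lowercased: str) -> int:
    """Case variants of a recovered lower-cased password: two choices per
    letter, one per non-letter."""
    return 2 ** sum(ch.isalpha() for ch in lowercased)


def slow_guesses_needed(password: str, wordlist_size: int, fast_hash_leaked: bool) -> int:
    """Upper bound on slow-hash evaluations for one account. With the MD5
    present, the whole wordlist is tried against MD5 at negligible cost and
    only the case variants of the hit must be paid for at the slow rate."""
    if fast_hash_leaked:
        return case_variants(password.lower())
    return wordlist_size
```

For a nine-character password with eight letters the leak cuts the slow-hash work from the size of the wordlist to 256 evaluations, which is the reduction the thread describes.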

