[Cryptography] [FORGED] Re: millions of Ashley Madison bcrypt hashes cracked efficiently

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sun Sep 13 06:14:49 EDT 2015


John Kelsey <crypto.jmk at gmail.com> writes:

>I wonder how that ratio (90%+ of the women there were fake) compares with
>other dating sites.  My uninformed guess is that it's probably comparable to
>other sites.

From a talk a few years ago by someone who worked in security for a major
dating site, the number of (obviously) fake profiles is actually quite small
because they very actively police the site for scammers.  "Obviously fake"
means people who sign up, create a fake profile, and then start contacting
other members to take them off-site.  The profiles typically have impossible
(or at least unlikely) combinations of attributes (location, profession, age,
and so on), or fit a certain profile (from memory firemen and... some similar
profession were popular for attracting female victims, for guys I think it was
just anything with a pulse :-), they're created at unusual times, and so on.

Not-so-obviously fake profiles were compromised accounts where the scammers
invested a lot of time spear-phishing individuals.  These were hard to catch,
but also yielded a low rate of return for the scammer.

In terms of the most significant demographic for non-active accounts (which
would be the closest equivalent to a fake profile on A-M), that was people who
signed up, set up a minimal profile to allow them to have a look around
(anecdotally, alongside general tire-kickers, many of them were people keeping
tabs on exes and things), and then never came back.  He wasn't terribly
forthcoming with figures for this, but reading between the lines it seemed the
actual figure for this type of account was "a lot".

Peter.

