One month after the breach was announced, the hackers released the first batch of stolen data. Email addresses, passwords, and credit card transactions leaked from 18 August. A few days later more data followed, including internal emails with Avid Media Life's parent company.
The tens of millions of passwords leaked from Ashley Madison's site were hashed with bcrypt. Robert Graham, a security researcher at Errata Security, reported on the company's blog that this was a "refreshing change." It means that users with strong passwords are "safe."
But we cannot say the same about weak passwords.
Security expert Dean Pierce reported how he managed to crack weak passwords with a "cracking rig."
The results should not surprise us. Using weak passwords on the site was terrible.
Pierce spent five days running an automated password-cracking process and stopped at about 0.0006 percent of all the leaked data. But that still means 4,000 cracked passwords.
The most common password was the well-known “123456”, while the equally well-known “password” came in second. (Pierce has made the full list available for download on Google Drive.)
It is worth noting that in the case of Ashley Madison, it is not clear at what point in time the data with the passwords was leaked. It is likely that the website allowed weak passwords in its early days and later required stronger ones when signing up for the site.
“It may also be impossible to break any password with bcrypt, but given that many users use weak passwords, it doesn't matter if the passwords are bcrypted and salted. Some will break.”
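The point about salted, slow hashes and weak passwords can be seen from the defender's side. The following is an added example, not code from the article or from Pierce's work: it rejects denylisted passwords at signup and audits legacy accounts so they can be forced to reset. PBKDF2 from Python's standard library stands in for bcrypt, and the account names, denylist, and iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed denylist; "123456" and "password" are the top two from the article.
DENYLIST = ["123456", "password", "qwerty", "letmein"]
ITERATIONS = 50_000  # assumed work factor for the PBKDF2 stand-in


def hash_password(password, salt=None):
    """Return (salt, digest) using a per-user random salt and a slow KDF."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def allowed_at_signup(password, min_length=12):
    """Policy gate: reject short or denylisted passwords before hashing."""
    return len(password) >= min_length and password.lower() not in DENYLIST


def audit(records):
    """Return users whose stored hash matches a denylisted password.

    The salt forces one KDF call per (user, candidate) pair, but with a
    short denylist that is still only a handful of calls per account.
    """
    flagged = []
    for user, (salt, digest) in records.items():
        for candidate in DENYLIST:
            _, guess = hash_password(candidate, salt)
            if hmac.compare_digest(guess, digest):
                flagged.append(user)  # schedule a forced reset
                break
    return sorted(flagged)


# Constructed accounts created before a signup policy existed.
LEGACY = {
    "user_a": hash_password("123456"),
    "user_b": hash_password("123456"),
    "user_c": hash_password("correct horse battery staple"),
}

if __name__ == "__main__":
    print("force reset:", audit(LEGACY))
```

The two accounts sharing "123456" store different digests because of their salts, yet both are flagged, while the long passphrase is not.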
See the worst passwords from Ashley Madison's hack
|f ** kyou||20|
|and ** sticks||19|
|f *** me||19|