The passwords to over 11 million Ashley Madison accounts have been revealed, after a hacking group exploited weaknesses in the company's encryption methods.
It’s been nearly a month since the dating website Ashley Madison, advertised as a place to go if you’re looking to engage in an affair, was hacked. According to a report from CNN, however, the details about the site’s practices and users are still flowing in. A recent data dump has revealed the passwords to nearly 11 million user accounts for the site.
The data released by the original Ashley Madison hackers exposed a fatal error in the way the company originally encrypted half of the 32 million accounts that were compromised. A password-cracking team of hackers called CynoSure Prime was able to exploit this error and produce the passwords to nearly 11 million of these accounts.
The group noticed two glaring mistakes in Ashley Madison’s encryption of about 15 million passwords. The company converted each password to lowercase letters, and it used a surprisingly weak encryption algorithm to protect them.
According to CynoSure Prime, the encryption tool that Ashley Madison used was significantly easier to crack than more robust versions. It remains unclear why the company switched from the weaker version for half of its accounts.
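The two mistakes described above, shown beside a hardened alternative, as an added example that is not from the article or from CynoSure Prime. The article names neither algorithm, so MD5 stands in for the weak scheme and salted PBKDF2-HMAC-SHA256 for a more robust one; both choices, the work factor and all function names are assumptions.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 200_000  # assumed work factor for the hardened scheme


def weak_store(password):
    """'Before': fold case, then one pass of a fast unsalted hash (MD5 assumed)."""
    return hashlib.md5(password.lower().encode()).hexdigest()


def strong_store(password, salt=None):
    """'After': keep case, per-user random salt, deliberately slow KDF."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def strong_verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def casefold_loss(length):
    """Factor by which lowercasing shrinks a letters-only keyspace: 52^n / 26^n."""
    return 52 ** length // 26 ** length


def cost_ratio(rounds=3):
    """How many times more CPU one guess costs under the hardened scheme."""
    start = time.perf_counter()
    for _ in range(rounds):
        strong_store("Yamaha", b"\x00" * 16)
    strong = (time.perf_counter() - start) / rounds
    start = time.perf_counter()
    for _ in range(rounds * 1000):
        weak_store("Yamaha")
    weak = (time.perf_counter() - start) / (rounds * 1000)
    return strong / weak


if __name__ == "__main__":
    print("weak hash ignores case:", weak_store("Yamaha") == weak_store("yamaha"))
    print("hardened accepts wrong case:", strong_verify("yamaha", strong_store("Yamaha")))
    print("8-letter keyspace shrinks by:", casefold_loss(8))
    print("cost per guess, hardened vs weak: %.0fx" % cost_ratio())
```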
Many of the passwords were easy to guess, including strings of keys like “123456,” “qwerty,” and “password.” Others included “secret,” “helpme,” and “Yamaha.”
Password-guessing algorithms were able to correctly guess many of these common passwords, which could be connected to user accounts on other sites. This poses serious identity theft concerns, and could lead to trouble further down the road for Ashley Madison users.