A password-cracking group claims to have decoded more than 11 million passwords from the Ashley Madison website for cheating spouses. Just over a month after hackers leaked all stolen customer data online, the amateur group, called Cynosure Prime, figured out that the dating site had changed the way passwords were stored.
It was initially said that the encrypted passwords were almost uncrackable because of the way they were scrambled. But when Ashley Madison's site developers made programming changes, the passwords were left poorly protected, and Cynosure Prime said in a blog post that it was able to retrieve the data.
It said it was able "to gain enormous speed boosts in cracking the bcrypt hashed passwords" after it found two insecure functions in the site code. Instead of taking years to crack the 11 million passwords, it said it was able to do it in around 11 days.
While it was not sure why Ashley Madison's developers had made the changes, it told news site Ars Technica that it thought they had been introduced so that users could quickly log in to the site. However, it said it would not be releasing the passwords it had recovered.
The news is sure to be a blow to the website's parent company Avid Life Media (ALM), which did not respond when approached by IBTimes UK for comment.
Along with Ashley Madison, data was compromised from two of its other dating sites, Cougar Life and Established Men, when a group calling itself the Impact Team compromised the site in August.
After the intrusion, the hackers demanded that Ashley Madison and Established Men, which promises to connect beautiful young women with rich sugar daddies "to fulfill their lifestyle needs", take down the two sites.
CougarLife, a sister site run by ALM that promises to connect older women with younger men, was not targeted by the group, which claimed to have complete access to the company's database, including every single member's user records.
Ashley Madison, which encourages married users to cheat on their spouses, claimed to have 37 million members.
While the hackers took issue with the questionable morals of the sites, their main point of contention was the fact that Ashley Madison charges users a £15 fee to carry out a full delete of their information should they decide to leave it. They claimed that ALM actually retained that data on its company servers.
When their warnings were ignored by ALM, who said they had beefed up security following the attack, the group dumped the user information onto the dark web using an Onion address accessible only through the Tor browser.
Since then, disgruntled users in a number of countries have begun multimillion-dollar lawsuits against the site after their details were made public.