A San Diego-based password cracking group has taken a big step towards deciphering some of the 36 million odd passwords leaked in last month’s Ashley Madison breach, a move that could quickly lead to the widespread hacking of any users who used the same password on other services.

Hackers had previously attempted – and succeeded – to crack some users’ Ashley Madison passwords, but only managed to decode a small number of them–and only because they were poor passwords to begin with.

Members of CynoSure Prime, a collective skilled at cracking passwords, announced Thursday morning however that it had found a new weakness in tokens they found in the second round of dumps from the extra-marital website that surfaced online in mid-August. That dump purportedly also contained emails belonging to the CEO of parent company Avid Life Media, along with source code.

Instead of targeting the leaked passwords hashed with bcrypt, a task that would have proved equally tough and time consuming, when the sleuths at CynoSure Prime unearthed a cache of 15.26 million login tokens that were hashed with MD5, an algorithm with several known cryptographic weaknesses, they began attacking those.

“Instead of cracking the slow bcrypt hashes directly, which is the hot topic at the moment, we took a more efficient approach and simply attacked the MD5 […] tokens instead. Having cracked the token, we simply then had to case correct it against its bcrypt counterpart,” the crackers wrote in a blog entry this morning.

It took a few days, but by running the tokens they were able to crack against their bcrypt counterparts, the crackers claimed they were able to successfully decode over 11.2 million passwords – and that it’s working on cracking another four million.

According to Ars Technica, who has a deeper dive on the methods CynoSure Prime used, the crackers aren’t planning on publicly releasing the passwords but will divulge any additional details needed to dig up the passwords.

The weakness apparently stems from an error involving the passing of the plaintext account password through MD5 with the variable $loginkey. CynoSure Prime isn’t exactly sure what the variable was used for, but is speculating it was used to help users with automatic login.

“It was generated upon user account creation and was re-generated when the user modified their account details including username, password and email address,” CynoSure Prime writes in its blog post.

One member of CynoSure Prime told the publication that cracking the MD5 hashes was “one million times” faster than trying to crack the bcrypt hashes and that with the help of password-cracking software like MDXfind, the group only has roughly four million left to crack.

Categories: Cryptography