Los Angeles

More than 11 million passwords stolen from the Ashley Madison infidelity dating website have been decoded, says a password cracking group.

When stolen data from the site was first dumped, the encrypted passwords were said to be almost uncrackable because of the way they were scrambled. But programming changes by the site’s developers meant more than a third of the passwords were poorly protected. The cracking group said it would not be sharing the decoded passwords. However, it had detailed the method it used to get at the passwords which would make it straightforward for criminal hackers to replicate the work. This may mean those who reused their Ashley Madison password could see other accounts breached.

The Ashley Madison website was breached by a group of hackers called The Impact Team which stole gigabytes of data including login names and passwords of more than 30 million users. Initial analysis of the data dump showed that the passwords were stored on a database after they had been protected using a process known as hashing that employs the bcrypt algorithm.

The way this scrambles passwords makes it hard to carry out so-called “brute force” attacks that try lots of different word and letter combinations because hashing with bcrypt takes a lot of computer power. As a result, a brute force attack on the passwords would take years.

However, an amateur password cracking group called Cynosure Prime looking through code also stolen from Ashley Madison realised that at some point the site changed the way passwords were stored. This stripped away the protection bcrypt bestowed on passwords.

In a blogpost, the group said it had found two insecure functions in the site code that meant it was “able to gain enormous speed boosts in cracking the bcrypt hashed passwords”. Instead of taking years, the 11 million passwords were cracked in about 11 days.