Originally thought to be secure, the site's password protections had serious programming flaws.
After hackers leaked Ashley Madison data in three massive dumps, security experts discovered a commendable surprise within the infidelity site’s source code. Ashley Madison‘s programmers had, it seemed, protected users’ passwords with strong cryptography. Given the time and computing power needed to crack the whole lot, some researchers believed deciphering it might take centuries.
Turns out that wasn’t the whole story. A group of hobbyist hackers revealed in a blog post on Thursday that it has cracked more than 11 million of the some 36 million credentials registered to the site. The team, which calls itself “CynoSure Prime,” was able to decode them by exploiting fatal flaws in the developers’ implementation of a password obfuscation technique known as hashing.
To be technical, the programmers had used a hashing algorithm called “bcrypt,” which makes information so encoded extraordinarily difficult to crack. The cipher is designed to hinder hacking attempts like a ballistic vest blocking bullet rounds.
“We wondered if it had always been this way,” the Cynosure team wrote in its blog post, describing what prompted the group to dig through thousands of lines of source code to find out.
Having inspected the computer instructions, the team uncovered several critical weaknesses. One of the worst of them: More than 15 million Ashley Madison passwords had originally been secured with a different hashing algorithm, MD5, which is more of a quick-and-dirty crypto-procedure than a true safeguard. That gave the group an entry point.
“[T]his line was changed on 2012-06-14,” the team wrote of the switch from the MD5 to the bcrypt algorithm on June 14, 2012. “This meant that we could crack accounts created prior to this date.”
Cynosure told Fortune that it has verifiably cracked 11,542,930 of the passwords so far—”using the discoveries we have made AND also other methods which have not talked about yet”—and has 3,720,051 tokens left to go. Less than 5 million of the cracked passwords are unique, according to the team. That means roughly 2-in-5 of them are repeats.
“These numbers are constantly in flux as we have more cracks coming in waiting in the validation queue,” the team wrote to Fortune in an email. “We will be releasing a package to the press containing all the statistics for them to discuss in their articles soon.”
Although the team has chosen for the moment not to release the decrypted passwords, it has walked through its methodology in the aforementioned blog post, letting anyone with the know-how to follow suit and replicate the results. You can read more about the team’s methods here.
For more on Ashley Madison, watch this video below.