RTC07: Extortion, hate-crimes, and fraud

This is one of a multi-part series. For other instalments, see Romancing the code: Ashley’s Angels and internet demons.

As I mentioned in the previous post, it would be possible to debate the ethical and moral minefields surrounding the respective rights and wrongs of Ashley Madison, the adulterous users, and the Impact Team, and at the end of it we might still be no closer to deciding if it’s acceptable to use morally ambiguous methods to expose morally ambiguous (or possibly criminal) behaviour.

What is clear, however, is that the leak had wide-ranging consequences beyond simple embarrassment. From the moment the data was leaked, amateur and professional crackers went to work on the database containing some thirty-six million password hashes.

A password hash is the result of running a password through a one-way function, so that the original password cannot be read back out of it by a human. The idea here is to stop an admin with the necessary privileges from simply looking in the password file and logging into your account for you.

Given their various failings in other respects, AM used a surprisingly robust (though not fool-proof) method of hashing their passwords, known as bcrypt. Passwords hashed by bcrypt look like this one, which I’ve shamelessly borrowed from Wikipedia:

$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy

Initially, these hashes seemed secure since they had been derived using a high cost parameter (in simple terms: they had been made especially secure), and it appeared that with modern technology working at its hardest, cracking the whole database would take over 100,000 years. Unfortunately, however, due to poor practices by both the Ashley Madison engineers and those users who chose highly insecure passwords (like… password), a large portion of the hashes were compromised.
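To make that hash string concrete, here is an added example (my own code, not part of the original post) that splits the Wikipedia hash quoted above into its bcrypt fields and shows what the cost parameter means in terms of work per guess. The field layout and bcrypt's base64 alphabet are the standard ones; the function and class names are my own.

```python
import re
from dataclasses import dataclass

# bcrypt uses its own base64 alphabet, not the RFC 4648 one.
BCRYPT_ALPHABET = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
# $<version>$<cost>$<22-char salt><31-char digest>, 60 characters in total
BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")
# The hash quoted in the post (Wikipedia's example)
EXAMPLE_HASH = "$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy"

@dataclass(frozen=True)
class BcryptHash:
    version: str   # "2a" here; "2b" and "2y" are later revisions of the scheme
    cost: int      # log2 of the number of key-setup rounds
    salt: bytes    # 16 random bytes, unique per stored password
    digest: bytes  # 23 bytes of actual hash output

    @property
    def rounds(self) -> int:
        """Key-setup rounds bcrypt performs at this cost: 2**cost."""
        return 2 ** self.cost

def decode_bcrypt_b64(text: str) -> bytes:
    """Decode bcrypt's base64 variant, discarding the trailing padding bits."""
    acc, nbits, out = 0, 0, bytearray()
    for ch in text:
        acc = (acc << 6) | BCRYPT_ALPHABET.index(ch)
        nbits += 6
        if nbits >= 8:
            nbits -= 8
            out.append((acc >> nbits) & 0xFF)
    return bytes(out)

def parse_bcrypt(hash_string: str) -> BcryptHash:
    """Split a bcrypt hash string into its fields; raise on malformed input."""
    m = BCRYPT_RE.match(hash_string)
    if m is None:
        raise ValueError("not a bcrypt hash string")
    version, cost, salt_b64, digest_b64 = m.groups()
    cost_int = int(cost)
    if not 4 <= cost_int <= 31:  # range the bcrypt specification allows
        raise ValueError(f"cost {cost_int} outside 4..31")
    return BcryptHash(version, cost_int,
                      decode_bcrypt_b64(salt_b64), decode_bcrypt_b64(digest_b64))

def relative_work(cost_from: int, cost_to: int) -> int:
    """Factor by which each guess gets slower when the cost rises."""
    return 2 ** (cost_to - cost_from)
```

At cost 10 each guess requires 1,024 key-setup rounds, and every increment of the cost doubles that, which is why a high cost parameter is what made the full database look infeasible to crack.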

After others initially attempted to crack the passwords and struggled to resolve 4,000 of the easiest ones, a “password research collective” announced that it had cracked 11.7 million of the hashes (since that post that number has grown to over 14 million). The group, CynoSure Prime, then released some examples of the cracked passwords which prove remarkably illuminating in their own right.

It’s not unreasonable to assume, however, that others will have also been working on the dataset without making their results public, for the simple reason that users far too frequently employ the same password across multiple sites. In short, in many cases, getting access to these passwords will have been the equivalent of getting access to a user’s password for all their accounts, and when that is combined with all the other information available about them – name, address, date of birth, physical descriptions – the possibilities for nefarious activity become almost endless.

Within days, hundreds of users began to report spin-off crimes, including extortion, identity theft, and hate crime. Money-making scams sprang up. In return for a fee, some promised to remove user details from the leak, whilst others offered to trawl through the details and expose cheating spouses. And shortly after the leak, in Canada, two suicides were attributed to the exposure.


Read the next instalment – link here…
