The CynoSure Prime team realized that attempting to brute-force the bcrypt hashes will not get them much further, so they started to look for possible errors in how passwords were handled on the website.
A variable called $loginkey piqued their interest. The team found two locations in the code where it was generated, but in slightly different ways.
In one instance $loginkey was generated upon account creation and was defined as the MD5 hash of two other variables: one holding the username and one holding the bcrypt hash of the user's password.
This made the team wonder if the password variable had always been defined as the password's hash. Digging through old code changes they found that prior to June 2012, the variable was actually using the user's plain text password.
It also turned out that when the Ashley Madison developers later implemented bcrypt hashing, they didn't bother regenerating the loginkey variables for early users.
"This meant that we could crack accounts created prior to this date with simple salted MD5," the team said in a blog post. Also, the old code converted the password to lowercase characters before using it, reducing the number of possible characters in a password to 26 and making it faster to brute-force it, they said.
The second instance of $loginkey generation used a combination of the username, password and email variables, plus a constant. This method of generating the $loginkey was used when a user modified their account attributes -- username, password or email.
However, as in the first case, it hadn't always used the bcrypt password hash as the password variable. This meant that the CynoSure team could now recover passwords for accounts that had been modified prior to the code change in 2012.
By creating rules in their MD5 hash cracking program, the team managed to isolate the securely generated, post-2012, loginkey variables from the insecure ones. Just a few hours later, they had already cracked 2.6 million passwords and after a few days, 11.2 million.
Avid Life Media, the company that owns AshleyMadison.com, did not immediately respond to a request for comment.
The issue, though, poses significant online security risks for a very large number of Ashley Madison users who might have used the same password on other websites and haven't changed it since then. Past breaches have shown that password reuse is rampant on the Internet.
The incident should also serve as a lesson to other developers: When you implement a new security feature in your website or application, make sure that it's applied to everyone, not just new users.
Sign up for Computerworld eNewsletters.