Hacked cheating site Ashley Madison will pay $1.6 million to FTC for breach


Ashley Madison, the dating website for married people seeking extramarital affairs, will pay the Federal Trade Commission (FTC) $1.6 million for its failure to protect the account information of 36 million users, for failing to delete account information after regretful users paid a $19 fee, and for luring users with fake accounts of “female” users.

In a press conference call, FTC Chairwoman Edith Ramirez said the commission had secured a $17.5 million settlement, but the company will only pay $1.6 million of that amount due to inability to pay. Ashley Madison's operators are also required to implement a data security program that will be audited by a third party, according to the settlement.

The website was hacked in August 2015, and the hack resulted in the release of user names, first and last names, hacked passwords, partial credit card data, street names, phone numbers, records of transactions, and e-mail addresses. In the wake of the hack, it was discovered that many people who paid the company $20 for a “Full Delete” had been bilked—Ashley Madison parent company Avid Life Media, now Ruby Corporation, had left that data on its servers for up to 12 months after the request had been made.


Ashley Madison passwords like “thisiswrong” tap cheaters’ guilt and denial

On Friday, members of the CynoSure Prime password-cracking collective published the top 100 most commonly used Ashley Madison passwords recovered so far. With top entries including 123456, 12345, and password, the list underscored that accounts on the site dedicated to people cheating on their romantic partners were no better than those on LinkedIn and more above-ground sites.

Now CynoSure Prime members are back with a new list highlighting some of the most entertaining passwords found so far among the 11.7 million cracked accounts. With entries including goodguydoingthewrongthing, ishouldnotbedoingthis, thisiswrong, and whatthehellamidoing, the list suggests some of the people felt guilty about setting up accounts on the site, or at least feigned feeling guilty. Others demonstrated just how oblivious many users were to the weakness of their own passwords. Examples include passcodes such as thisisagoodpassword, thebestpasswordever, superhardpassword, and mypasswordispassword.

For what little it's probably worth, the people who ultimately picked the first class of passwords seem to have some ambivalence about what they're doing. People behind the second seemed to think that adding a few extra words somehow made the passcodes harder to guess. But as Ars chronicled in the 2013 feature How the Bible and YouTube are fueling the next frontier of password cracking, even passwords with 36 or more characters are easy fodder for crackers. The lack of capital letters, numbers or special characters made the passphrases especially susceptible, although many of them are so predictable that even a sprinkling of numbers or capital letters couldn't save them.


Top 100 list shows Ashley Madison passwords are just as weak as all the rest

The unwashed masses are horrible at picking passwords. We're reminded of this sad truism every time there's a major leak—like the 2012 dump of passwords belonging to LinkedIn users, for example. Now researchers who have cracked more than 11 million Ashley Madison passwords have released the top 100 choices users of that site picked. It won't come as a shock to hear that the passcodes are no better.

The top 10 Ashley Madison passwords are 123456, 12345, password, DEFAULT, 123456789, qwerty, 12345678, abc123, pussy, and 1234567. With the exception of choice number 9, the passwords look like they could have come from just about any site breach published over the past decade. What's disappointing here is that after more than 10 years of awareness, users continue to make such awful picks—and websites like Ashley Madison continue to allow them.

By virtue of being cracked, all of the 11.7 million passwords recovered so far were weak. Had they been long, randomly generated strings containing upper- and lower-case letters, numbers and symbols, they'd be among the 3.7 million cryptographic hashes that still haven't been deciphered. As bad as it is that 11.7 million accounts were protected by weak passwords, there's yet another number that underscores just how careless the Ashley Madison masses were: only 4.6 million of the 11.7 million recovered passwords were unique.


Ashley Madison password crack could spell trouble across the Internet

Now that a hobbyist team has uncovered programming errors that make more than 15 million of the Ashley Madison account passwords orders of magnitude faster to crack, it will be only a matter of time before a large percentage of them are available to hackers everywhere. And given how rampant password reuse is, the tsunami-sized torrent is sure to affect accounts all over the Internet.

As Ars chronicled in a 2012 feature headlined Why passwords have never been weaker—and crackers have never been stronger, it's not unusual for Twitter, Amazon, and other online services to monitor large leaks and require password changes for affected users. As we reported:

In late 2010, Sean Brooks received three e-mails over a span of 30 hours warning that his accounts on LinkedIn, Battle.net, and other popular websites were at risk. He was tempted to dismiss them as hoaxes—until he noticed they included specifics that weren't typical of mass-produced phishing scams. The e-mails said that his login credentials for various Gawker websites had been exposed by hackers who rooted the sites' servers, then bragged about it online; if Brooks used the same e-mail and password for other accounts, they would be compromised too.

The warnings Brooks and millions of other people received that December weren't fabrications. Within hours of anonymous hackers penetrating Gawker servers and exposing cryptographically protected passwords for 1.3 million of its users, botnets were cracking the passwords and using them to commandeer Twitter accounts and send spam. Over the next few days, the sites advising or requiring their users to change passwords expanded to include Twitter, Amazon, and Yahoo.

"The danger of weak password habits is becoming increasingly well-recognized," said Brooks, who at the time blogged about the warnings as the Program Associate for the Center for Democracy and Technology. The warnings, he told me, "show [that] these companies understand how a security breach outside their systems can create a vulnerability within their networks."

The ancient art of password cracking has advanced further in the past five years than it did in the previous several decades combined. At the same time, the dangerous practice of password reuse has surged. The result: security provided by the average password in 2012 has never been weaker.

Until now, there was good reason to believe the 36 million Ashley Madison user passwords published last month would never be cracked. After all, website developers protected them with bcrypt, a hash function so slow and computationally demanding it would require years or decades of around-the-clock processing with super-expensive computers to decipher even a small percentage of them. That assurance was shattered with the discovery of the programming error disclosed by a group calling itself CynoSure Prime. Members have already exploited the weakness to crack more than 11 million Ashley Madison user passwords, and they hope to tackle another four million in the next week or two.
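The articles above make two defensive points: a slow hash like bcrypt only buys time against guesses, and sites should not accept picks like the top ten listed earlier or lowercase-only word strings like thisisagoodpassword. The following sign-up check is an added example, not code from Ars or from Ashley Madison; it uses the standard library's scrypt as a stand-in for bcrypt, and the blocklist is constructed from the ten passwords quoted in the article.

```python
import hashlib
import hmac
import os

# Constructed blocklist: the top ten Ashley Madison picks quoted above. A real
# deployment would load a much larger list of breached passwords.
WEAK_BLOCKLIST = {"123456", "12345", "password", "default", "123456789",
                  "qwerty", "12345678", "abc123", "pussy", "1234567"}

# Hypothetical scrypt work parameters, standing in for a bcrypt cost factor.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def weak_password_reasons(pw):
    """Return every reason a candidate should be rejected at sign-up.

    The classes mirror what the cracked lists show: blocklisted picks, short
    strings, and lowercase-only phrases padded with extra words."""
    reasons = []
    low = pw.lower()
    if low in WEAK_BLOCKLIST:
        reasons.append("appears in breached-password blocklist")
    if len(pw) < 12:
        reasons.append("shorter than 12 characters")
    if pw.isalpha() and pw.islower():
        reasons.append("lowercase letters only (dictionary-phrase class)")
    if "password" in low:
        reasons.append("contains the word 'password'")
    return reasons


def hash_password(pw, salt=None):
    """Salted, deliberately slow hash; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(pw.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return salt, digest


def verify_password(pw, salt, digest):
    """Constant-time comparison against a stored salt/digest pair."""
    _, candidate = hash_password(pw, salt)
    return hmac.compare_digest(candidate, digest)


def register(pw):
    """Sign-up path: reject weak picks before anything is stored."""
    reasons = weak_password_reasons(pw)
    if reasons:
        return None, reasons
    return hash_password(pw), []
```

A stored digest only slows an attacker down per guess; rejecting blocklisted and dictionary-phrase passwords at registration is what keeps the first few guesses from succeeding.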
